Skip to content

I Have a Website. Do I Need a Cookie Consent Pop-Up?

In Short

  • While not mandatory under Australian law, disclosing your use of cookies in a privacy policy is best practice, especially if personal information is collected.
  • If your business targets EU customers, the ePrivacy Directive and GDPR may require valid cookie consent, including opt-in and opt-out mechanisms.
  • Clearly inform users about the types of cookies you use and their purpose to build trust and comply with global privacy standards.

Tips for Businesses

Ensure your website’s privacy policy explains how cookies are used, stored, and their purpose. If you operate internationally, consider adding a cookie consent pop-up to meet EU GDPR requirements. Provide users with clear choices to accept or reject cookies and ensure consent can be withdrawn at any time.


Table of Contents

In light of the Optus data breach and the Medibank cyber attack, Australia has heightened concerns about privacy and data collection practices. If you run an Australian business, you have likely used cookies to collect information about visitors to your website. But do you need a cookie consent pop-up to inform users about the presence of cookies? It’s crucial to understand your obligations under the Australian Privacy Principles (APPs) and international frameworks like the European Union’s General Data Protection Regulation (GDPR). While neither the Optus breach nor the Medibank attack directly involved website cookies, both incidents have spotlighted data security and privacy practices and underscored the importance of being transparent about data collection and obtaining proper consent. This article explains the Australian and international regulatory frameworks governing the use of cookies.

How Do Cookies Work?

When you use any website, you may have your data collected by the website and stored on a user’s internet browser. Such data can be collected through cookies. This data includes browsing activity and information a user may have previously entered (such as a password or a record of which buttons the user pressed or which pages the user viewed). 

There are different types of cookies. These are:

  • authentication cookies (which allows websites to recognise and maintain a user’s login status across different pages); 
  • session cookies (which are temporary and will enable a website to track a user’s activities while a user is using the site); and
  • persistent cookies (which are data stored on a user’s device between browsing sessions. Websites will use these cookies to remember a user’s preferences and provide the user with a personalised experience).

While cookies can enhance user experience by making websites more accessible and tailored to your needs, they can also be used for online behavioural advertising. 

Platforms like Google and Meta (Facebook) employ persistent cookies to track users’ interests based on their browsing history across multiple sites. This means that platforms can understand a user’s specific interests based on browsing history and serve targeted advertisements. For example, users may notice that if they frequently visit travel websites or research holiday destinations, they may start seeing more ads for flight deals or hotel accommodations across various sites due to behavioural advertising driven by cookies.

What is the Australian Law Regarding Cookies?

The Australian Privacy Principles (APPs) deal with “personal information” as defined in the Privacy Act 1988 (Cth). Personal information usually identifies a person. 

Not all information collected by cookies is sufficient to identify a website user. However, it is best practice to ensure transparency about a user’s use of cookies, including using a cookie consent pop-up.

Continue reading this article below the form
Loading form

A cookie consent pop-up is a banner or notification that appears when a user visits a website. It details that the website uses cookies and requests that users consent to their use before accessing it.

If users do not accept cookies, the website’s functionality may be limited, and certain personalised features or settings may not work optimally. For example, some e-commerce sites do not keep track of items in shopping carts, or streaming platforms do not remember viewing preferences between different devices. 

While Australian law does not explicitly mandate the use of cookie consent pop-ups, businesses covered by the APPs are required to be transparent about the types of data they collect and how it is used, stored, and handled. Users may notice that many Australian companies will provide clear cookie notices on their websites. However, a “pop-up” or “banner” disclosing and requiring consent to use cookies is unnecessary.  

Many businesses use cookie consent pop-ups because of the EU ePrivacy Directive. Businesses operating in Europe must obtain informed consent before placing a cookie on a user’s device.

Although the EU ePrivacy Directive does not expressly require Australian businesses to comply, a strict interpretation may require websites targeting customers in the EU to comply, even if they are not located in the EU.

While not all Australian businesses need to comply with the General Data Protection Regulations (GDPR), the GDPR has influenced global privacy practices. As a result, Australian companies with an international presence and user base will display cookie consent notices that comply with EU regulations and meet evolving global privacy standards.

Front page of publication
2024 Key Data and Privacy Developments

The Australian Government is changing the law to protect consumer privacy after a series of high-profile data breaches and to bring the law into line with the safer and more protective laws in other regions. This fact sheet outlines what is expected in 2024.

Download Now

What Does the EU ePrivacy Directive Require?

Suppose you are an Australian business operating a website that collects cookies and targets customers based in the EU. In that case, consider incorporating a cookie consent pop-up on your website as a matter of best practice.

The ePrivacy Directive has two key requirements:

  • obtain informed consent for storing or accessing information on a user’s device; and
  • ensure that consent is valid, meaning it needs to be informed and must be an indication of the individual’s wishes.

Many businesses use the cookie consent pop-up to ensure the consent provided by an individual is valid. Cookie consent pop-ups do this by providing adequate information as to:

  • the type of cookies that are being used;
  • possible data that may be collected; and 
  • a requirement for a user to actively consent to this by ticking a box before accessing the website.

What Does the GDPR Require?

Introduced in May 2018, the GDPR regulates cookies to the extent that they may identify a person. It states that “cookie identifiers” may identify a person when used with other information. Thus, cookies used to identify people may be considered personal data for the GDPR.

As the GDPR is a law based in the EU, Australian businesses will need to consider the extent to which the GDPR applies to them. If the GDPR applies to an Australian business, it imposes specific requirements regarding cookie consent where:

  • the business will need to obtain users’ consent to the use of cookies through affirmative action because implied consent is not enough;
  • genuine choice should be provided to the user visiting the website, which means the user should be able to accept or reject cookies; and
  • users should be able to withdraw their acceptance of your use of cookies (i.e. an opt-out).

The ePrivacy Directive and GDPR exist side by side. Although the ePrivacy Directive may not directly apply to Australian businesses, the GDPR may impose specific requirements regarding cookie consent. This is only where the GDPR applies to your business.

Key Takeaways

Australian businesses that operate a website are becoming more aware of their customers’ concerns when it comes to privacy and data collection. Although the cookie consent pop-up is not mandatory in Australia, your business should nevertheless be considering disclosing your use of cookies on your website through a privacy policy. This is particularly relevant if the cookie can collect personal information from the user.

If you need help with cookie consent pop-ups for your business, our experienced privacy lawyers can assist as part of our LegalVision membership.  For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents for a low monthly fee.  Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

What happens if a user doesn’t accept cookies on a website?

Some websites won’t work properly without users allowing cookie use.  For instance, some sites will forget log-in details, the user’s nearest store, and more.

Can cookies improve the user experience on a website?

Yes, cookies can help a website offer a personalised experience for users.  They usually exist to remember the user’s location, preferences and likes.

Register for our free webinars

Franchisor Compliance Update: Code Obligations from November 2025

Online
Stay compliant with the new franchising updates from November 2025. Register for our free webinar.
Register Now

Avoiding NDIS Pitfalls: Key Breaches and How to Prevent Them

Online
Understand NDIS pitfalls and reduce the risk of breaches affecting your business. Register for our free webinar.
Register Now

Demystifying M&A: What Every Business Owner Should Know

Online
Understand the essentials of mergers and acquisitions and protect your business value. Register for our free webinar.
Register Now

Social Media Compliance: Safeguard Your Brand and Avoid Common Pitfalls

Online
Avoid legal pitfalls in social media marketing and safeguard your brand. Register for our free webinar.
Register Now
See more webinars >
Sharon Chen

Sharon Chen

Lawyer | View profile

Sharon is a Lawyer with LegalVision’s Corporate and Commercial team. She graduated from the University of New South Wales, where she studied Psychology and Law.

Qualifications:  Bachelor of Laws, Graduate Diploma of Legal Practice, Bachelor of Psychological Science, University of New South Wales.

Read all articles by Sharon

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards