In Short
- While not mandatory under Australian law, disclosing your use of cookies in a privacy policy is best practice, especially if personal information is collected.
- If your business targets EU customers, the ePrivacy Directive and GDPR may require valid cookie consent, including opt-in and opt-out mechanisms.
- Clearly inform users about the types of cookies you use and their purpose to build trust and comply with global privacy standards.
Tips for Businesses
Ensure your website’s privacy policy explains how cookies are used, stored, and their purpose. If you operate internationally, consider adding a cookie consent pop-up to meet EU GDPR requirements. Provide users with clear choices to accept or reject cookies and ensure consent can be withdrawn at any time.
In light of the Optus data breach and the Medibank cyber attack, Australia has heightened concerns about privacy and data collection practices. If you run an Australian business, you have likely used cookies to collect information about visitors to your website. But do you need a cookie consent pop-up to inform users about the presence of cookies? It’s crucial to understand your obligations under the Australian Privacy Principles (APPs) and international frameworks like the European Union’s General Data Protection Regulation (GDPR). While neither the Optus breach nor the Medibank attack directly involved website cookies, both incidents have spotlighted data security and privacy practices and underscored the importance of being transparent about data collection and obtaining proper consent. This article explains the Australian and international regulatory frameworks governing the use of cookies.
How Do Cookies Work?
When you use any website, you may have your data collected by the website and stored on a user’s internet browser. Such data can be collected through cookies. This data includes browsing activity and information a user may have previously entered (such as a password or a record of which buttons the user pressed or which pages the user viewed).
There are different types of cookies. These are:
- authentication cookies (which allows websites to recognise and maintain a user’s login status across different pages);
- session cookies (which are temporary and will enable a website to track a user’s activities while a user is using the site); and
- persistent cookies (which are data stored on a user’s device between browsing sessions. Websites will use these cookies to remember a user’s preferences and provide the user with a personalised experience).
While cookies can enhance user experience by making websites more accessible and tailored to your needs, they can also be used for online behavioural advertising.
What is the Australian Law Regarding Cookies?
The Australian Privacy Principles (APPs) deal with “personal information” as defined in the Privacy Act 1988 (Cth). Personal information usually identifies a person.
Not all information collected by cookies is sufficient to identify a website user. However, it is best practice to ensure transparency about a user’s use of cookies, including using a cookie consent pop-up.
Continue reading this article below the formWhat is a Cookie Consent Pop-up?
A cookie consent pop-up is a banner or notification that appears when a user visits a website. It details that the website uses cookies and requests that users consent to their use before accessing it.
If users do not accept cookies, the website’s functionality may be limited, and certain personalised features or settings may not work optimally. For example, some e-commerce sites do not keep track of items in shopping carts, or streaming platforms do not remember viewing preferences between different devices.
While Australian law does not explicitly mandate the use of cookie consent pop-ups, businesses covered by the APPs are required to be transparent about the types of data they collect and how it is used, stored, and handled. Users may notice that many Australian companies will provide clear cookie notices on their websites. However, a “pop-up” or “banner” disclosing and requiring consent to use cookies is unnecessary.
Why Do Many Websites Use Cookie Consent Pop-ups?
Many businesses use cookie consent pop-ups because of the EU ePrivacy Directive. Businesses operating in Europe must obtain informed consent before placing a cookie on a user’s device.
While not all Australian businesses need to comply with the General Data Protection Regulations (GDPR), the GDPR has influenced global privacy practices. As a result, Australian companies with an international presence and user base will display cookie consent notices that comply with EU regulations and meet evolving global privacy standards.
This factsheet outlines the Australian Government’s strengthened consumer privacy laws in 2025 following major data breaches and their alignment with global standards.
What Does the EU ePrivacy Directive Require?
Suppose you are an Australian business operating a website that collects cookies and targets customers based in the EU. In that case, consider incorporating a cookie consent pop-up on your website as a matter of best practice.
The ePrivacy Directive has two key requirements:
- obtain informed consent for storing or accessing information on a user’s device; and
- ensure that consent is valid, meaning it needs to be informed and must be an indication of the individual’s wishes.
Many businesses use the cookie consent pop-up to ensure the consent provided by an individual is valid. Cookie consent pop-ups do this by providing adequate information as to:
- the type of cookies that are being used;
- possible data that may be collected; and
- a requirement for a user to actively consent to this by ticking a box before accessing the website.
What Does the GDPR Require?
Introduced in May 2018, the GDPR regulates cookies to the extent that they may identify a person. It states that “cookie identifiers” may identify a person when used with other information. Thus, cookies used to identify people may be considered personal data for the GDPR.
As the GDPR is a law based in the EU, Australian businesses will need to consider the extent to which the GDPR applies to them. If the GDPR applies to an Australian business, it imposes specific requirements regarding cookie consent where:
- the business will need to obtain users’ consent to the use of cookies through affirmative action because implied consent is not enough;
- genuine choice should be provided to the user visiting the website, which means the user should be able to accept or reject cookies; and
- users should be able to withdraw their acceptance of your use of cookies (i.e. an opt-out).
The ePrivacy Directive and GDPR exist side by side. Although the ePrivacy Directive may not directly apply to Australian businesses, the GDPR may impose specific requirements regarding cookie consent. This is only where the GDPR applies to your business.
Key Takeaways
Australian businesses that operate a website are becoming more aware of their customers’ concerns when it comes to privacy and data collection. Although the cookie consent pop-up is not mandatory in Australia, your business should nevertheless be considering disclosing your use of cookies on your website through a privacy policy. This is particularly relevant if the cookie can collect personal information from the user.
If you need help with cookie consent pop-ups for your business, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents for a low monthly fee. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
Some websites won’t work properly without users allowing cookie use. For instance, some sites will forget log-in details, the user’s nearest store, and more.
Yes, cookies can help a website offer a personalised experience for users. They usually exist to remember the user’s location, preferences and likes.
We appreciate your feedback – your submission has been successfully received.
