With the Cambridge Analytica scandal and Typeform data breach, there is increasing concern about privacy and data collection. If you are an Australian business, you have probably used cookies to collect information about people who access your website. But do you need a cookie consent pop-up to inform users of the presence of cookies on your website? You should understand your obligations under the Australian Privacy Principles (APPs), European Union ePrivacy Directive and the recently rolled-out General Data Protection Regulations. This article explains the Australian and international frameworks governing the use of cookies by Australian businesses.

How Do Cookies Work?

A user of any website may have their data collected by a website and stored on the user’s internet browser. This data includes browsing activity and information the user may have previously entered. For example, which buttons a user has clicked and which pages they have viewed.

There are different types of cookies. These are:

  • authentication cookies;
  • session cookies; and
  • persistent cookies.

Businesses use cookies to make their websites more accessible to the user. However, they can also use cookies for online behavioural advertising. This is where the cookies assist in understanding specific interests you have based on your browsing activities.

What is the Australian Law Regarding Cookies?

The APPs deal with “personal information” as defined in the Privacy Act 1988 (Cth). Personal information is usually information which identifies a person. Not all information collected by cookies is sufficient to identify a person who uses a website. 

Furthermore, not all businesses need to comply with the APPs. However, those that do can still use cookies and may require cookie consent pop-ups.

What is a Cookie Consent Pop-up?

A cookie consent pop-up is a banner that arises once a user goes onto a website. It details that the website uses cookies and requests the user to consent to the use of cookies before accessing the website.

Usually, if a user does not accept the use of cookies on the website, the website may be slower and will not remember specific settings that a user has set when browsing.

Australian law does not require the use of cookie consent pop-ups. Businesses who are subject to the APPs may be required to state the type of data collected and how it is used, stored and handled. However, the need for a “pop-up” or “banner” disclosing, and requiring the consent for, the use of cookies is not necessary.  

Why Do Many Websites Use Cookie Consent Pop-ups?

Many businesses use cookie consent pop-ups because of the EU ePrivacy Directive. It requires businesses in Europe to obtain informed consent before placing a cookie on a user’s device.

There is no express requirement for Australian businesses to comply with the EU ePrivacy Directive. However, a strict interpretation of the directive may require websites that specifically target customers in the EU to comply with the EU ePrivacy Directive, even if they are not located in the EU. Furthermore, not all Australian businesses need to comply with the General Data Protection Regulations (GDPR).

What Does the EU ePrivacy Directive Require?

If you are an Australian business operating a website that collects cookies and targets customers based in the EU, it may be worthwhile considering incorporating a cookie consent pop-up on your website as a matter of best practice.

The ePrivacy Directive requires the following:

  • informed consent for storage or access to information stored on a user’s equipment; and
  • for consent to be valid, it needs to be informed and must be an indication of the individual’s wishes.

Many businesses use the cookie consent pop-up to ensure the consent provided by an individual is valid. Cookie consent pop-ups do this by providing adequate information as to the:

  • type of cookies that are being used;
  • possible data that may be collected and the requirement for a user to actively consent to this, by ticking a box, before accessing the website.

What Does the GDPR Require?

Introduced in May 2018, the GDPR deals with cookies to the extent that they may identify a person. It states that a person may be identified by “cookie identifiers” when used with other information received. This means that cookies used to identify people may be considered personal data for the purposes of the GDPR.

As the GDPR is a law based in the EU, Australian businesses will need to consider the extent to which the GDPR applies to them. If the GDPR applies to an Australian business, the GDPR provides that:

  • you will need to obtain users’ consent to the use of cookies through affirmative action, because implied consent is not enough;
  • genuine choice should be provided to the user visiting the website, which means the user should be able to accept or reject cookies; and
  • users should be able to opt-out of their acceptance of your use of cookies.

The ePrivacy Directive and GDPR exist side by side. Although the ePrivacy Directive may not directly apply to Australian businesses, the GDPR may impose specific requirements on Australian businesses when it comes to cookie consent. This is only where the GDPR applies to your business.

Key Takeaways

Australian businesses that operate a website are becoming more aware of their customers’ concerns when it comes to privacy and data collection. Although the cookie consent pop-up is not a mandatory requirement in Australia, you should nevertheless be considering disclosing your use of cookies on your website by way of a privacy policy. This is particularly relevant if the cookie can collect personal information from the user.

Furthermore, if you target customers in the EU or are likely to be subject to the GDPR, you may wish to consider incorporating the appropriate technical and legal mechanisms to ensure you obtain express consent from your users. If you have any questions, contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

Kristine Biason
If you would like further information on any of the topics mentioned in this article, please get in touch using the form on this page.
If you would like to receive a free fixed-fee quote for a legal matter, please get in touch using the form on this page.