Summary
- Cookies collect and store user data including browsing activity, login status, and preferences, and whilst Australian law under the Privacy Act 1988 (Cth) and the Australian Privacy Principles does not explicitly mandate cookie consent pop-ups, businesses must be transparent about the data they collect and how it is used.
- Australian businesses targeting EU users must comply with the EU ePrivacy Directive and potentially the GDPR, which require informed, affirmative consent before placing cookies on a user’s device, genuine choice to accept or reject cookies, and the ability for users to withdraw consent at any time.
- Cookie consent pop-ups have become widespread globally due to the influence of EU privacy regulations, and Australian businesses with an international presence should consider implementing them as best practice even where not strictly required under Australian law.
- This article is a guide to cookie consent obligations for businesses operating websites in Australia, explaining the Australian Privacy Principles and international frameworks including the EU ePrivacy Directive and GDPR.
- LegalVision is a commercial law firm that specialises in advising clients on data protection, privacy, and information technology law.
Tips for Businesses
Publish a clear and accessible privacy policy on your website disclosing your use of cookies, the types of data collected, and how it is stored and used. If your website targets EU users, implement a cookie consent pop-up that obtains affirmative consent and provides a genuine option to reject non-essential cookies. Review your cookie practices regularly to ensure ongoing compliance with both Australian privacy law and any applicable international frameworks.
The Optus data breach and Medibank cyber attack have heightened Australian awareness of privacy and data collection practices, including the use of cookies on business websites. Understanding your obligations under the Australian Privacy Principles (APPs) and international frameworks like the EU’s General Data Protection Regulation (GDPR) is essential for any business operating online. This article explains the Australian and international regulatory frameworks governing the use of cookies.
How Do Cookies Work?
When a user visits a website, the website may collect the user’s data and store it in the user’s internet browser. Such data can be collected through cookies. This data includes browsing activity and information a user may have previously entered (such as a password or a record of which buttons the user pressed or which pages the user viewed).
There are different types of cookies. These are:
- authentication cookies (which allow websites to recognise and maintain a user’s login status across different pages);
- session cookies (which are temporary and will enable a website to track a user’s activities while a user is using the site); and
- persistent cookies (which are data stored on a user’s device between browsing sessions. Websites will use these cookies to remember a user’s preferences and provide the user with a personalised experience).
While cookies can enhance user experience by making websites more accessible and tailored to your needs, they can also be used for online behavioural advertising.
What is the Australian Law Regarding Cookies?
The Australian Privacy Principles (APPs) deal with “personal information” as defined in the Privacy Act 1988 (Cth). Personal information usually identifies a person.
Not all information collected by cookies is sufficient to identify a website user. However, it is best practice to ensure transparency about your website’s use of cookies, including by using a cookie consent pop-up.
What is a Cookie Consent Pop-up?
A cookie consent pop-up is a banner or notification that appears when a user visits a website. It details that the website uses cookies and requests that users consent to their use before accessing it.
If users do not accept cookies, the website’s functionality may be limited, and certain personalised features or settings may not work optimally. For example, some e-commerce sites do not keep track of items in shopping carts, or streaming platforms do not remember viewing preferences between different devices.
While Australian law does not explicitly mandate the use of cookie consent pop-ups, businesses covered by the APPs are required to be transparent about the types of data they collect and how it is used, stored, and handled. Users may notice that many Australian companies will provide clear cookie notices on their websites. However, a “pop-up” or “banner” disclosing and requiring consent to use cookies is unnecessary.
Why Do Many Websites Use Cookie Consent Pop-ups?
Many businesses use cookie consent pop-ups because of the EU ePrivacy Directive. Businesses operating in Europe must obtain informed consent before placing a cookie on a user’s device.
While not all Australian businesses need to comply with the General Data Protection Regulation (GDPR), the GDPR has influenced global privacy practices. As a result, Australian companies with an international presence and user base will display cookie consent notices that comply with EU regulations and meet evolving global privacy standards.
What Does the EU ePrivacy Directive Require?
If you are an Australian business operating a website that collects cookies and targets customers based in the EU, consider incorporating a cookie consent pop-up on your website as a matter of best practice.
The ePrivacy Directive has two key requirements:
- obtain informed consent for storing or accessing information on a user’s device; and
- ensure that consent is valid, meaning it needs to be informed and must be an indication of the individual’s wishes.
Many businesses use the cookie consent pop-up to ensure the consent provided by an individual is valid. Cookie consent pop-ups do this by providing adequate information as to:
- the type of cookies that are being used;
- possible data that may be collected; and
- a requirement for a user to actively consent to this by ticking a box before accessing the website.
What Does the GDPR Require?
Introduced in May 2018, the GDPR regulates cookies to the extent that they may identify a person. It states that “cookie identifiers” may identify a person when used with other information. Thus, cookies used to identify people may be considered personal data for the purposes of the GDPR.
As the GDPR is a law based in the EU, Australian businesses will need to consider the extent to which the GDPR applies to them. If the GDPR applies to an Australian business, it imposes specific requirements regarding cookie consent:
- the business will need to obtain users’ consent to the use of cookies through affirmative action because implied consent is not enough;
- genuine choice should be provided to the user visiting the website, which means the user should be able to accept or reject cookies; and
- users should be able to withdraw their acceptance of your use of cookies (i.e. an opt-out).
The ePrivacy Directive and GDPR exist side by side. Although the ePrivacy Directive may not directly apply to Australian businesses, the GDPR may impose specific requirements regarding cookie consent. This is the case only where the GDPR applies to your business.
Key Takeaways
Australian businesses that operate a website are becoming more aware of their customers’ concerns when it comes to privacy and data collection. Although the cookie consent pop-up is not mandatory in Australia, your business should nevertheless be considering disclosing your use of cookies on your website through a privacy policy. This is particularly relevant if the cookie can collect personal information from the user.
If you need help with cookie consent pop-ups for your business, LegalVision provides ongoing legal support for all businesses through our fixed-fee legal membership. Our experienced privacy lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 1300 544 755 or visit our membership page.
Frequently Asked Questions
Some websites won’t work properly without users allowing cookie use. For instance, some sites will forget log-in details, the user’s nearest store, and more.
Yes, cookies can help a website offer a personalised experience for users. They usually exist to remember the user’s location, preferences and likes.
No, Australian law does not explicitly mandate cookie consent pop-ups. However, businesses covered by the Australian Privacy Principles must be transparent about the data they collect and how it is used, stored, and handled.
Many Australian businesses with international audiences display cookie consent notices to comply with the EU ePrivacy Directive and GDPR, meeting evolving global privacy standards and maintaining consistency across their international user base.