How Do Cookies Work?
A website may collect data about its users and store it on the user’s internet browser. This data includes browsing activity and information the user may have previously entered, for example, which buttons a user has clicked and which pages they have viewed.
There are different types of cookies. These are:
- authentication cookies;
- session cookies; and
- persistent cookies.
What is the Australian Law Regarding Cookies?
The Australian Privacy Principles (APPs) deal with “personal information” as defined in the Privacy Act 1988 (Cth). Personal information is usually information which identifies a person. Not all information collected by cookies is sufficient to identify a person who uses a website.
What is a Cookie Consent Pop-up?
Why Do Many Websites Use Cookie Consent Pop-ups?
Many businesses use cookie consent pop-ups because of the EU ePrivacy Directive. It requires businesses in Europe to obtain informed consent before placing a cookie on a user’s device.
There is no express requirement for Australian businesses to comply with the EU ePrivacy Directive. However, a strict interpretation of the directive may require websites that specifically target customers in the EU to comply with it, even if they are not located in the EU. Furthermore, not all Australian businesses need to comply with the General Data Protection Regulation (GDPR).
What Does the EU ePrivacy Directive Require?
If you are an Australian business operating a website that collects cookies and targets customers based in the EU, it may be worthwhile considering incorporating a cookie consent pop-up on your website as a matter of best practice.
The ePrivacy Directive requires the following:
- informed consent for storage or access to information stored on a user’s equipment; and
- for consent to be valid, it needs to be informed and must be an indication of the individual’s wishes.
Many businesses use the cookie consent pop-up to ensure the consent provided by an individual is valid. Cookie consent pop-ups do this by providing adequate information as to the:
- type of cookies that are being used;
- possible data that may be collected; and
- requirement for a user to actively consent to this, by ticking a box, before accessing the website.
What Does the GDPR Require?
Introduced in May 2018, the GDPR deals with cookies to the extent that they may identify a person. It states that a person may be identified by “cookie identifiers” when used with other information received. This means that cookies used to identify people may be considered personal data for the purposes of the GDPR.
As the GDPR is a law based in the EU, Australian businesses will need to consider the extent to which the GDPR applies to them. If the GDPR applies to an Australian business, the GDPR provides that:
- genuine choice should be provided to the user visiting the website, which means the user should be able to accept or reject cookies; and
The ePrivacy Directive and GDPR exist side by side. Although the ePrivacy Directive may not directly apply to Australian businesses, the GDPR may impose specific requirements on Australian businesses when it comes to cookie consent. This is only where the GDPR applies to your business.
Furthermore, if you target customers in the EU or are likely to be subject to the GDPR, you may wish to consider incorporating the appropriate technical and legal mechanisms to ensure you obtain express consent from your users. If you have any questions, contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.