
Cookie Consent Requirements in Australia

Contributors

Anas Baig

Product Marketing Manager at Securiti

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E


Australia does not have any specific regulatory guidance on cookie consent requirements. However, the Australian Privacy Act of 1988 specifies certain notification and consent obligations that organizations should follow in order to deploy legally compliant cookie consent banners.

Let’s look into some of the requirements of the Privacy Act of 1988 that websites need to be mindful of while designing cookie consent banners and obtaining users’ consent for the use of cookies and similar tracking technologies.

1. When Notification to Data Subjects Should be Made

The Privacy Act includes 13 Australian Privacy Principles ('APPs'). APP 1 requires organizations subject to the APPs to take reasonable steps to ensure their compliance with the APPs.

APP 5 requires organizations to take reasonable steps either to notify individuals or to ensure that individuals are aware when their personal information is collected. The notification should be made at or before the time of collection; where that is not practicable, the organization should give the notification as soon as practicable after the data has been collected.

Personal information is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether it is recorded in a material form or not. Since cookies and similar tracking technologies can collect information about individuals, the information gathered through such technologies can constitute personal information under the Privacy Act. In the Uber case, the Office of the Australian Information Commissioner (OAIC) held that the concept of collection of personal information is broad and includes gathering, acquiring or obtaining personal information from any source and by any means, including from individuals or other entities, or information associated with web browsing, such as personal information collected through cookies.

Furthermore, the OAIC has made clear that where personal information is collected through a hidden radio-frequency identification tag (RFID tag), software (such as cookies), or biometric technology (such as voice or facial recognition), the data subjects must be adequately informed of that collection.

Therefore, as a matter of best practice, organizations must display an adequate notification to website users before or at the time of the use of cookies and similar tracking technologies and the collection of personal information about data subjects with such technologies.

2. Content of the Notification

As per the APP 5, data subjects must be expressly informed of the following matters:

  • The covered entity’s identity and contact details,
  • The facts and circumstances of data collection where the data is collected from someone other than the individual or where the individual may not be aware that the covered entity has collected their personal information,
  • Whether the collection is required or authorized by a law or a court/tribunal order, and the name or details of the law or court/tribunal order,
  • The purposes of data collection (including the primary purpose which is the specific function for which the data is collected, and any secondary purpose - the specification of the latter will create a reasonable expectation for the data subject that their data will be used or disclosed for another purpose),
  • Any significant consequences that could result if personal information is not collected. For example, the individual must be informed if a different level of service will be provided if personal data is not provided to the organization. The individual must also be told if such consequences can be mitigated by providing some and not all personal information,
  • The entities to which such personal information is usually disclosed. Where it is impracticable to include a long list of entities, the type of entity should be described. For example, ‘health insurers,’ ‘state government motor vehicle licensing authorities,’ or ‘related bodies corporate,’
  • The availability of information in the organization’s privacy policy regarding access to the collected personal information, correction of such information if required, and complaint redressal mechanism for any breach of the Australian Privacy Principles or any applicable code,
  • Whether the entity is likely to disclose personal information to overseas recipients and, if practicable, the countries where they are located; otherwise, an organization may specify a general region, such as ‘EU countries.’

3. Format of the Notification

The notification to the data subject may be provided in layers, from a full explanation down to a brief refresher as individuals become more familiar with how the entity operates and how personal data is handled. Brief privacy notices on forms or signs may be supplemented by longer notices made available online or in brochures. For cookies, this can be achieved with a cookie consent banner that provides the essential information on the first information layer along with a link to the Cookie Preferences/Settings, which takes the user to the second information layer where more detailed information is provided regarding the categories of cookies used, their purposes, storage periods, etc.

The OAIC has clarified that where it is not reasonable to notify the full range of matters in the notification, the organization should direct the data subject to specific sections of its privacy policy or any other document that contains relevant information and covers those matters sufficiently.

4. Re-Presentation of the Notice

The OAIC recommends that organizations re-present or re-show the notice to individuals if a long period has elapsed since the notice was shown to the data subject for the first time. This is so that the data subject is reminded of the collection and use of their personal information as well as their ability to consent or not. The notice must be re-presented to the data subject if there is any change in the circumstances as to how personal information is collected or the purposes of data collection.

5. Consent Requirements

Under the Privacy Act, the data subject’s consent can be express or implied. However, express consent is required for the use of sensitive personal information such as data related to health, race, criminal record or sexual orientation.

In any case, consent is considered valid if:

  • the individual is adequately informed, in plain English, of how their data shall be processed and the consequences of giving or not giving consent,
  • the individual provides consent voluntarily,
  • the consent is current (consent cannot be assumed indefinitely) and specific, and
  • the individual has the capacity to understand and communicate their consent - if a covered entity is not sure that an individual has the capacity to give consent, they should offer requisite support to such an individual, and if the support is insufficient, the entity may consider if someone can act on the individual’s behalf, provided the concerned individual is involved to the extent possible.

Consent may not be implied where an individual’s intention is ambiguous or there is any reasonable doubt regarding the individual's intention. Implied consent is considered valid only if most of the following conditions are met:

  • the individual is provided with a clear and prominent opt-out facility,
  • the opt-out option is freely and easily available to the data subject, and not bundled with other purposes,
  • the data subject is given information regarding what would happen if they do not opt-out, and such consequences are not serious,
  • it takes little effort for individuals to opt-out and the process is free or involves little cost,
  • it is likely that the individual received and read the information about the proposed collection, use or disclosure of their personal information, and the option to opt-out, and
  • if an individual opts-out at a later date, as far as practicable, they will be placed in the same position they would have been in if they had opted out earlier.

This means that for the use of cookies, websites can either obtain express consent with an opt-in banner having equally prominent accept and reject options, or implied consent with a prominent opt-out option whereby the user can reject the use of cookies.

Once consent is withdrawn by the data subject, the organization cannot rely on past consent for any future use or disclosure of personal information. An individual should be able to easily withdraw their consent at any time.

The OAIC recommends that covered entities should implement systems and procedures for obtaining and recording the consent of individuals.
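The consent rules above (express or implied consent, consent that is current and specific, withdrawal that invalidates past consent, re-presentation when the notice changes or a long period has elapsed) translate into a small amount of client-side state. The following is an added example written for this article, not Securiti's product code; the `store` object stands in for localStorage or a first-party cookie, and NOTICE_VERSION and MAX_AGE_DAYS are hypothetical values an operator would set.

```javascript
// Added example (not from the original article): a minimal consent record modelled
// on the Privacy Act points discussed above. Assumptions: `store` is a key/value
// stand-in for localStorage or a first-party cookie; NOTICE_VERSION and
// MAX_AGE_DAYS are hypothetical operator-chosen values.
const NOTICE_VERSION = 3;          // bump whenever the notice or purposes change (section 4)
const MAX_AGE_DAYS = 180;          // re-present the notice after a long period (section 4)
const CATEGORIES = ["analytics", "marketing"]; // non-essential categories gated on consent
const DAY_MS = 86400000;

// In-memory stand-in for localStorage / a first-party cookie.
function memoryStore() {
  const m = new Map();
  return { get: (k) => m.get(k), set: (k, v) => m.set(k, v) };
}

function loadRecord(store) {
  const raw = store.get("consent");
  return raw ? JSON.parse(raw) : null;
}

// Decide whether the banner must be (re-)presented to this visitor.
function bannerRequired(record, nowMs) {
  if (!record) return { show: true, reason: "no-record" };
  if (record.noticeVersion !== NOTICE_VERSION) return { show: true, reason: "notice-changed" };
  if ((nowMs - record.timestamp) / DAY_MS > MAX_AGE_DAYS) return { show: true, reason: "expired" };
  return { show: false, reason: "current" };
}

// Record a decision. `mode` is "express" (opt-in banner with equally prominent accept
// and reject buttons) or "implied" (a prominent opt-out was shown and not used).
// Only known non-essential categories are stored, so consent stays specific.
function recordConsent(store, { mode, granted }, nowMs) {
  const record = {
    noticeVersion: NOTICE_VERSION,
    timestamp: nowMs,
    mode,
    granted: CATEGORIES.filter((c) => granted.includes(c)),
  };
  store.set("consent", JSON.stringify(record));
  return record;
}

// Withdrawal replaces the record, so the earlier consent can no longer be relied on.
function withdrawConsent(store, nowMs) {
  return recordConsent(store, { mode: "express", granted: [] }, nowMs);
}

// Gate used before loading a script: may a cookie of this category be set now?
// Essential categories need no consent; anything else requires a current record
// that names the category.
function allowed(store, category, nowMs = Date.now()) {
  if (!CATEGORIES.includes(category)) return true;
  const rec = loadRecord(store);
  if (bannerRequired(rec, nowMs).show) return false;
  return rec.granted.includes(category);
}
```

The gate refuses non-essential cookies whenever the banner would have to be re-presented, which keeps "current" consent and re-presentation in one place.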

6. Organization’s Privacy Policy

As per APP 1, a covered entity should maintain a clear and up-to-date privacy policy that specifies, amongst other things, the kind of personal information collected and maintained by the entity, how such information is collected and maintained, the purposes for which the information is collected, processed and disclosed, and whether the information is likely to be disclosed internationally. Therefore, as a matter of best practice, organizations must provide the link to their privacy policy on the cookie consent banner.

How Can Securiti Help?

In light of the above requirements, it is recommended that organizations deploy a cookie consent banner with an opt-out option, a link to the company’s privacy policy, and a link taking data subjects to more detailed information about the use of cookies. Securiti’s Cookie Consent Management Solution enables you to achieve compliance with the help of the following features:

  • Scanning and auto-classification of cookies and similar tracking technologies,
  • Auto-blocking of non-essential cookies,
  • Legally compliant consent banner verbiage,
  • The ability to add the privacy policy URL on the cookie consent banner,
  • Compliance with leading industry frameworks such as GPC and IAB EU TCF, and
  • Updated and comprehensive consent records to help you demonstrate compliance.

Ask for a DEMO today to understand how Securiti can help you comply with the applicable legal requirements.


Key Takeaways:

The content outlines the requirements and best practices for deploying cookie consent banners in Australia under the Privacy Act of 1988 and its Australian Privacy Principles (APPs). Here are the key takeaways:

  1. Notification Requirements Under the Privacy Act: Organizations must notify individuals when collecting personal information (which includes data collected via cookies and similar technologies) as per APP 1 and APP 5. The notification should occur at or before the time of data collection, detailing how personal information is collected and used.
  2. Definition of Personal Information: The Privacy Act broadly defines personal information, including data collected through cookies. The OAIC's stance from the Uber case extends the definition to information gathered through web browsing and other digital tracking technologies.
  3. Content of Notification: Organizations must inform data subjects about various aspects of data collection, including the entity's identity, the purpose of data collection, the entities to which personal information is disclosed, and whether the information will be disclosed internationally.
  4. Format and Re-presentation of the Notification: Notifications can be layered, with initial brief information supplemented by detailed disclosures in privacy policies or dedicated documents. Organizations are advised to re-present the notice periodically, especially when significant changes occur in data collection practices or purposes.
  5. Consent Requirements: The Privacy Act distinguishes between express and implied consent, emphasizing that consent must be informed, voluntary, specific, and current. For sensitive information, express consent is required. Conditions under which implied consent may be valid are outlined, focusing on the ease and freedom of opting out.
  6. Privacy Policy: Organizations must maintain an up-to-date privacy policy detailing the kinds of personal information collected, the collection methods, and the purposes of collection, processing, and disclosure, including international disclosures.
  7. Securiti’s Cookie Consent Management Solution: Securiti offers a solution to help organizations comply with the Privacy Act's requirements for cookie consent. Features include scanning and auto-classification of cookies, auto-blocking of non-essential cookies, legally compliant consent banner wording, integration of privacy policy links, compliance with industry frameworks, and comprehensive consent records to demonstrate compliance.
