Australia does not have any specific regulatory guidance on cookie consent requirements. However, the Australian Privacy Act of 1988 specifies certain notification and consent obligations that organizations should follow in order to deploy legally compliant cookie consent banners.
The Privacy Act includes 13 Australian Privacy Principles ('APPs'). APP 1 requires organizations subject to the APPs to take reasonable steps to ensure their compliance with the APPs.
APP 5 requires organizations to take reasonable steps to notify individuals, or otherwise ensure that individuals are aware, when their personal information is collected. The notification should be made at or before the time the personal information is collected; where that is not practicable, the organization should provide the notification as soon as practicable after the collection.
Personal information is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether it is recorded in a material form or not. Since cookies and similar tracking technologies can collect information about individuals, the data they collect can constitute personal information under the Privacy Act. In the Uber case, the Office of the Australian Information Commissioner (OAIC) held that the concept of collecting personal information is broad: it includes gathering, acquiring or obtaining personal information from any source and by any means, including from individuals or other entities, and information associated with web browsing, such as personal information collected through cookies.
Furthermore, the OAIC has made clear that where personal information is collected through a hidden radio-frequency identification (RFID) tag, software (such as cookies), or biometric technology (such as voice or facial recognition), the data subjects must be adequately informed of that collection.
As per APP 5, data subjects must be expressly informed of the following matters:
The OAIC recommends that organizations re-present the notice to individuals if a long period has elapsed since the notice was first shown to the data subject, so that the data subject is reminded of the collection and use of their personal information and of their ability to give or withhold consent. The notice must be re-presented to the data subject if there is any change in how personal information is collected or in the purposes of the collection.
Under the Privacy Act, the data subject’s consent can be express or implied. However, express consent is required for the use of sensitive personal information such as data related to health, race, criminal record or sexual orientation.
In any case, consent is considered valid if:
Consent may not be implied where an individual's intention is ambiguous or there is any reasonable doubt regarding the individual's intention. Implied consent is considered valid only if most of the following conditions are met:
Once consent is withdrawn by the data subject, the organization cannot rely on past consent for any future use or disclosure of personal information. An individual should be able to easily withdraw their consent at any time.
The OAIC recommends that covered entities implement systems and procedures for obtaining and recording the consent of individuals.