Australia

Can you place cookies without consent?

There are no specific cookie-related laws in force in Australia. However, entities subject to the Australian Privacy Act must handle personal information in accordance with the Australian Privacy Principles (APPs).

What is “personal information”?

“Personal information” is defined under the Australian Privacy Act as information or an opinion about an identified individual or an individual who is reasonably identifiable. If an entity handling data collected via cookies and similar technologies has reasonable access to other information which would enable that data to be associated with an individual, that individual is “identifiable”, regardless of whether the entity makes that link. To be considered personal information, the data collected via cookies and similar technologies must also be considered information “about” a person, meaning that the individual is the subject matter of the information.

In its report in relation to the Digital Platforms Inquiry, the Australian Competition and Consumer Commission (ACCC) stated that there is “considerable legal uncertainty on the issue of whether technical data collected in relation to individuals is within the scope of the definition of personal information”. Recently, in its report in relation to the Privacy Act Review published in February 2023 (Privacy Act Review Report), the Attorney-General’s Department has proposed changes to the definition of personal information in an effort to address this, including:

  • changing the word “about” in the definition of personal information to “relates to”; and
  • including a non-exhaustive list of information which may be personal information (with suggestions including online identifiers, location data, technical or behavioural data and inferred information).

These proposals were agreed to in-principle by the Australian Government in its response to the Privacy Act Review Report published in September 2023 (Australian Government Response to the Privacy Act Review). Agreement in-principle means that the Australian Government will conduct further engagement and impact assessments on these proposals.

Is consent required for placing cookies or similar technologies?

In some circumstances. Under the APPs consent is required:

  • for the collection of sensitive information;
  • if an APP entity wishes to use or disclose personal information for a secondary purpose (does not apply to the use or disclosure of personal information by private sector organisations for the purpose of direct marketing); and
  • for an organisation to use or disclose personal information for the purpose of direct marketing, where:
    • the information is collected from the individual, but they would not reasonably expect the use or disclosure;
    • the information is collected from someone other than the individual; or
    • the information is sensitive information about an individual.

To the extent that data collected via cookies and similar technologies constitutes personal information, consent is required in the circumstances set out above unless an exception applies.

Are cookie rules (whether specific or within general data protection laws) followed in practice?

There are a couple of different approaches taken:

  • due to the unclear position on whether an online identifier is personal information, some publishers take the view that notice and consent is not required in the case of anonymous website users. Instead, they only give notice and (if required) obtain consent when users create an account; or
  • publishers give notice and (if required) obtain consent from all users, e.g., via a cookie banner.

The obligation to give notice and (if required) obtain consent is frequently managed by imposing an obligation on the publisher by way of contract.

Are there any exemptions if consent is required?

The consent requirements referred to above are subject to limited and narrow exemptions (for example, using or disclosing personal information where reasonably expected by the individual and related to the primary purpose of collection or, in the case of direct marketing, using or disclosing personal information by contracted service providers in relation to a specific Commonwealth contract).

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

Not without regard to the APPs. To the extent that the data collected by each of these types of cookies constitutes personal information, the handling of the data will be subject to the same rules as are set out above and below.

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

The APP Guidelines state that use of an opt-out mechanism to infer consent will only be appropriate in limited circumstances, as the individual’s intention in failing to opt out may be ambiguous. One relevant circumstance where an opt-out mechanism is permissible for private sector organisations, pursuant to the APPs, is where:

  • the organisation collects the information from the individual;
  • the individual would reasonably expect the organisation to use or disclose the information collected for the purpose of direct marketing;
  • the organisation provides a simple means by which the individual may opt out; and
  • the individual has not made such a request.

The APP Guidelines also include additional, narrower circumstances where an opt-out mechanism is permissible.

Can you set cookies without a cookie notice? 

The APP Guidelines require entities collecting personal information to take reasonable steps to notify individuals of certain matters, or otherwise ensure that they are made aware of them. To the extent that the data collected via cookies or similar technologies constitutes personal information, entities must take reasonable steps to notify individuals of these matters, or otherwise ensure that they are aware of them. This is not always done in practice, and some publishers only provide notice once a user creates an account.

Can you set cookies without a cookie banner/management tool?

This is done in some circumstances. See question 2 above.

Are you able to use cookie walls? 

There is no specific guidance from the Office of the Australian Information Commissioner (OAIC) in relation to cookie walls. Their guidance in relation to consent more generally is that there are four key elements:

  • the individual is adequately informed before giving consent;
  • the individual gives consent voluntarily;
  • the consent is current and specific; and
  • the individual has the capacity to understand and communicate their consent.

The Privacy Act Review Report refers to a submission by the OAIC to the effect that, depending on the circumstances, consent is unlikely to be voluntary when the provision of service is conditional on consent to personal information handling that is not necessary for the provision of the service.

Considering the above, the use of cookie walls may not be an effective means of obtaining consent.

Is the local regulator currently enforcing decisions against breaches of cookie rules?

While enforcement action in relation to cookies and similar technologies has previously been uncommon in Australia, significant enforcement actions have recently been brought against Facebook and Google by both the ACCC and OAIC.

In October 2019, the ACCC brought proceedings against Google in the Federal Court. In April 2021, the Federal Court ruled in favour of the ACCC in that case, finding that Google had made misleading representations about the collection and use of location data on Android phones between January 2017 and December 2018. In August 2022, the Federal Court ordered Google to pay AU$60 million in penalties in relation to this conduct.

Two other relevant enforcement actions were brought by the ACCC in the Federal Court against Google and Facebook respectively, namely:

  • proceedings brought against Google in July 2020 in which the ACCC alleged that Google obtained user consent to expand the scope of personal information that it could collect and combine about their internet activity, for use by Google for other purposes including targeted advertising, without adequately informing consumers. The Federal Court dismissed this case in December 2022, finding that Google had not misled Australian consumers;
  • proceedings brought against Facebook (now Meta) in December 2020 in which the ACCC has alleged that Facebook and its subsidiaries told consumers that the Onavo Protect app would not be used for any purpose other than to provide Onavo Protect services, which has now been challenged. The matter is listed for hearing in June 2023.

In March 2020, the OAIC brought proceedings against Facebook (now Meta) in the Federal Court in relation to Cambridge Analytica. Facebook attempted to set aside service of the legal documents on the US-based entity. In September 2020, the Federal Court found the OAIC had established a prima facie case that Facebook carried on business and collected personal information in Australia within the meaning of the Privacy Act through, amongst other things, its installation of cookies on Australian devices. That finding was made in the context of an application by Facebook for leave to appeal an interlocutory decision upholding service on the US-based entity. Facebook appealed the September 2020 decision and, in February 2022, the Full Federal Court dismissed the appeal. In September 2022, Facebook was granted special leave to appeal to the High Court but, in March 2023, that special leave was revoked (because the matter no longer raised an issue of public importance following a change to the Federal Court’s procedural rules). The proceeding will return to the Federal Court and the substantive proceeding seeking civil penalties against Facebook will now progress.

Are there any current consultations relating to ad tech/cookies?

The Privacy Act Review is ongoing with feedback sought in relation to various reform proposals including proposals in relation to direct marketing, targeting and trading. This specifically includes:

  • a proposal to introduce definitions for direct marketing, targeting and trading;
  • proposals to provide individuals with unqualified rights to opt-out of their personal information being used or disclosed for direct marketing purposes and to opt-out of receiving targeted advertising;
  • a proposal to require that an individual’s consent be obtained to trade their personal information;
  • proposals to prohibit direct marketing to a child (unless in the child’s best interests), targeting to a child (unless in the child’s best interests) and trading in the personal information of children;
  • proposals to require that targeting be fair and reasonable in the circumstances and prohibit targeting based on sensitive information (with an exception for socially beneficial content); and
  • a proposal to require entities to provide information about targeting (including clear information about the use of algorithms and profiling).

Agreement in-principle means that the Australian Government will conduct further engagement and impact assessments on these proposals.

A proposal to provide individuals with an unqualified right to opt out of receiving targeted advertising which was included in the Privacy Act Review Report was not agreed to (either in full or in-principle) by the Australian Government.

Are there any anticipated changes to the rules and/or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

Yes.

The Privacy Act Review Report follows a two-year review of Australian privacy laws and contains over 110 proposals which are designed to better align those laws with global standards of privacy protection and give individuals more control over their personal information.

In addition to the reform proposals referred to in Q1 and Q10 above, the proposed reforms also relevantly include:

  • new requirements, and guidance, in relation to privacy policies and collection notices;
  • new requirements, and guidance, in relation to consent;
  • a new requirement that the collection, use and disclosure of personal information must be fair and reasonable in the circumstances;
  • a new requirement to take additional steps where information is not collected directly from an individual;
  • new requirements in relation to children; and
  • new requirements in relation to overseas data flows.

In December 2022, following two major data breaches impacting Australian consumers, several reforms were enacted including, among other things:

  • expanding the extra-territorial application of the Privacy Act by requiring foreign organisations who carry on business in Australia to meet the obligations under the Privacy Act even if they do not collect or hold personal information in Australia; and
  • increasing the maximum penalties for serious or repeated privacy breaches from the current $2.22 million penalty to whichever is the greater of:
    • $50 million;
    • three times the value of any benefit obtained as a result of the contravention; or
    • 30% of a company’s adjusted turnover, during the breach turnover period, if the court cannot determine the value of the benefit.

The Australian Government Response to the Privacy Act Review signals that significant changes to the rules are on the horizon, with most of the proposals referred to in this guide either agreed to or agreed to in-principle. The Australian Government has committed to introduce draft legislation in 2024 concerning those proposals which have been agreed. There will, however, be further engagement and impact assessments for the proposals only agreed ‘in-principle’.

In response to the Digital Platforms Inquiry, the Australian Government also directed the ACCC to conduct an inquiry into markets for the supply of digital advertising technology services and digital advertising agency services.

There was a consultation process, following which a final report was published on 28 September 2021 (the Final Ad Tech Report). The ACCC made the following recommendations in the Final Ad Tech Report:

  • “The ACCC should be given powers to develop sector specific rules to address conflicts of interest and competition issues in the ad tech supply chain.”
  • “The power to introduce sector specific rules should allow the ACCC to address competition issues caused by an ad tech provider’s data advantage.”
  • “Industry should establish standards to require ad tech providers to publish average fees and take rates for ad tech services, and to enable full, independent verification of demand side platform services.”
  • “The ACCC should be given powers to develop and enforce rules to improve transparency of the price and performance of ad tech services.”

The Final Ad Tech Report also relevantly refers to stakeholder concerns regarding potential consumer harms arising from the use of data for ad targeting purposes.

The Digital Platform Services Inquiry, which is taking place between 2020 and 2025, may also have an impact on this area.