Australian Privacy Act cookie consent and compliance

The Australian Privacy Act is the key legislation regulating the handling of personal information by Australian government agencies and certain private sector organizations, establishing principles for collecting, using, storing, and disclosing personal data to protect individuals' privacy rights. Are you ready to safeguard data privacy?

What your business needs to know about the Australian Privacy Act

Under the Australian Privacy Act, cookies and similar technologies that collect personal information are subject to privacy obligations. Businesses must notify users when cookies are being used to collect data and, in some cases, obtain informed consent—particularly when sensitive or identifiable information is involved. This means clear cookie notices and options for users to manage their preferences are essential for compliance.

What does the Australian Privacy Act compliance require?

Your business must understand that any collection of personal data—including via digital tracking or cookies—falls under the Privacy Act. As part of compliance, organizations are required to:

Disclosure: Clearly disclose data collection practices.

Data minimization: Limit data use to the stated purposes.

Data protection: Ensure data security.

Right of access: Provide individuals access to their data.

Transparency: Be transparent and responsive to privacy complaints.

Notification: Notify individuals when collecting personal information, including via cookies.

Privacy policy: Have a clear and up-to-date privacy policy.

Privacy impact assessment: Conduct a privacy impact assessment and audit data practices regularly.

Who needs to comply with the Australian Privacy Act?

The Privacy Act applies to:

Australian Government agencies.

All businesses with an annual turnover of 3 million AUD or more.

Smaller businesses involved in trading personal information or providing health services.

Any organization handling sensitive data or operating under specific regulations (e.g., credit reporting, healthcare, and so on).

Consumer rights under the Australian Privacy Act

The Australian Privacy Act gives residents in Australia a set of data privacy rights, including the:

Why cookies as part of Australian Privacy Act compliance

Cookies that track user behavior, store preferences, or collect identifiable information are considered a form of personal information under the Act. Therefore, businesses must disclose cookie use and offer users a way to accept or reject non-essential cookies. Transparency and user control are key.

Penalties for Australian Privacy Act non-compliance

Non-compliance with the Australian Privacy Act can result in severe penalties. The maximum fine for serious or repeated breaches has been increased to 50 million AUD, three times the benefit obtained through misuse, or 30% of adjusted turnover—whichever is greater. Reputational damage and legal action can also result from non-compliance.

How to comply with the Australian Privacy Act

Compliance with the Australian Privacy Act can be more easily achieved by following a consent-first approach and data privacy best practices:

Conduct data and cookie audits: Review current data practices to identify areas that need adjustment to align with the Australian Privacy Act, and document the purpose of each cookie and tracker.

Update privacy and cookie policies: Revise privacy notices to clearly outline data practices, consumer rights, and how to exercise those rights.

Implement consent management: Get effective management and control of cookie use with a comprehensive consent management platform like CookieHub.

Educate employees: Offer staff education programs on the importance of data privacy and Australian Privacy Act compliance.

Implement breach processes: Develop internal systems to detect, evaluate, and notify breaches within the specified time period.

Assign a privacy officer: Appoint a privacy officer to oversee compliance.

How CookieHub can help with Australian Privacy Act compliance

A consent management platform like CookieHub can help businesses comply with the Australian Privacy Act by providing tools to transparently collect, manage, and store user consents for cookies and personal data in a legally compliant way.

Frequently Asked Questions

The Australian Privacy Act 1988 governs how personal information is collected, used, stored, and disclosed by Australian Government agencies and many private sector organizations. It applies to entities with an annual turnover of more than AUD 3 million, as well as some smaller businesses that handle sensitive information or provide health services.

Personal data (or personal information) refers to any information or opinion that identifies or could reasonably identify an individual. This includes names, addresses, email addresses, phone numbers, and other details that make a person identifiable.

Sensitive data is a special category of personal information that includes details such as racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal records, and health or genetic information. The Privacy Act imposes stricter rules on handling sensitive data.

The Office of the Australian Information Commissioner (OAIC) is the regulatory authority responsible for overseeing and enforcing the Privacy Act.

Certain organizations are exempt from the Privacy Act, including most small businesses with an annual turnover of less than AUD 3 million, unless they handle health information, provide services under contract to the government, or trade in personal information.

For comprehensive information, guidance materials, and updates, visit the Office of the Australian Information Commissioner (OAIC) website.