If you think data collection under Australian privacy law only refers to your customers filling out forms on your website, think again: in the Uber case, the Office of the Australian Information Commissioner (OAIC) decided that data collection by “any means”, including cookies and similar technologies, is also subject to the Australia Privacy Act (APA).

If you operate in Australia or have website visitors from Australia, your use of cookies and online identifiers to collect Australians’ personal data must comply with the Australia Privacy Act.

To learn whether this applies to you and how you can comply, read on.


What is the landscape around privacy laws in Australia?

The Australia Privacy Act 1988 is the main legislation that imposes requirements on businesses for how they may collect and use Australians’ personal information. The Act’s primary goal is to enhance the protection of Australians’ personal information.

When does the Act apply to you? The Australia Privacy Act applies to your organisation if the following conditions are met:

1. Personal Scope of the Act

The Act applies to all businesses except those that fall below the following annual turnover threshold:

“those organisations (including all their related bodies corporate each) with less than AUD 3 million (approx. €1.9 million) annual turnover at any time”

However, businesses will automatically be subject to the Australia Privacy Act if:

“...they use or disclose personal information for a benefit or collect and use health information”

In short, even if a business’s annual turnover is below the threshold, it will still have to comply with the Australia Privacy Act if it processes personal information for a benefit, or if it collects health information.

2. Territorial Scope of the Act

The Australian Privacy Act applies to both Australian and foreign organisations that carry on business in Australia.

For example, if your business is involved in the following activities, it will fulfil this condition whether you are an Australian or a foreign organisation:

  • Actively collecting personal information in Australia
  • Promoting a non-Australian website to residents of Australia

3. Material Scope of the Act

All processing activities related to personal information, such as collection, sharing and use, fall under the scope of the Act. However, anonymised or de-identified data is not subject to the Act.

New draft Privacy Bill, new requirements

In March 2019, the Australian Government announced that it would introduce a new Online Privacy Bill (OPB) to strengthen the protection of personal information on social media and other online platforms.

The new privacy bill will impose new requirements on how personal data can be collected and used via social media platforms and online channels.

The Online Privacy Bill will only apply to the following types of organisations:

  • Businesses that provide social media services
  • Companies that provide data brokerage services
  • Large online platforms

The Online Privacy Bill will introduce requirements such as specific rules on how organisations should obtain consent from children and other vulnerable people. Additionally, when an individual requests that their data not be disclosed to third parties or used, the organisation must take reasonable steps to comply with such requests.

Alongside this Act, there are other laws that apply to specific sectors and organisations, including the Privacy Credit Reporting Code and specific regulations relating to health information and tax file numbers (TFNs).

Requirements to comply with the Australia Privacy Act

Any organisation that is subject to the Australia Privacy Act 1988 is called an “APP Entity”. An APP Entity must comply with the 13 principles of the Act:

1. An APP Entity must handle personal information in a transparent manner.

2. Individuals must be given the option of not being identifiable, or of using a pseudonym, subject to limited exceptions.

3. APP Entities may only collect “solicited” information.

4. APP Entities must manage unsolicited personal information in compliance with specific standards.

5. APP Entities must inform individuals about the collection and use of their information in a specific manner.

6. APP Entities may only disclose personal information to third parties under specific circumstances and subject to specific conditions.

7. An APP Entity may only use individuals’ personal information subject to specific conditions.

8. An APP Entity must fulfil certain requirements before it discloses personal information to overseas recipients.

9. An APP Entity may only adopt a government-related identifier of an individual as its own identifier, or use or disclose a government-related identifier of an individual, under certain circumstances.

10. APP Entities must ensure that the personal information they hold is accurate and up to date.

11. An APP Entity must take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

12. An APP Entity must fulfil individuals’ requests to access their personal information if specific conditions are met.

13. APP Entities must keep the personal information they hold correct.

Do I need a cookie consent banner on my website in Australia?

Under the Australia Privacy Act, you only need to obtain consent if you are collecting sensitive personal information such as data related to health, race, criminal record or sexual orientation.

Therefore, it appears that cookie banners are not mandatory in Australia.

However, businesses must comply with all requirements of the Australia Privacy Act when they collect personal information via cookies. This includes complying with the transparency principle, which implies that the right level of information must be provided to users, be it in a notice at the point of collection or through the privacy policy.

Organisations do not need to obtain consent if the personal information is used for the specific purpose for which it was collected (the primary purpose), or for a different (secondary) purpose related to the primary purpose, when the individual can reasonably expect the organisation to use or disclose the information for that secondary purpose.

Some companies in Australia may consider that behavioural advertising is a secondary purpose which users cannot reasonably expect and, as a result, decide to obtain users’ consent in order to abide by the Australia Privacy Act.

If you choose to go that route, check out our Consent Management Platform and book a call to learn how Didomi can help:

Discover our CMP

Complying with EU & UK GDPR and the E-Privacy Directive

Even though the APA does not require websites to display a cookie banner, most global Australian businesses are subject to other privacy laws that do cover cookie banner requirements: the EU and UK GDPR and the E-Privacy Directive.

If your website and business operations target EU- or UK-based individuals, it is likely that you will be subject to the European Union’s and United Kingdom’s strict cookie compliance requirements.

In the EU and the UK, you need to comply with two distinct regulations on cookies: the General Data Protection Regulation (GDPR) and the E-Privacy Directive.

How to comply with the E-Privacy Directive?

The E-Privacy Directive includes rules on how businesses may store cookies and similar technologies on EU users’ devices.

It should be noted that each EU country and the UK has transposed the E-Privacy Directive into national law with its own variations, so businesses should check country-specific differences for compliance.

That said, the E-Privacy Directive sets out the following baseline requirements for cookies:

  • As a rule, cookies cannot be stored on users’ devices unless the user consents to the storage of cookies.

There are two exceptions to this consent rule:

  • If the cookie is necessary for the transmission of a communication, consent is not needed.
  • If the cookie is strictly necessary to provide a service the user has requested, consent is not required.

How to comply with EU&UK GDPR?

In addition to the E-Privacy Directive, businesses must also comply with the EU and UK GDPR when they collect personal information via cookies.

Under the GDPR, organisations must rely on one of the six “legal bases” to collect personal data through cookies and similar technologies. Two of those legal bases are highly relevant to the use of cookies: consent and legitimate interest.

While legitimate interest may seem like a convenient way to avoid asking for consent, it is far from being so. EU data protection authorities have published differing guidance on whether consent is required for each cookie category, and each country has its own requirements.

For example, the UK data protection authority has stated that websites must obtain consent when they use analytics cookies.

The French data protection authority (CNIL), on the other hand, has stated that cookies for audience measurement may be used without consent under certain circumstances.

Furthermore, when you rely on user consent, you must ensure that you obtain it in the manner the GDPR requires. When you rely on legitimate interests to use cookies such as analytics cookies, you also need to document and justify that assessment.

How Didomi can help

The data privacy revolution may have started in Europe with the GDPR, but it is rapidly spreading across the world, and the growing number of privacy fines in Australia and the new Online Privacy Bill show that businesses cannot overlook Australia when it comes to privacy compliance.

Customer privacy has to become a priority for brands, and for Australian businesses this means complying with local and international privacy regulations.

Talk to an expert and find out how Didomi’s Consent Management Platform and Preference Management Platform can help you turn privacy into a business opportunity:

Book a demo