• CMI Legal

Taking a Bite of Consumer Data: An Introduction on Australian Cookie Policy

Cookies are a popular way of obtaining consumer data. They are used by most, if not all, websites to capture various information of a user and determine his/her browsing activity and behaviour.

There are Five Types of Cookies

  1. Functionality cookie: Sent from websites to consumer browsers to remember their customized settings such as location preference;

  2. Session cookie: Cookie that only lasts for one browsing session and disappears once browser is closed;

  3. Persistent cookie: Cookie that stays on consumer computers even after their browsers are closed, the cookie is sent back to websites for data analysis;

  4. Third-party cookie: Sent by third-party organizations that operate on websites (e.g. mailchimp sends cookies to consumers who open your marketing emails); and

  5. Local stored object/Flash cookie: Only websites that use Adobe Flash are capable of storing Flashing cookies in consumer computers.

Australian Privacy Principles in General

Although there is no specific legislation governing the use of cookies, the Australian Privacy Principles (APP) apply to the collection of consumer data and information.


An “APP entity” means and agency or organisation; an “organisation” means an individual, body corporate, partnership, any other unincorporated association or trust that is not a small business operator.

A "small business" is defined as a business with an annual turnover of $3,000,000 or less.

“Personal information” means information or an opinion about an identified individual, or an individual who is reasonably identifiable. It is important to note that not all information collected by cookies is sufficient to identify a person who uses a website.

According to the APP:

  • An APP entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities;

  • Sensitive information – Information regarding a person’s racial or ethnic origin, political opinions, religious beliefs or affiliations, etc; and

  • An APP entity must not collect sensitive information about a person unless he/she consents and the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities.

  • An APP entity must notify an individual regarding the collection of personal information including: The purposes for which the APP entity collects the personal information; Any other APP entity, body or person, or the types of any other APP entities, bodies or persons, to which the APP entity usually discloses personal information of the kind collected by the entity; How consumers may access the personal information about the individual that is held by the entity and seek the correction of such information; How the individual may complain about a breach of the Australian Privacy Principles and how the entity will deal with such a complaint; and Whether the APP entity is likely to disclose the personal information to overseas recipients.

Cookie Pop-Up

Having a cookie pop-up on a website is not a mandatory requirement in Australia but if you are looking to collect data using cookies, the type of data collected and how it is used should be disclosed in the privacy policy.

However, if you collect cookies of customers based in the EU, you are required to include a cookie consent pop-up as per the EU ePrivacy Directive and the General Data Protection Regulations (GDPR).

Whether you need to comply with the GDPR depends on any of the following:

  • Is your business established in the EU?

  • Do you offer goods and services to EU based individuals?

  • Do you monitor the behavior of individuals in the EU?

Requirements of the EU ePrivacy Directive and the GDPR:

  • Consumer must provide informed consent of data collection;

  • Genuine choice should be provided to the user visiting the website, which means the user should be able to accept or reject cookies;

  • Users should be able to opt-out of their acceptance of your use of cookies; and

  • Cookie consent pop-up should include the types of cookies used and the types of data collected as best practice.

If you want to include a cookie pop-up:

  • Collection of personal information requires notification only and not consent, hence a cookie pop-up would suffice; and

  • However, if you wish to collect “sensitive information” as well, a consent/‘I agree’ button should be built into the cookie pop-up, same with if you collect cookies from consumers in the EU.

6 views0 comments