• CMI Legal

Taking a Bite of Consumer Data: An Introduction on Australian Cookie Policy

Cookies are a popular way of obtaining consumer data. They are used by most, if not all, websites to capture various information about a user and determine his/her browsing activity and behaviour.

There are Five Types of Cookies

  1. Functionality cookie: Sent from websites to consumer browsers to remember their customized settings such as location preference;

  2. Session cookie: Cookie that only lasts for one browsing session and disappears once the browser is closed;

  3. Persistent cookie: Cookie that stays on consumer computers even after their browsers are closed and is sent back to websites for data analysis;

  4. Third-party cookie: Sent by third-party organizations that operate on websites (e.g. Mailchimp sends cookies to consumers who open your marketing emails); and

  5. Local stored object/Flash cookie: Only websites that use Adobe Flash are capable of storing Flash cookies on consumer computers.

Australian Privacy Principles in General

Although there is no specific legislation governing the use of cookies, the Australian Privacy Principles (APP) apply to the collection of consumer data and information.


An “APP entity” means an agency or organisation; an “organisation” means an individual, body corporate, partnership, any other unincorporated association or trust that is not a small business operator.

A "small business" is defined as a business with an annual turnover of $3,000,000 or less.

“Personal information” means information or an opinion about an identified individual, or an individual who is reasonably identifiable. It is important to note that not all information collected by cookies is sufficient to identify a person who uses a website.

According to the APP:

  • An APP entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities;

  • Sensitive information – Information regarding a person’s racial or ethnic origin, political opinions, religious beliefs or affiliations, etc; and

  • An APP entity must not collect sensitive information about a person unless he/she consents and the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities.

  • An APP entity must notify an individual regarding the colle