Cookie Consent in Australia: What Businesses Need to Know

Most people have clicked 'Accept All' on a cookie banner without a second thought. But if you're running a website in Australia, understanding what's happening behind that banner matters, especially as the OAIC takes an increasingly active approach to privacy enforcement.

What is a Cookie?

Cookies are small text files that websites store on a user's device during a visit. They help sites remember preferences, maintain sessions and recognise returning visitors.

Where it gets more complicated is with third-party cookies: files dropped by external domains, such as advertising or analytics platforms, that run in the background of the site you're visiting. These can track behaviour across multiple websites and are at the centre of most of the privacy debate. Browsers like Safari and Firefox already block them by default, and the broader industry is moving away from them.

What is Cookie Consent?

Cookie consent is a user's agreement to allow a website to place certain cookies on their device. Under most modern privacy frameworks, websites need clear, informed consent before setting any non-essential cookies, including analytics, personalisation or advertising cookies.

In Australia, the relevant legislation is the Privacy Act 1988, administered by the Office of the Australian Information Commissioner (OAIC). While Australia doesn't have a cookie-specific law like Europe's GDPR, the Privacy Act still creates real obligations for businesses collecting personal information through their websites, which cookies often do.

The Privacy and Other Legislation Amendment Act 2024, passed in December 2024, handed the OAIC expanded enforcement powers including the ability to issue infringement notices of up to $66,000 per breach without needing a formal complaint. The OAIC has been open about its intent to use those powers. If your business hasn't reviewed its consent setup recently, that's reason enough to do so now.

How Do Users Give Consent?

Consent is typically captured through a banner or pop-up on a user's first visit. Users should have a genuine choice between three options:

  • Accept All Cookies: the user agrees to all cookies, including tracking and marketing.
  • Manage Preferences: the user selects which categories they're comfortable with.
  • Reject Non-Essential Cookies: the user allows only what's strictly necessary to run the site.

Best practice means making all three options equally accessible. Burying the reject option or pre-ticking boxes does not constitute valid consent. Users should also be able to update or withdraw their consent at any time.

What Does Honouring Consent Actually Mean?

Deploying a cookie banner is only the first step. The harder part is making sure your website actually respects what the user chooses.

A properly implemented consent solution will:

  • Ensure non-essential cookies are not set before obtaining proper user consent.
  • Refrain from loading non-essential cookies if the user declines them.
  • Provide clear and accessible options for users to modify their preferences at any time.

This is where many organisations fall short. A banner that looks compliant but doesn't control what actually loads on your site is not compliance; it is only the appearance of it. The OAIC is increasingly focused on this distinction.
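The three requirements above come down to one technical rule: nothing non-essential is injected or written until the stored consent says it may be, and the decision is re-applied whenever the user changes it. The following is an added example of such a consent gate, not code from the original article; the tag URLs and cookie names are constructed, and the `cookies` map stands in for `document.cookie` so the logic runs outside a browser.

```javascript
// Third-party tags keyed by the consent category each one requires (constructed URLs).
const TAGS = [
  { id: "analytics", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ads", category: "marketing", src: "https://ads.example/pixel.js" },
];

// Browser default: inject the third-party script only when actually called.
function browserLoader(tag) {
  const s = document.createElement("script");
  s.src = tag.src;
  s.async = true;
  document.head.appendChild(s);
}

class ConsentManager {
  constructor(loadScript = browserLoader) {
    this.loadScript = loadScript;
    this.consent = null;      // null = no choice made yet: nothing non-essential runs
    this.loaded = [];         // ids of tags that have been injected
    this.cookies = new Map(); // name -> { value, category }; stand-in for document.cookie
  }

  // Only the strictly necessary category is allowed before the user chooses, and no
  // category is pre-ticked: a category missing from the decision means "not consented".
  allows(category) {
    if (category === "necessary") return true;
    return this.consent !== null && this.consent[category] === true;
  }

  // Record the banner decision (Accept All / Manage Preferences / Reject) and enforce it.
  setConsent(choices) {
    this.consent = { analytics: false, marketing: false, ...choices };
    for (const tag of TAGS) {
      if (this.allows(tag.category) && !this.loaded.includes(tag.id)) {
        this.loadScript(tag);
        this.loaded.push(tag.id);
      }
    }
    // On withdrawal an already-injected script cannot be unloaded, so at least
    // purge the cookies of every category that is no longer allowed.
    for (const [name, c] of this.cookies) {
      if (!this.allows(c.category)) this.cookies.delete(name);
    }
  }

  // Gate every cookie write on its category; returns whether the cookie was set.
  setCookie(name, value, category) {
    if (!this.allows(category)) return false;
    this.cookies.set(name, { value, category });
    return true;
  }
}
```

The order matters: the tags are never referenced from the page's static HTML, so the only path to loading them is through `setConsent`, which is what makes the banner's choice enforceable rather than cosmetic.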

Frequently Asked Questions

Do Australian websites legally need a cookie consent banner? Not in every case, but if your site uses cookies that collect personal information, which most analytics and advertising cookies do, then yes, the Privacy Act 1988 creates obligations around how that data is collected and consented to.

What happens if we don't comply? Since December 2024 the OAIC can issue infringement notices of up to $66,000 per breach without a formal complaint being lodged. Larger or repeated breaches can attract significantly higher penalties.

Is a basic cookie banner enough? Only if it actually controls what loads on your site. A banner that doesn't technically enforce the user's choice is not compliant, regardless of how it looks.

What's the difference between first-party and third-party cookies? First-party cookies are set by the website you're visiting and generally support basic site functionality. Third-party cookies are set by external domains and are typically used for advertising and cross-site tracking.

How often should we review our consent setup? At minimum whenever you add new third-party tools to your site or when privacy legislation changes. Given the pace of regulatory change in Australia right now, an annual review is a reasonable baseline.