
Australian Privacy Act — What You Need to Know

Australia's Privacy Act and the Australian Privacy Principles explained. Cookie consent, personal data, and compliance.

Australia’s Privacy Act of 1988 is one of the oldest privacy laws still in force. It’s been amended over 30 times and is enforced by the Office of the Australian Information Commissioner (OAIC).

The Act establishes 13 Australian Privacy Principles (APPs) that govern how organizations collect, use, and disclose personal information.

Here’s what most people get wrong about Australian privacy law:

Australia does not require cookie consent banners.

That’s right. Unlike the GDPR/PECR in Europe, there is no legal requirement to display a cookie banner to Australian visitors, unless you’re collecting sensitive personal information, in which case express consent is always required.

But before you delete your banner:

  1. The APPs still require transparency. You must tell people what data you collect and why, usually in your privacy policy.
  2. If you also serve EU or UK visitors, you need a GDPR/UK GDPR-compliant consent mechanism anyway, and the GDPR vs CCPA vs ePrivacy differences mean one banner rarely fits all.
  3. Australian law is currently under reform. Expect stricter cookie rules soon.

The 13 Australian Privacy Principles

The most relevant for websites:

  • APP 1 (Open management): You need a clear, accessible privacy policy that is free of charge and easy to find. It must disclose what data you collect, how you collect it (including cookies), why you collect it, and whether it goes overseas.
  • APP 3 (Collection): Only collect personal information that’s reasonably necessary for your functions.
  • APP 5 (Notification): Tell people what you’re collecting at or before the point of collection.
  • APP 6 (Use/disclosure): Don’t use data for a different purpose without consent.
  • APP 11 (Security): Protect personal information from misuse, loss, and unauthorized access, modification, or disclosure.
  • APP 12 (Access): Let people access their data.

Personal vs sensitive information

Personal information: names, addresses, IP addresses, browser history, location data. Can be collected as long as you are transparent about it; no express consent is required.

Sensitive information: race, political opinions, religion, sexual orientation, health data, biometrics, criminal history. Express consent always required.

Who must comply

  • APP entities: most organizations and government agencies
  • Small businesses (annual turnover under AUD 3 million) are generally exempt, but many exceptions exist
  • All organizations handling health data, providing benefits, or disclosing data for services

Cross-border transfers

If you send data overseas, you must take reasonable steps to ensure the recipient doesn’t breach the APPs. You remain accountable.

Penalties

The OAIC can seek civil penalties. For serious or repeated interferences with privacy, fines can reach AUD 50 million or more. Fines were significantly increased under the Privacy Legislation Amendment Act 2022.

How Zest handles it

Zest covers the transparency requirements through its consent notice and cookie disclosure features. For sites that also have EU/UK visitors, Zest’s consent banners handle the heavy lifting. Australia-only sites can use Zest in a lightweight notification-only mode.

Own your cookie banner.

Zest is free and MIT-licensed, and it doesn't phone home to anyone. Drop the script in and you're done.