Australia’s Privacy Act and its Australian Privacy Principles (APP) require a website to have an updated privacy policy (known as APP privacy policy) that also informs users of how it collects and handles personal information.
Most cookies and trackers on your website will collect personal information from visitors and must therefore be disclosed in your APP privacy policy. However, most cookies and trackers require deep-scanning technology to be uncovered.
In this blogpost, we look at the privacy policy requirements for Australian websites, the issues around detecting hidden cookies and trojan horses, and the technology needed to uncover it all.
Australia: privacy policy and cookies
Your website has cookies – most websites do. Your website likely has both first-party cookies (necessary for the basic functions of your domain) and third-party cookies (for analytics and marketing purposes).
This means that your website – like most websites in the world today – is faced with protecting its users’ privacy on the one hand and processing their personal information for website optimization and marketing on the other.
Australia’s Privacy Act and its Australian Privacy Principles (APP) require your website to have a privacy policy, in which you also inform your users of all cookies and trackers that collect, process or share personal information.
But your website has many hidden cookies and trackers from third-party companies that harvest personal data from your users, and these can create a real liability for your website, company or organization.
The issues of cookies on websites
A 2020 study of more than ten thousand websites shows how difficult it is for website owners to be compliant –
- 72% of cookies are set by fourth parties, loaded in secret by the embedded third-party cookies, a pattern also known as trojan horses.
- 18% of cookies are deeper trojan horses, i.e. they derive from secretly loaded fifth, sixth, seventh or eighth parties.
- 50% of trojan horses will have changed and carry different trackers on repeated visits.
These findings make it very clear how difficult it is for website owners to know exactly what goes on on their domain without deep-scanning technology that can uncover not only third-party trackers, but all the trojan horses that third-party cookies load unbeknownst to you, the website owner.
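As an added illustration (not code from this post or from Cookiebot), the following Python sketch shows how a scanner can attribute each cookie to the party that set it by walking the chain of script loads back to the page, which is what separates a plain third-party cookie from one loaded by a fourth or deeper party. The request log, cookie list, hostnames and the naive domain function are constructed assumptions for the example.

```python
"""Cookie provenance by loading chain (added example with constructed data)."""
from urllib.parse import urlparse

# Constructed sample of what a headless-browser scan records: each request
# as (url, initiator_url), where the initiator is the page or script that
# triggered the load; None marks the top-level page itself.
SAMPLE_REQUESTS = [
    ("https://www.example-shop.au/", None),
    ("https://www.example-shop.au/static/app.js", "https://www.example-shop.au/"),
    ("https://cdn.analytics-vendor.example/tag.js", "https://www.example-shop.au/"),
    ("https://pixel.ad-exchange.example/sync", "https://cdn.analytics-vendor.example/tag.js"),
    ("https://match.data-broker.example/id", "https://pixel.ad-exchange.example/sync"),
]
# Constructed cookies as (name, url of the response or script that set it).
SAMPLE_COOKIES = [
    ("session", "https://www.example-shop.au/"),
    ("_va", "https://cdn.analytics-vendor.example/tag.js"),
    ("uid", "https://pixel.ad-exchange.example/sync"),
    ("bid", "https://match.data-broker.example/id"),
]

def registrable_domain(host):
    """Naive eTLD+1 (last two labels). A real scanner should use the Public
    Suffix List, otherwise e.g. 'shop.com.au' collapses to 'com.au'."""
    return ".".join(host.lower().split(".")[-2:])

def party_of(url, requests, site_host):
    """Party number of a request: 1 = first party, 3 = third party loaded by
    the page itself, 4+ = loaded by another third party (the post's 'trojan
    horse'). Walks the initiator chain back, counting distinct foreign domains."""
    initiators = dict(requests)
    site = registrable_domain(site_host)
    foreign, visited, cur = [], set(), url
    while cur is not None and cur not in visited:  # visited guards cycles
        visited.add(cur)
        dom = registrable_domain(urlparse(cur).hostname or "")
        if dom != site and dom not in foreign:
            foreign.append(dom)
        cur = initiators.get(cur)
    return 1 if not foreign else 2 + len(foreign)

def cookie_inventory(cookies, requests, site_host):
    """Map each cookie name to the party number of whatever set it."""
    return {name: party_of(src, requests, site_host) for name, src in cookies}

def hidden_share(inventory):
    """Fraction of cookies set by fourth parties or deeper, i.e. the ones a
    review that stops at the embedded third parties would miss."""
    return sum(1 for p in inventory.values() if p >= 4) / len(inventory)
```

Run against a real scan, the initiator data would come from the browser's network log rather than a hand-built list, and the cookies with party number 4 or higher are the ones that need to be traced before they can be disclosed in a privacy policy.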
In the end, it is the responsibility of the website owner to make sure that their privacy policy is not only up to date, but exhaustive, i.e. informing users of all cookies and trackers that can be privacy-infringing.
This is where the Cookiebot consent management platform (CMP) comes in.
Cookiebot CMP: deep-scans for APP privacy policies
Cookiebot CMP is a deep-scanning technology developed to enable website owners to detect all cookies and trackers and take control of them to protect the privacy of their users and obtain compliance with data protection laws across the world.
When you implement Cookiebot CMP on your website, it automatically performs scans of your entire domain and all of its subpages. After it has found all there is to find, Cookiebot CMP then takes automatic control of all cookies (also third-party cookies and the trackers they secretly load).
The Privacy Act and its Australian Privacy Principles (APP) establish certain requirements for how a website must inform and disclose its collection, processing and sharing of personal information.
Cookiebot CMP's unmatched website scanner can help you obtain compliance with Australia’s data laws and their requirement that your privacy policy informs exhaustively about all cookies, trackers and other ways you collect, process and share personal information on your website.
The biggest struggle of having a Privacy Act-compliant APP privacy policy on your website is making sure that it is exhaustive and correct, i.e. informs clearly about all cookies and trackers embedded, even the trojan horses that are loaded by other trackers.
With Cookiebot CMP, you can rest assured that all cookies, trackers and trojan horses will be found and control of them handed over to you.
Cookiebot CMP also enables compliance with both the EU’s GDPR and California’s CCPA –
In the EU, the General Data Protection Regulation (GDPR) demands that websites obtain and securely store the explicit consent of users before any collection of their personal data is allowed to take place. You must be compliant with the GDPR if you have visitors to your website from inside the EU.
In the US, the California Consumer Privacy Act (CCPA) requires businesses to give more control to California residents over the personal information they generate online, including giving them an option to opt out of having their data sold to third parties.
Try Cookiebot CMP free for 14 days
Australia’s Privacy Act
Australia’s Privacy Act of 1988 is the main piece of data protection legislation on the continent. Though it originally dates from 1988, it has been amended more than thirty times.
It regulates all companies, organizations and websites that operate in Australia and creates a national standard for collecting, processing and sharing personal information.
The Privacy Act does this by creating the so-called Australian Privacy Principles (APPs) – a set of thirteen codes of conduct that must be followed in order to be compliant with the Act. These are the backbone of personal data protection for websites that operate in Australia.
Enforcement of the Privacy Act and the Australian Privacy Principles falls to the Office of the Australian Information Commissioner (OAIC), which both guides companies on legal compliance and investigates and enforces breaches of the privacy law.
Personal information vs sensitive information
The Australian Privacy Principles (APPs) create a legal landscape for websites that is carved in two: between personal information and sensitive personal information. It’s important to know which type of data your website collects in order to be compliant.
Personal information includes –
- name,
- signature,
- addresses,
- e-mail,
- phone number,
- social security numbers,
- date of birth,
- credit or bank information,
- IP addresses and browser history,
- location data.
Sensitive personal information includes –
- racial or ethnic origin,
- political opinions,
- religious beliefs,
- sexual orientation,
- criminal history,
- health information,
- genetic data,
- biometric information.
With personal information, the Australian Privacy Principles (APPs) state that your website is only allowed to collect and process it if it is reasonably necessary for or directly related to your website’s functions and activities.
This must be clearly stated in your privacy policy. We will get to this in a minute.
With sensitive personal information, websites must usually ask users for their express consent before collection.
Australian privacy law operates with two different types of consent: express and implied.
Express consent is the user’s “open and obvious” decision to accept, whereas implied consent is the “reasonable belief” by websites, organizations and companies that they have the user’s consent.
OAIC on express consent and sensitive personal information.
You can do this through Cookiebot CMP, which automatically handles all consents, documentation and secure storage.
New amendments to the Privacy Act on the way
The Australian government has announced that it will amend the Privacy Act to increase fines for data breaches and create a whole new privacy code to regulate the collection and processing of personal information on digital platforms, such as Facebook and Google.
It has also announced that a broad review of the Privacy Act will take place to assess whether it adequately protects users’ privacy and their personal information online.
Australian Privacy Principles
The Australian Privacy Principles (APPs) are thirteen codes of conduct created by the Privacy Act that websites, companies and organizations that operate in Australia must follow for compliance.
Who do the Australian Privacy Principles apply to?
The Australian Privacy Principles (APPs) apply to what is known in the law as “an APP entity”, defined as an agency or organization.
Small businesses are in general exempt from compliance with the Australian Privacy Principles. However, numerous exceptions exist, such as when a small business discloses personal information for “a benefit, service or advantage”.
OAIC on who the Australian Privacy Principles apply to.
What are the Australian Privacy Principles?
The thirteen APPs concern the following areas –
- open and transparent management of personal information
- enabling user anonymity and pseudonymity
- collection of solicited personal information
- dealing with unsolicited personal information
- notification of the collection of personal information
- use or disclosure of personal information
- direct marketing
- cross‑border disclosure of personal information
- adoption, use or disclosure of government related identifiers
- quality of personal information
- security of personal information
- access to personal information
- correction of personal information
Read the Australian Privacy Principles guidelines in detail here.
All thirteen APPs must be applied in order to be compliant with Australia’s Privacy Act, but we’ll highlight the most important and relevant ones regarding websites here.
Australian Privacy Principle 1 – open and transparent management of personal information
The first Australian Privacy Principle is essentially the one that establishes the requirement for websites to have a clear, transparent and exhaustive privacy policy.
A compliant APP privacy policy must inform users about –
- the kinds of personal information that your website collects, stores and shares,
- the ways your website collects personal information (e.g. cookies),
- the purposes for which you collect, store and share personal information,
- the ways in which your users can access the personal information you’ve collected on them,
- the ways in which your users can correct their personal information if wrong,
- whether or not you send users’ personal information overseas.
You are required to make your APP privacy policy available free of charge and in an easily accessible way on your website.
The Cookiebot CMP website scanner automatically uncovers all cookies and trackers, their purposes, duration and provenance.
It also detects who your website shares personal information with – all vital information for you to obtain in order to be compliant with the Privacy Act and its Australian Privacy Principles.
Australian Privacy Principle 3 – collection of solicited personal information
This APP is where the legal difference between personal information and sensitive personal information is created, and the compliance requirements stated (see above for more).
Australian Privacy Principle 5 – notification of the collection of personal information
At or before the time of collection – or as soon as possible after – your website must notify users that you are collecting personal information.
While this may sound as if the APPs create a legal need for what is known in Europe as a cookie banner (i.e. a consent notification that pops up when a user lands on a website), they actually don’t.
Australian data protection laws do not require cookie banners, unless your website collects sensitive personal information, in which case you must obtain the express consent of users.
A substantial number of exceptions to this APP exist; if you want to know more, read here.
Australian Privacy Principle 6 – use or disclosure of personal information
If your website collects personal information on users for one purpose, you are not allowed to use or disclose it for any other purposes – unless you obtain the consent to this from your users.
This means that if you have stated in your APP privacy policy that you collect personal information through cookies and trackers for one purpose, you are legally bound to collect, use or share it only for that purpose, unless you obtain your users’ consent for another purpose.
And remember, if this is sensitive personal information, you must always obtain express consent from your users.
Australian Privacy Principle 10 – quality of personal information
It is your responsibility as the website owner to ensure that the personal information you collect is accurate, up-to-date and complete.
Australian Privacy Principle 11 – security of personal information
It is also your responsibility as the website owner to protect the personal information you collect from misuse, interference and loss, unauthorized access, modification or disclosure.
Australian Privacy Principle 12 – access to personal information
You must enable your users to request access to the personal information you have collected on them.
You are required to respond to such a request within a reasonable period after the request is made, and to give access to the information in the way that was requested by the user.
Access to personal information must be free of charge.
Australian Privacy Principle 13 – correction of personal information
You must enable your users to request corrections of the personal information you have collected on them.
If such requests are made, you must ensure that the information is up to date, complete, relevant and not misleading.
You are also required to notify third parties of such correction requests.
Summary
Australia’s data protection regime consists of the Privacy Act and its Australian Privacy Principles. These require your website to have a clear and exhaustive APP privacy policy that lists all cookies, trackers and trojan horses embedded on your website by you or third parties.
Try Cookiebot CMP website scanner free for 14 days for deep-scanning technology that enables you to uncover all cookies on your website, so you can become compliant with the Privacy Act and its APPs today.
FAQ
What is the Australia Privacy Act?
The Privacy Act of 1988 is the main data privacy law in Australia today. It regulates how companies, organizations and websites are allowed to collect, process and share personal information inside Australia. Enforcement of the Privacy Act is the responsibility of the Office of the Australian Information Commissioner (OAIC). The Privacy Act established the Australian Privacy Principles (APPs) that govern lawful handling of personal information in Australia.
What are the Australian Privacy Principles?
The Australian Privacy Principles are 13 codes of conduct that websites, companies and organizations that operate in Australia must follow in order to be compliant with the Privacy Act. They include but are not limited to the following areas: open and transparent management of personal information, enabling user anonymity, notification of the collection of personal information, use and disclosure of personal information and direct marketing.
What is personal information under the Australian Privacy Act?
Personal information includes name, signature, addresses, e-mail, phone number, identification numbers (e.g. social security, passport), date of birth, IP addresses and browser history and location data. Sensitive personal information includes racial or ethnic origin, political opinions, religious beliefs, sexual orientation, health data, genetic data, biometric data and criminal history.
What must a compliant privacy policy include?
Under the Australian Privacy Principles (APPs), your website’s privacy policy must be clear, transparent and exhaustive. Your privacy policy must inform users about the kinds of personal information that your website collects and shares, including the ways your website collects personal information (e.g. through cookies and trackers) and the purposes for which you collect and share personal information. Your website must also tell its users how they can access and correct already collected personal information, and whether your website discloses personal information to other countries.
Resources
Office of the Australian Information Commissioner
OAIC on who Australian Privacy Principles apply to
OAIC on personal and sensitive personal information