Australia doesn't have a cookie law. There's no ePrivacy-style rule that says you must show a banner and collect opt-in before setting a tracker. What Australia has is the Privacy Act 1988 and its 13 Australian Privacy Principles (APPs), which regulate cookies only when they collect "personal information". That single fact explains why Australian cookie practice looks so different from Europe's, and why so many Australian sites run a notice rather than a consent wall.
But the ground is shifting. In late 2024 Australia passed the first tranche of the biggest privacy overhaul in a generation, and more is coming. This guide covers what applies to cookies today, what the 2024 reform changed, who enforces it, and what to build now so you're not caught out by the second tranche.
The Model: Notice, Not Opt-In
The Privacy Act attaches to personal information, meaning information about an identified individual or an individual who is reasonably identifiable. A cookie that builds a profile tied to a person, or that a data broker can re-identify, is generally caught. A purely technical, non-identifying cookie may fall outside the Act altogether.
When the Act does apply, the relevant obligations are transparency and fair handling, not mandatory opt-in:
- APP 5 requires you to notify individuals, at or before collection, about what you collect and why. This is the notice your cookie banner and privacy policy provide.
- APP 3 limits collection to what's reasonably necessary for your functions.
- APP 6 restricts using or disclosing information for a secondary purpose the person wouldn't expect.
- APP 7 governs direct marketing and gives individuals a right to opt out.
Express consent is generally reserved for sensitive information (health, sexual orientation, political views, and similar). For ordinary tracking, the Australian baseline is a clear notice plus a genuine opt-out for marketing, not a European-style consent gate. That's a real compliance difference, and it's why a global site can serve Australia with a lighter-touch banner than it serves the EU.
What the 2024 Reform Changed
The Privacy and Other Legislation Amendment Act 2024 passed Parliament on 29 November 2024 and received Royal Assent on 10 December 2024. It's the first of two planned tranches, and it's already reshaping enforcement:
- A statutory tort for serious invasions of privacy. For the first time, individuals can sue directly for a serious invasion of privacy arising from intentional or reckless conduct. The tort commenced on 10 June 2025, six months after Royal Assent. This creates litigation risk that didn't exist before, on top of regulator action.
- A Children's Online Privacy Code. The OAIC is required to develop a binding code for online services likely to be accessed by children, and must register it by 10 December 2026. A draft was released for consultation in March 2026. If children can reach your service, this will set additional handling rules.
- Automated decision transparency. Organisations will have to state in their privacy policies the kinds of decisions made substantially by automated systems that significantly affect individuals' rights or interests, and the kinds of personal information those systems use. This obligation commences on 10 December 2026, 24 months after Royal Assent.
- Stronger enforcement. New tiers of civil penalty for less-serious interferences, and infringement-notice powers, give the regulator faster, more graduated tools than the old all-or-nothing model.
Who Enforces It, and the Penalty Ceiling
The regulator is the Office of the Australian Information Commissioner (OAIC); within it, the Privacy Commissioner is responsible for privacy functions. It investigates complaints, conducts own-motion inquiries, and takes enforcement action. Its guidance lives at the OAIC's official site.
The headline penalty was raised sharply back in 2022 by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022: for serious or repeated interferences with privacy, the maximum for a body corporate is now the greater of AUD $50 million, three times the value of the benefit obtained from the misuse, or, where that benefit can't be determined, 30% of the company's adjusted turnover during the breach turnover period. That's a GDPR-scale ceiling. The reality of it landed in December 2024, when Meta agreed, through an enforceable undertaking with the OAIC, to pay AUD $50 million to settle the Cambridge Analytica proceedings, the largest payment for a privacy matter in Australian history. The Government's reform agenda is set out by the Attorney-General's Department.
The Second Tranche: What's Still Coming
The 2024 Act deliberately left the harder questions for a second tranche, which the Government agreed to in principle but hadn't legislated as of mid-2026. Watch for:
- A "fair and reasonable" overarching test for collection and use, regardless of consent.
- A tightened definition of consent (voluntary, informed, current, specific, unambiguous), which would move Australia closer to the opt-in world.
- A clearer statement that technical identifiers like cookie IDs are personal information.
- Removal or narrowing of the small-business exemption that today exempts many businesses under AUD $3 million turnover.
None of this is law yet. But the direction is unmistakable: Australia is drifting from a notice model toward a consent model. Building a banner that can flip from notice to opt-in without a re-platform is the smart hedge.
A Practical Setup for Australian Traffic
- Run a clear notice. A cookie banner that links to a plain-language privacy policy satisfies APP 5 today, provided the policy actually covers the APP 5 matters: who you are, what you collect and why, who you disclose it to (including overseas), and how to complain. You don't need an opt-in gate for ordinary analytics.
- Give a real marketing opt-out. APP 7 entitles people to say no to direct marketing; make it easy and honour it.
- Get express consent for sensitive data. If any tracker touches health, sexual orientation, or similar, that's the opt-in case.
- Prepare for children. If your service is likely accessed by under-18s, follow the Children's Online Privacy Code as it finalises through 2026. Our age-assurance guide covers the methods.
- Keep your consent tooling flexible. The second tranche may require opt-in. Choose a setup where switching Australia from notice to opt-in is a config change, not a rebuild.
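To make the "config change, not a rebuild" hedge concrete, here is an added example of a region-keyed consent policy. It was written for this guide and is not CookieBeam's or any other vendor's code; the region tags, category names, config shape and script URLs are assumptions for illustration. The point it shows is that the regional mode is data, not branching code: per-region mode decides whether non-essential categories run on notice or on opt-in, sensitive categories need express consent in every region, marketing honours an opt-out in notice mode, and an unknown region fails closed to the strict model.

```javascript
// Region-aware consent policy for a cookie banner.
// Added example for this guide, not CookieBeam's code. The region tags,
// category names, config shape and the constructed script inventory are
// assumptions for illustration.

// Per-region mode. "notice": once the notice has been shown, non-sensitive
// categories run and marketing honours an opt-out (the APP 5 / APP 7 model).
// "opt-in": only essential scripts run until the visitor opts a category in.
// Moving AU to opt-in later is a one-line change to this object.
const CONSENT_CONFIG = {
  regions: {
    AU: { mode: "notice" },
    EU: { mode: "opt-in" },
  },
  defaultMode: "opt-in", // unknown region: fail closed to the strict model
  // Categories that need express consent in every region, whatever the mode
  // (the sensitive-information case under APP 3.3).
  alwaysOptIn: new Set(["sensitive"]),
};

const CATEGORIES = ["essential", "analytics", "marketing", "sensitive"];

// Constructed script inventory keyed by category (hypothetical URLs).
const SCRIPT_INVENTORY = [
  { src: "https://example.test/session.js", category: "essential" },
  { src: "https://example.test/analytics.js", category: "analytics" },
  { src: "https://example.test/ads.js", category: "marketing" },
  { src: "https://example.test/health-survey.js", category: "sensitive" },
];

// Normalise a visitor's recorded choices into Sets.
function visitorState({ noticeShown = false, optIn = [], optOut = [] } = {}) {
  return { noticeShown, optIn: new Set(optIn), optOut: new Set(optOut) };
}

function modeFor(region, config = CONSENT_CONFIG) {
  const entry = config.regions[region];
  return entry ? entry.mode : config.defaultMode;
}

// Returns the sorted list of categories allowed to run for this visitor.
function allowedCategories(region, state, config = CONSENT_CONFIG) {
  const mode = modeFor(region, config);
  const allowed = ["essential"]; // strictly necessary scripts always run
  for (const cat of CATEGORIES) {
    if (cat === "essential") continue;
    if (config.alwaysOptIn.has(cat)) {
      // Express consent required everywhere; regional mode is irrelevant.
      if (state.optIn.has(cat)) allowed.push(cat);
    } else if (mode === "opt-in") {
      if (state.optIn.has(cat)) allowed.push(cat);
    } else if (mode === "notice") {
      // Notice model: run unless the visitor has opted this category out.
      if (state.noticeShown && !state.optOut.has(cat)) allowed.push(cat);
    }
    // Any other mode value is treated as "essential only".
  }
  return allowed.sort();
}

// Filter the inventory to the script URLs that may be injected into the page.
function scriptsToLoad(region, state, config = CONSENT_CONFIG) {
  const allowed = new Set(allowedCategories(region, state, config));
  return SCRIPT_INVENTORY.filter((s) => allowed.has(s.category)).map((s) => s.src);
}

// The "second tranche" hedge: a copy of the config with one region's mode changed.
function withRegionMode(region, mode, config = CONSENT_CONFIG) {
  return { ...config, regions: { ...config.regions, [region]: { mode } } };
}

// Stand-alone demo: an Australian visitor who saw the notice and opted out of
// marketing, before and after flipping AU to opt-in.
const au = visitorState({ noticeShown: true, optOut: ["marketing"] });
console.log("AU notice mode:", scriptsToLoad("AU", au));
console.log("AU opt-in mode:", scriptsToLoad("AU", au, withRegionMode("AU", "opt-in")));
```

Run it with node. Because the mode lives in the config object, moving Australia to opt-in when the second tranche lands is the single change `withRegionMode("AU", "opt-in")` demonstrates; the script inventory and the visitor's recorded choices are untouched. The geolocation step that produces the region tag is out of scope here and should itself be treated as untrusted input, which is why an unrecognised region gets the strict mode rather than the lighter one.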
How CookieBeam Handles Australia
CookieBeam ships an Australia Privacy Act framework preset, and it's deliberately a notice-mode banner rather than an opt-in one, because that's what the APPs require today. It presents transparency and controls without gating scripts behind consent the way the GDPR preset does. Through the regional consent engine, an Australian visitor sees that notice model while an EU visitor sees strict opt-in, from the same banner.
The important part is what happens when the second tranche lands. If Australia moves to an opt-in consent standard, switching the Australia region from notice to opt-in is a setting, not a migration, and your existing consent logs and script inventory carry over. That's the flexibility to plan for, given how clearly Australia is signalling the shift. Verify the current OAIC position and the status of the reform before you finalise; this guide reflects mid-2026.
Related Guides
For the opt-in regime Australia is drifting toward, see the GDPR cookie compliance checklist. For the children's-code angle, read age assurance for cookie consent. For how penalties compare worldwide, see cookie consent penalties by country. For serving different rules per location, read regional consent for global sites, and for other non-EU regimes, our emerging-markets guide.