Privacy-proof your website for Australia Privacy Act
Achieve regulatory compliance with our easy-to-use cookie consent solution to notify and obtain individual consent for all your data collection.
The #1 cookie consent solution, trusted by 1.5 Million+ websites
The Privacy Act Australia is comprehensive legislation that regulates how personal information is handled by private sector organizations, federal Government agencies, and not-for-profit organizations. The Act sets out the Australian Privacy Principles (APPs), which govern the collection, use, storage, and disclosure of personal information. The Privacy Act first took effect in 1988, with the APPs established in a 2014 amendment.
Australia Privacy Act Compliance Checklist
- Obtain user consent for direct marketing and enable opt-out
- Notify individuals about data collection with the required information
- Only use or disclose information for primary purposes or with consent
- Ensure overseas recipients handle data consistent with Privacy Principles
- Notify data breaches to the affected individuals within 30 days
Comply with the Australia Privacy Act using CookieYes
Display cookie consent banner for visitors
The Australia Privacy Act requires businesses to notify users about their data collection (including data collected through cookies) and to give them the option to opt out.
Automate consent management
Ensure up-to-date and ongoing compliance with the Privacy Act’s requirements for consent by automating your consent management.
Under the Privacy Act, businesses should be open and transparent on how they collect, use, or disclose users’ personal information.
Achieve regulatory compliance with ease with our no-code cookie consent solution
Learn more about the Privacy Act and take the next step towards compliance
What is the Australia Privacy Act?
The Privacy Act 1988 is the primary federal legislation that regulates personal information and safeguards the data privacy of individuals in Australia. Since its introduction in 1988, the Act has undergone significant expansion, including the establishment of the Office of the Australian Information Commissioner (OAIC) in 2000, the addition of the 13 Australian Privacy Principles in 2014 and the introduction of notifiable data breaches in 2018.
In 2022, a new amendment introduced important changes, such as increased penalties for serious infringements and strengthened investigative and enforcement powers for the Information Commissioner.
Who does the Privacy Act Australia apply to?
The Privacy Act applies to federal agencies and organizations with an annual turnover exceeding AUD 3 million that handle the personal information of Australian residents. The Act’s definition of an ‘organization’ includes individuals, companies, partnerships, unincorporated associations, or trusts with certain exemptions like small business operators, registered political parties, and specific government entities.
Additionally, irrespective of their size, organizations involved in credit reporting, businesses engaged in selling or buying personal information, and private health service providers are also covered under the Act.
What are consumer rights under the Privacy Act?
Right to information
The right to know why their personal information is being collected, how it will be used, and who it will be disclosed to.
Right to anonymity
The right to not identify themselves or use a pseudonym in certain circumstances.
Right to access
The right to access their personal information, including health information.
Right to complain
The right to make a complaint about an organization or agency if personal information has been mishandled.
Right to correction
The right to rectify incorrect personal information.
Right to opt-out
The right to stop receiving unwanted direct marketing.
What are the penalties under the Privacy Act?
The maximum penalty for organizations in case of serious and repeated infringements of privacy is:
- AUD 50 million,
- 3 times the interference’s benefit (if the court can determine this), or
- 30% of the company’s adjusted turnover during the breach period if the court can’t decide the benefit’s value.
The maximum penalty for individual infringements is AUD 2.5 million.
FAQ on Australia Privacy Act
The current Australian data protection law is the Privacy Act 1988. This legislation regulates how personal information is handled by Australian government agencies and businesses. The Privacy Act includes the Australian Privacy Principles (APPs), which set out the standards, rights, and obligations for the handling, holding, and use of personal information.
Under the Australia Privacy Act, personal information is defined as:
“information or an opinion about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.”
Examples of personal information include an individual’s name, address, phone number, medical records, bank account details, photos, or employment details.
Sensitive information relating to health, genetic information, racial/ethnic background, sexual orientation, and political opinions is also considered personal information and is given extra protection under the Act.
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 was passed on 12 December 2022 to implement significant reforms to the Privacy Act Australia. The amendment aims to strengthen the protection of personal information, enhance individual privacy rights, and improve transparency and accountability in data handling.
The Act brings significant changes including:
- Expanding the extraterritorial reach of the Privacy Act 1988
- Increasing penalties for serious or repeated interferences
- Strengthening the Notifiable Data Breaches Scheme
- Enhancing the powers of the OAIC to address privacy violations
The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency that oversees compliance with the Privacy Act and handles privacy-related complaints and investigations. The Privacy Act sets out the standards, rights, and obligations for the handling of personal information.
Under the Australia Privacy Act 1988, express consent is required for the collection of sensitive information or to use or disclose personal information for any purpose other than the purpose it was collected for.
Cookie consent Australia
To process non-sensitive personal information, express consent is not mandatory. However, implied consent is required, obtained through a notification at or before the time of data collection. Organizations are obligated to ensure that individuals understand the purpose of the data collection and are also presented with an option to opt out.
According to the Office of the Australian Information Commissioner (OAIC), consent should be:
- Informed: individuals should be clear about the consequences of giving or not giving their consent.
- Voluntary: consent cannot be forced or pressured, and individuals should have the choice to give consent or not.
- Current and specific: consent granted by individuals should be time- and context-specific and for the stated purpose alone.
The Privacy Act Australia exempts entities that include small businesses with an annual turnover of less than $3 million, state government agencies, most universities and public schools, individuals acting in a personal capacity, and registered political parties.
Additionally, some acts and practices related to employee records, related bodies corporate, and acts done or practices engaged in by a media organization in the course of journalism are also exempt from the Privacy Act.
While the GDPR does not directly apply to Australia, businesses need to understand the extraterritorial reach of the GDPR and assess whether they fall within its scope. The GDPR can apply to Australian businesses that operate within the EU or offer goods and services to individuals in the EU.
In such cases, businesses are required to comply with the GDPR’s requirements, such as obtaining explicit consent for data processing, implementing appropriate security measures, and respecting individuals’ rights regarding their personal data.
The Australian equivalent of the General Data Protection Regulation (GDPR) is the Privacy Act 1988. This legislation governs the handling of personal information by Australian government agencies and businesses. The Privacy Act outlines the Australian Privacy Principles (APPs), which regulate the collection, use, and disclosure of personal information and ensure its accuracy and security.
The Australian Privacy Principles (APPs) are a set of 13 principles that regulate the handling of personal information under the Privacy Act 1988 and provide a framework for the collection, use, and disclosure of personal information. The principles are:
- Open and transparent management of personal information: organizations must implement transparent privacy practices and systems.
- Anonymity and pseudonymity: individuals can remain anonymous or use a pseudonym when dealing with an APP entity.
- Collection of solicited personal information: organisations can only collect personal information necessary for legitimate purposes.
- Dealing with unsolicited personal information: organisations must take certain steps when receiving unsolicited personal information.
- Notification of collection: organisations must inform individuals about the purpose and details of collecting their personal information.
- Use and disclosure: organisations may only use or disclose personal information for the purpose for which it was collected, with exceptions.
- Direct marketing: organisations must refrain from using personal information for direct marketing purposes.
- Disclosing personal information overseas: organizations must ensure cross-border disclosure of personal information meets privacy protection standards.
- Government-related identifiers: organisations must limit the adoption, use, or disclosure of government-related identifiers.
- Quality of personal information: organisations must ensure that collected information is accurate, up-to-date, and complete.
- Security of personal information: organisations must take reasonable steps to safeguard personal information from misuse or unauthorized access.
- Access to personal information: individuals have the right to access their personal information and request corrections.
- Correction of personal information: organisations must correct personal information upon request and notify relevant entities if necessary.
Fast-track your Australia Privacy Act compliance in minutes
Set up an opt-out banner in 3 simple steps and automate your compliance.