The Australia Privacy Act (the Privacy Act 1988) governs how organisations collect, use, and disclose personal information. It is built on 13 Australian Privacy Principles and enforced by the OAIC. It applies to your website's cookies whenever they collect personal information, creating a transparency and notice duty rather than a banner mandate.
Getting the timeline right matters here. The statutory tort for serious invasions of privacy is already in force, since 10 June 2025. The new automated-decision-making rules do not start until 10 December 2026, and removal of the small-business exemption is still only proposed. This guide covers who the Act binds, what the 13 APPs require, the penalties, and each of those reforms.
What Is the Australia Privacy Act?
The Privacy Act 1988 (Cth) is Australia's primary federal law regulating how government agencies and covered organisations handle personal information. It creates the 13 Australian Privacy Principles (APPs) and is administered by the Office of the Australian Information Commissioner (OAIC).
The Act was introduced to promote and protect the privacy of individuals. It regulates how Australian Government agencies and covered organisations collect, use, store, and disclose personal information.
Beyond general privacy, the Act also governs three adjacent areas: consumer credit reporting, tax file number handling, and health and medical research data. These sit alongside the APPs as part of the same statute, though they rarely apply to a typical commercial website.
The Act is one of the world's data privacy laws built on a principles-based model rather than a prescriptive rulebook. That design gives covered organisations flexibility in how they meet each principle, unlike more rule-specific regimes.
Who Has to Comply with the Privacy Act? (APP Entities and the Small Business Exemption)
The Privacy Act binds "APP entities": Australian Government agencies and private organisations with an annual turnover above AUD 3 million. A small set of businesses are covered regardless of turnover.
Several business types are caught by the Act no matter their size. The list below covers the main ones.
- Health service providers, covering physical, emotional, psychological, and mental health services
- Businesses that trade in personal information, meaning they collect or disclose personal information for a benefit, service, or advantage
- Commonwealth contracted service providers, delivering services under a Commonwealth contract
- Credit reporting bodies
- Businesses that opt in voluntarily to Privacy Act coverage
The Act also reaches foreign organisations that carry on business in Australia and handle personal information collected here, regardless of where the organisation is based.
Most small websites and businesses fall under the AUD 3 million threshold and are exempt from the Privacy Act today. A business can still opt in voluntarily. The government has agreed in principle to review the exemption, but removing it remains a proposed reform, not current law.
What Are the 13 Australian Privacy Principles (APPs)?
The Privacy Act is built on 13 legally binding Australian Privacy Principles. Together they govern the full lifecycle of personal information, from collection through use, disclosure, security, and correction.
| APP | Name | What it requires |
|---|---|---|
| APP 1 | Open and transparent management of personal information | Maintain a clear privacy policy and manage data openly |
| APP 2 | Anonymity and pseudonymity | Let individuals interact anonymously where practicable |
| APP 3 | Collection of solicited personal information | Collect only what is reasonably necessary, with limits on sensitive information |
| APP 4 | Dealing with unsolicited personal information | Assess and, where required, destroy or de-identify unsolicited data |
| APP 5 | Notification of collection | Notify individuals when personal information is collected |
| APP 6 | Use or disclosure | Use data only for its original purpose unless an exception applies |
| APP 7 | Direct marketing | Give individuals a way to opt out of direct marketing |
| APP 8 | Cross-border disclosure | Take reasonable steps before disclosing data overseas |
| APP 9 | Government related identifiers | Restrict adoption and use of government identifiers |
| APP 10 | Quality of personal information | Keep personal information accurate, complete, and current |
| APP 11 | Security of personal information | Protect data from misuse, interference, and loss |
| APP 12 | Access to personal information | Give individuals access to their own data on request |
| APP 13 | Correction of personal information | Correct inaccurate personal information on request |
Each APP applies to every APP entity covered by the Act, with no separate tier for smaller covered businesses. A privacy policy under APP 1 is the practical starting point most website owners build toward first.
What Counts as Personal Information Under the Privacy Act?
Personal information is information or an opinion about an identified individual, or one who is reasonably identifiable. This holds whether the information is true or not, and whether it is recorded in material form or not.
That definition covers names, contact details, and government identifiers, but it also extends to information that can identify someone indirectly, including certain online identifiers. A subset called sensitive information carries stricter rules. It covers health data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, and genetic or biometric data. Collecting sensitive information generally requires the individual's consent before collection, not just after-the-fact disclosure.
Online identifiers connect directly to this definition. A cookie or tracker that can identify a specific visitor, even indirectly, collects data that can qualify as personal information under the Act. That is what counts as personal data in the first place.
Does the Privacy Act Apply to Cookies and Website Tracking?
Australia has no cookie-specific law, and the Privacy Act does not explicitly mandate a cookie banner. The Act and the APPs apply to cookies and trackers whenever they collect personal information. An AU-facing site must be transparent about that collection, and for sensitive information, it must obtain consent.
In practice, that transparency duty translates into a short list of concrete obligations. Four points cover most website owners.
- Disclose cookie and tracker use in a privacy policy and cookie policy, per APP 1 and APP 5
- Give visitors a genuine way to understand and control non-essential and tracking cookies
- Get consent before collecting sensitive information through any tracking technology
- Keep the privacy policy current as tracking tools and vendors change
This is a transparency-and-control duty, not a GDPR-style consent-before-loading mandate. A site can technically load non-essential cookies before a visitor responds. It must disclose what it collects and give a working way to control it. Most sites still choose a banner because it is the most practical way to satisfy APP 1 and APP 5 in one place. The Act itself does not name a banner requirement.
What Happens If You Break the Privacy Act? (Penalties and the OAIC)
The Office of the Australian Information Commissioner (OAIC) regulates and enforces the Privacy Act, investigating complaints and serious or repeated interferences with privacy. For a body corporate, the maximum civil penalty is the greater of three figures. Those figures are AUD 50 million, three times the benefit obtained from the breach, or 30 percent of adjusted turnover during the breach period.
That AUD 50 million ceiling reflects a 2022 enforcement reform that raised penalties sharply from the earlier regime. For an individual, sole trader, or partnership, the top-tier maximum is AUD 2.5 million instead. The OAIC also applies a tiered system below that top level, with mid-tier penalties and lower-tier infringement notices for less severe breaches. It can also pursue enforceable undertakings and compensation orders alongside a civil penalty.
Separately, the Notifiable Data Breaches (NDB) scheme requires organisations to notify affected individuals and the OAIC. This applies when a data breach is likely to result in serious harm. The NDB scheme runs alongside the general Privacy Act obligations rather than replacing them.
What Changed Under the 2024 Privacy Act Reforms?
The Privacy and Other Legislation Amendment Act 2024 received Royal Assent in December 2024 and delivered the first tranche of Privacy Act reforms. Some changes are already in force; others are phased in on a delay.
- Statutory tort for serious invasions of privacy: in force since 10 June 2025. Individuals can now sue directly in court for a serious, intentional, or reckless invasion of privacy. Remedies can include damages, an injunction, or an order requiring an apology.
- Automated decision-making (ADM) transparency: commences 10 December 2026. From that date, privacy policies must disclose when substantially automated decisions significantly affect an individual. This is not yet a current obligation.
- Stronger OAIC enforcement: new civil penalty tiers and the power to issue infringement notices without going to court, mostly effective from Royal Assent.
- A Children's Online Privacy Code: the OAIC is developing a dedicated code covering how online services handle children's personal information.
Further reform tranches are expected, including a likely review of the small business exemption, but none of those later changes are law yet.
How Is the Australia Privacy Act Different from the GDPR?
The Privacy Act and the GDPR both protect personal information, but they diverge on scope, consent, and enforcement. The Privacy Act scopes coverage by business size using the AUD 3 million turnover test. The GDPR applies to any organisation handling EU residents' data, regardless of size or location.
| Australia Privacy Act | GDPR | |
|---|---|---|
| Who it applies to | APP entities: turnover above AUD 3 million, plus specific smaller businesses | Any organisation processing EU residents' data, any size |
| Consent model | Express or reasonably inferred (implied) consent for most data | Explicit, informed, opt-in consent or another lawful basis |
| Cookie consent under the GDPR | Transparency and notice duty; no opt-in-before-loading mandate | Non-essential cookies wait for affirmative opt-in consent |
| Right to sue | Statutory tort from 10 June 2025, for serious invasions only | Established right to compensation under Article 82 |
| Maximum fine | AUD 50 million, three times the benefit, or 30 percent of adjusted turnover | Up to EUR 20 million or 4 percent of global annual turnover |
A site that only meets the Privacy Act is not automatically compliant with the GDPR, and the reverse holds too. A business serving both Australian and EU visitors typically needs the stricter EU model layered on top wherever it applies. That is why understanding what the GDPR is matters even for an AU-first site with European traffic.
How Consently Helps Australian Websites Meet Their Privacy Act Cookie Duties
Consently helps AU-facing websites operate the consumer-facing and policy side of the APPs' transparency and notice duties. It is not a Privacy Act compliance certification, and no tool can make that claim.
Consently's cookie consent banner shows visitors a customizable interface with accept, reject, and manage options. That lets people understand and control the non-essential cookies that may collect their personal information. Automatic geotargeting adjusts what a visitor sees by region, which matters for a site serving Australian traffic alongside stricter markets like the EU.
Two features support the documentation side directly. The Cookie Policy and Privacy Policy generators build the privacy policy APP 1 requires from guided questions, and help keep it current. Cookie auto-blocking can stop non-essential cookies and scripts from firing until a visitor responds. That gives the transparency-and-control duty a technical backstop beyond disclosure alone.
Consently does not handle the statutory tort, automated decision-making disclosures, or Notifiable Data Breach reporting. Those stay the business's legal responsibility, and the policy generators are compliance assistance, not legal advice. Consently's cookie consent solution covers the banner, scanning, and policy side. Try Consently free to see the banner and policy generator on your own site.
FAQs
What is the Australia Privacy Act in simple terms?
The Privacy Act 1988 is Australia's federal law controlling how organisations collect, use, store, and disclose personal information. It is built on 13 Australian Privacy Principles and enforced by the OAIC.
Does the Privacy Act apply to small businesses?
Most businesses with an annual turnover of AUD 3 million or less are exempt today. A business is still covered regardless of size if it trades in personal information, provides health services, or holds a Commonwealth contract. Any business can also opt in voluntarily.
Do Australian websites legally need a cookie banner?
No specific law mandates a banner. If a site uses cookies that collect personal information and the business is an APP entity, it must be transparent about that collection. A banner and cookie policy are the practical way to deliver that transparency.
What are the 13 Australian Privacy Principles?
The 13 APPs cover transparent management of personal information, anonymity, collection, notification, use and disclosure, and direct marketing. They also cover cross-border disclosure, government identifiers, data quality, security, access, and correction.
What information is covered by the Privacy Act?
The Privacy Act covers personal information: any information or opinion about an identified or reasonably identifiable individual, whether true or not. That includes names, contact details, government identifiers, and online identifiers like cookies when they can single out a person. Sensitive information, such as health or biometric data, gets stricter protection.
Does Australia have a version of the GDPR?
Not exactly. The Privacy Act is Australia's closest equivalent, but it is principles-based, scoped by business turnover, and lighter on cookie consent than the GDPR's opt-in model.
What are the penalties under the Privacy Act?
For a serious or repeated interference with privacy, a corporation can face the greater of three figures. Those figures are AUD 50 million, three times the benefit obtained, or 30 percent of adjusted turnover. The OAIC enforces these penalties.
Can you sue for a privacy breach in Australia?
Yes. Since 10 June 2025, a statutory tort lets individuals sue directly in court for a serious, intentional, or reckless invasion of privacy. Remedies can include damages.
When do the automated decision-making rules start?
The new transparency rules requiring privacy policies to disclose substantially automated decisions commence on 10 December 2026. They are not in force yet.

