Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a website for your business in Australia, you’ve probably seen prompts about cookie banners or privacy settings. Cookies aren’t just a tech buzzword - they’re part of how modern websites work, and they can involve personal information. That means they come with legal expectations you need to understand.
In this guide, we’ll explain what cookies are in plain English, how they work on your site, when Australian law applies, and practical steps to keep your website compliant. Our aim is to help you stay transparent with users, reduce risk, and build trust - without getting lost in legal jargon.
Cookies Explained: What They Are And Why They Matter
What Is a Cookie?
A cookie is a small piece of text that a website asks a visitor’s browser to store on their device. When the visitor returns or moves around your site, the browser sends the cookie back, which helps the site “remember” things like login status, language preferences, or what’s in a shopping cart.
Common cookie types include:
- Session cookies: Temporary cookies that are deleted when the browser is closed (used for things like keeping a user logged in during a session).
- Persistent cookies: Remain on the device for a defined period and remember preferences between visits.
- First‑party cookies: Set by your website’s domain (often used for core functionality).
- Third‑party cookies: Set by other domains or services, such as analytics, advertising, or chat tools that you’ve embedded on your site.
In short, cookies power convenience and personalisation. But they can also capture identifiers and user behaviour, which may be “personal information” under Australian privacy law.
When Do Cookies Involve Personal Information?
Under Australian privacy law, “personal information” is information or an opinion about an identified individual (or an individual who is reasonably identifiable). Cookies can fall into this category when they store or link to identifiers such as IP addresses, device IDs, login details, or detailed browsing behaviour tied to a person.
If your cookies only store purely technical data (and can’t be linked to a person), privacy risks are lower. However, most business websites use at least some cookies that touch personal information - especially where analytics, remarketing or user accounts are involved.
How Cookies Work On Your Website
Here’s the basic flow you can expect on a typical Australian business website:
- Your site (or a third‑party script you’ve installed) sets a cookie when a visitor lands on a page or engages with features.
- The cookie stores small pieces of data: for example, login state, a unique tracking ID, language preference, or marketing opt‑in status.
- On each page load or future visit, the browser sends the cookie back so your site can recognise the visitor and apply the right settings or content.
- If you use services like analytics or advertising pixels, third‑party cookies may also be set and can track behaviour across multiple sites.
Most of this happens in the background. That’s why the law focuses on transparency - you should tell users what’s happening, why it’s necessary, and what choices they have.
Do Australian Laws Regulate Cookies?
Australia doesn’t have a single “cookie law.” Instead, your obligations come from privacy, consumer and direct marketing rules that apply when cookies collect or are used with personal information.
Privacy Act 1988 (Cth) And The APPs
The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply to most larger businesses (generally those with annual turnover greater than $3 million), and to some smaller businesses in specific cases (for example, if you trade in personal information or provide health services).
If you are covered (an “APP entity”), your obligations include:
- Having a clearly expressed and up‑to‑date Privacy Policy that explains the kinds of personal information you collect (including via cookies), how you collect it, and how you use and disclose it.
- Being open and transparent about any overseas disclosures (common with certain analytics or cloud providers).
- Taking reasonable steps to protect personal information you hold.
- Allowing individuals to access and correct their personal information.
If you’re not an APP entity, adopting a clear Privacy Policy is still best practice. It improves transparency, aligns with customer expectations, and can help you meet obligations in other areas (like consumer law and platform requirements).
Is Consent Required For Cookies In Australia?
Australia does not currently require cookie banners by law in the same way as Europe’s GDPR. Consent isn’t mandated for every cookie. However, you should still provide clear notice about cookie use, and offer user choice for non‑essential cookies that collect personal information (for example, analytics or marketing pixels), especially if you want to respect user expectations and reduce compliance risk.
Consent may be necessary in some contexts - for example, if your website targets or regularly attracts users from overseas jurisdictions that require explicit consent (such as the EU). In those cases, a consent management platform and category‑level controls are sensible.
Spam Act 2003 (Cth) And Direct Marketing
Cookies themselves don’t trigger the Spam Act. But if you use cookies to build audiences and then send commercial emails or texts, those messages must comply with the Spam Act (consent, sender identification and a working unsubscribe). For practical guidance on direct marketing rules, see our overview of email marketing laws.
Australian Consumer Law (ACL)
Your disclosures must not mislead users. If your banner, pop‑up or policy says one thing but your site does another, you risk breaching the Australian Consumer Law, including the general prohibition on misleading or deceptive conduct. For context, read more about section 18 of the ACL.
Do You Need Cookie Banners Or Notices In Australia?
There’s no universal requirement for a cookie pop‑up in Australia. However, a simple banner or notice can be a practical way to meet transparency expectations - and to manage consent for non‑essential cookies if you decide to give users that control.
When A Cookie Banner Makes Sense
- You use analytics, advertising or remarketing cookies that collect personal information.
- You rely on third‑party tools that set or read cookies across sites.
- You attract international visitors (especially from the EU or UK), or you intentionally target those regions.
At a minimum, your banner should let users know cookies are used and link to your policies. Ideally, it also provides a way to manage preferences for non‑essential cookies.
What Should Your Disclosures Cover?
- What cookies and similar technologies you use.
- What information they collect and why (e.g. security, performance, analytics, advertising).
- Whether any data is disclosed overseas or to third‑party providers.
- How users can change their preferences or opt out.
These points belong in your Privacy Policy, and, if your website uses advanced tracking, a dedicated Cookie Policy can provide extra clarity.
Step‑By‑Step: Make Your Website Cookie Compliant
1) Audit Your Cookies And Tracking
- Scan your site to identify all first‑ and third‑party cookies and any similar technologies (like local storage or pixels).
- Record each item’s purpose, duration, and whether it collects personal information.
- Map which providers receive data (analytics, advertising networks, chat tools, CDNs) and where they’re located.
2) Classify And Minimise
- Group cookies as strictly necessary (essential for the site to work) or non‑essential (analytics, personalisation, advertising).
- Remove redundant trackers and switch to privacy‑enhancing settings where possible (for example, IP anonymisation in analytics).
- Delay loading the scripts that set non‑essential cookies until a user has had a chance to review and accept settings (if you’re implementing preferences).
3) Update Your Policies
- Make sure your Privacy Policy is easy to find and clearly explains cookie‑based collection, use, disclosure and user choices.
- Consider a separate Cookie Policy if you run extensive analytics or advertising, or if you want to provide category‑level detail.
- Ensure your Website Terms & Conditions reference how the site is used and point to your privacy disclosures.
4) Implement Notice (And Consent If Needed)
- Add a straightforward banner or in‑page notice explaining that cookies are used and linking to your policies.
- If you offer preference controls, let users accept only necessary cookies or selectively enable analytics/advertising categories.
- Keep a record of consent preferences if you rely on consent for non‑essential cookies or for overseas compliance.
5) Review Third‑Party Providers And Contracts
- Check the privacy settings in your analytics and advertising tools and use the most privacy‑protective configuration that still meets your needs.
- Ensure your agreements or terms with service providers cover privacy compliance and data handling. Where a provider processes personal information for you, a Data Processing Agreement can help set expectations.
6) Governance, Security And Training
- Limit access to analytics and marketing tools to trained staff, and review permissions regularly.
- Establish an internal process to assess new tracking tools before deployment (basic privacy impact assessment).
- Keep your cookie inventory and disclosures up to date - review at least annually, or whenever you add new tools.
7) Marketing Compliance
- Remember that cookies used to build marketing audiences are separate from your direct marketing obligations. If you send commercial emails or texts, follow the rules in Australia’s email marketing laws (consent, identification, unsubscribe).
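To show how steps 1, 2 and 4 fit together in practice, here is an added example (not code from the original article or from Sprintlaw) of a minimal consent-gated loader: it classifies each cookie-setting domain as first- or third-party, records the visitor’s choice in a first-party preference cookie, and only allows analytics or advertising scripts to load once that category has been explicitly accepted. The domain names, the tracker registry and the cookie name are constructed for illustration.

```javascript
// Added example (not from the original article): a small consent-gated loader
// for non-essential cookies, written as pure functions so it runs under Node.
// Domain names, the registry and the cookie name are constructed for illustration.
const CONSENT_COOKIE = "cookie_consent"; // first-party cookie recording the user's choice

// Constructed registry, as a cookie audit (step 1) would record it: which
// category each tool belongs to and which domain sets its cookies.
const TRACKER_REGISTRY = [
  { id: "session",   category: "necessary",   domain: "www.example.com.au" },
  { id: "analytics", category: "analytics",   domain: "analytics.example-vendor.com" },
  { id: "ads",       category: "advertising", domain: "ads.example-network.com" },
];

// First- vs third-party: is the cookie set by the site's own domain or a subdomain of it?
function cookieParty(setterDomain, siteDomain) {
  const own = setterDomain === siteDomain || setterDomain.endsWith("." + siteDomain);
  return own ? "first-party" : "third-party";
}

// Parse the browser's Cookie header and return stored preferences, or null
// when the visitor has not made a choice yet (no non-essential scripts run).
function readConsent(cookieHeader) {
  for (const pair of (cookieHeader || "").split(";")) {
    const [name, ...rest] = pair.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try { return JSON.parse(decodeURIComponent(rest.join("="))); } catch { return null; }
  }
  return null;
}

// Build the Set-Cookie value that records the choice: Secure and SameSite=Lax
// so it is only sent over HTTPS and not on cross-site requests; "necessary"
// is always true because essential cookies cannot be refused.
function buildConsentCookie(prefs, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify({ ...prefs, necessary: true }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; Secure; SameSite=Lax`;
}

// Decide which scripts may be injected: "necessary" always, every other
// category only with an explicit true (absent, false or no choice => withheld).
function scriptsToLoad(registry, prefs) {
  return registry
    .filter(t => t.category === "necessary" || (!!prefs && prefs[t.category] === true))
    .map(t => t.id);
}

// Walk-through: first visit (no choice) loads only the session tool; after opting into analytics only, ads stay off.
const chosen = buildConsentCookie({ analytics: true, advertising: false }).split(";")[0];
console.log(scriptsToLoad(TRACKER_REGISTRY, null), scriptsToLoad(TRACKER_REGISTRY, readConsent(chosen)));
```

In a real page the `scriptsToLoad` result would drive which `<script>` tags are appended to the document, and the `Set-Cookie` string would be written by your server (or via `document.cookie` without the `Secure`/`Max-Age` parts being any different).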
What Documents Should You Have In Place?
- Privacy Policy: Explains what personal information you collect (including via cookies), your legal basis for collection, how it’s used and disclosed, overseas transfers, and user rights. Start with a clear, tailored Privacy Policy.
- Cookie Policy: Optional but helpful. Sets out cookie categories, purposes, providers, durations, and how users can control settings. A concise Cookie Policy boosts transparency.
- Website Terms & Conditions: The “house rules” for using your site, including acceptable use, IP ownership, disclaimers and links to your privacy disclosures. See Website Terms & Conditions.
- Data Processing Agreement (where relevant): If a vendor processes personal information for you (e.g., analytics, hosting), a Data Processing Agreement helps allocate privacy and security responsibilities.
- Internal Policies: Team‑facing guidance on when new tracking tools can be added, how to configure them, and how to respond to user requests or complaints. This can sit within broader staff policies or a handbook.
Not every business needs all of these documents, but most will benefit from at least the first three. The right mix depends on your data flows, your tools, and your audience.
Consequences And FAQs: What Happens If You Get It Wrong?
What’s The Risk If I Don’t Comply?
- Regulatory complaints: Users can complain to the Office of the Australian Information Commissioner (OAIC) about privacy concerns.
- Reputational damage: Lack of transparency erodes trust and can impact conversion and retention.
- Enforcement action: APP entities can face investigations and penalties for serious or repeated interferences with privacy.
- Consumer law exposure: Inaccurate or misleading cookie disclosures may breach the ACL (including section 18).
Do I Need Consent For Every Cookie?
No. Australia does not require universal cookie consent. You should, however, be transparent and provide a practical way for users to manage non‑essential cookies that collect personal information. If you target regions that require explicit consent (like the EU), build a consent mechanism to meet those rules.
Are Cookies Considered Personal Information?
Often, yes. If a cookie contains or links to information that can identify someone (alone or in combination with other data), treat it as personal information and apply the APPs if you’re an APP entity.
Do Overseas Laws Apply To My Australian Website?
If you intentionally target users in countries with stricter rules (e.g. the EU/UK), those laws may apply to the activity. Even if you don’t target those regions, your site may still receive visits from there. Many Australian businesses choose to offer consent options to accommodate international traffic and reduce risk.
Is a Cookie Banner Legally Required In Australia?
No, not specifically. A banner is a practical way to provide notice and, if you choose, collect consent for non‑essential cookies. Think of it as a helpful tool to deliver transparency and user control, rather than a hard legal requirement in Australia.
What About Retargeting And Email Campaigns?
Cookies used for remarketing should be clearly disclosed. If you also send emails or SMS, ensure the campaign itself meets Australia’s email marketing laws (consent, identification, and a working unsubscribe) - separate from your cookie settings.
Key Takeaways
- Cookies are small files your site uses to remember users and improve experience - but many also collect personal information.
- Australia has no single “cookie law,” but the Privacy Act and Australian Consumer Law shape what you must disclose and how you handle personal information.
- Cookie banners aren’t universally required, yet clear notices and sensible user choices for non‑essential cookies are best practice and reduce risk.
- Audit and classify your cookies, minimise what you collect, and keep your Privacy Policy, Cookie Policy and Website Terms & Conditions up to date.
- Review your third‑party providers and consider a Data Processing Agreement where they process personal information for you.
- If you use email or SMS for marketing, comply with Australia’s email marketing laws - cookie settings don’t replace marketing consent rules.
If you’d like a consultation on website cookie compliance for your Australian business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligations chat.