Cookies and Australian privacy laws
A cookie is a piece of text data that is produced by a web server and exchanged with a particular device each time a user accesses a website.
Cookies make it possible for websites to restore the preferences of returning users, track online purchases or work interactively.
The Association for Data-driven Marketing & Advertising’s (ADMA) Director – Legal and Regulatory Affairs, Daad Soufi, says cookies usually make using websites easier and more enjoyable.
“Without cookies, you would have slower and less user-friendly websites. Consumers feel the benefit of cookies but most don’t realise that, without them, their online experience wouldn’t be as positive,” she says.
Soufi adds that most online users aren’t aware that websites are using cookies.
She says businesses’ privacy policies should be clear about how they are using cookies, and businesses should make it easy for users to get this information.
It is also vital that the cookies do not use any personal information or allow the user to be identified, as that would be in breach of the Privacy Act, Soufi adds.
Remarketing and Australian privacy laws
“An individual might visit the website of company A, then go on to the website of company B, but be served an advert for company A,” Soufi explains.
Remarketing is done via various ad networks, including Google AdWords. Remarketing adds a piece of code or a remarketing tag to the pages of a website. When visitors come to that site, they are added to the remarketing list and the business can then target those users while they browse other websites.
According to Soufi, using cookies for remarketing would not fall under the Privacy Act, provided the cookies do not hold any personal information that would allow the user to be identified.
“If an organisation has a demarcation between its cookies and its identification of an individual, that is not personal information and is not subject to the Privacy Act,” she explains.
Do I need cookie pop-ups?
This is because companies based in Europe are regulated by the EU ePrivacy Directive, which came into force in 2011. This requires websites to get online visitors’ informed consent before placing a cookie on their device.
This is not, however, a requirement under Australian law.
- Organisations need to know with certainty whether cookies are used in a completely anonymous manner.
- If cookies are completely anonymous, that should be clear in the policy.
- If there is a chance of cookies being linked with other data and potentially identifying a person, the combined data would form a body of data that is personal information; organisations need to know if this is happening.
- Remarketing using online banners should be described as part of your marketing practices.
- If you are using remarketing banner advertising, consider including an icon that directs users to an opt-out preference centre.