Australian Privacy Act

Privacy Act 1988, as amended by the Privacy and Other Legislation Amendment Act 2024

Key Facts

Effective Date: December 10, 2024
Enacted: January 1, 1988
Enforcing Authority: Office of the Australian Information Commissioner (OAIC)
Consent Model: Opt-in
Fulfillment Time: 30 days
Applies To: Government agencies and private organizations with >AUD 3M turnover (with exceptions for health, credit, and PI trading)

Overview

Australia's December 2024 amendments are the most significant update to the Privacy Act since 1988. Personal information now explicitly includes technical identifiers like IP addresses, device IDs, and cookie identifiers. Consent must be voluntary, informed, current, specific, and unambiguous. Pre-ticked boxes and dark patterns are prohibited.

What This Means for Your Website

  • Cookies, IPs, and device IDs are now explicitly personal information under Australian law
  • Consent must be voluntary, informed, current, specific, and unambiguous
  • Pre-ticked boxes, vague wording, and dark patterns are restricted
  • Penalties can reach AUD 50 million, 3x benefit obtained, or 30% of turnover
  • A new statutory tort for serious privacy invasion creates a private right of action
  • A Children's Online Privacy Code must be developed by December 2026
  • The small business exemption (under AUD 3M turnover) remains but is under review

Key Requirements

The OAIC enforces the Privacy Act with the power to issue compliance and infringement notices directly. Penalties reach the greater of AUD 50 million, three times the benefit obtained, or 30% of adjusted turnover. Automated decision-making transparency requirements commence December 2026. Breach notification has been mandatory since February 2018.

How ConsentStack Handles This

ConsentStack detects Australian visitors and applies the strengthened consent requirements. All cookies are treated as personal information per the 2024 amendments, with no pre-ticked boxes or dark patterns.

Penalties

Bodies corporate: greater of AUD 50M, 3x benefit, or 30% of adjusted turnover. Individuals: up to AUD 2.5M. New tiered civil penalty process.

Maximum Fine: A$50,000,000 aggregate

Key Requirements

  • Consent must be voluntary, informed, current, specific, and unambiguous
  • Pre-ticked boxes, vague wording, and dark patterns restricted
  • Personal information includes IPs, device IDs, cookie identifiers
  • Mandatory data breach notification
  • New statutory tort for serious invasion of privacy
  • Children's Online Privacy Code to be developed by December 2026

Notable Provisions

  • December 2024 amendments — most significant ever
  • IPs, device IDs, cookies now explicitly personal information
  • AUD 50M or 30% of turnover penalties
  • New statutory tort creates private right of action
  • Small business exemption (under AUD 3M) still in place

Data Subject Rights

Access your data: 30 days

Right to access personal information held by an organization under APP 12

Correct your data: 30 days

Right to request correction of personal information under APP 13

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Indonesia PDP Law (Indonesia)
Indonesia's first comprehensive data protection law provides individuals greater control over personal data. Explicit, informed, specific consent is required including for cookies collecting personal data. Despite the transitional period ending October 2024, the Indonesian DPA has not yet been established, creating a current enforcement gap.

Frequently Asked Questions

What changed in Australia's Privacy Act in 2024?

The most significant amendments since 1988: personal information now explicitly includes cookies, IPs, and device IDs. Consent standards were strengthened. A statutory tort for privacy invasion was created.

Are cookies now personal information in Australia?

Yes. The December 2024 amendments explicitly include IP addresses, device IDs, and cookie identifiers in the definition of personal information.

What are Australia's privacy penalties?

The greater of AUD 50 million, three times the benefit obtained, or 30% of adjusted turnover during the relevant period.

Does Australia have a private right of action?

Yes. The new statutory tort for serious invasion of privacy creates a private right of action, commencing by June 2025.
