(Cth) Require Consent for Online Tracking
Author: Anamarie Raič, Despina Pavlou & Hamish Wallace | Publish date: 28/4/2026
P: In Australia, websites and apps are not required to request explicit consent before collecting data to track individuals.
S: The Attorney-General should amend Australian Privacy Principle 3 in Schedule 1 of the Privacy Act 1988 (Cth) to prohibit the collection of personal information via non-essential cookies and other tracking technologies without first gaining explicit consent.
E: Associate Professor Katharine Kemp: ‘A plain default rule that cookies and similar tracking technologies must not be used without clear, unequivocal and active consent is appropriate, except for strictly necessary cookies and technologies used for functionality.’
Problem Identification:
Australian Privacy Principle 3 in Schedule 1 of the Privacy Act 1988 (Cth) (the Act) states that relevant entities ‘must collect personal information only by lawful and fair means’ and limit collection to what is ‘reasonably necessary for [their] functions or activities’. This is understood to allow the collection of personal information through online tracking methods as soon as a website or app is accessed.
The Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry stated that the Act ‘does not contain sufficient mechanisms to allow consumers to understand and control how their data is collected [online] and for what purposes.’
Context:
The most common form of online tracking is cookies, which are ‘small files that web pages save to your device.’ Essential cookies are required for websites to function. In contrast, non-essential cookies are used for analytics and advertising tracking, typically through third-party services.
Other tracking technologies used by websites and apps include ‘web beacons or pixel tags’, ‘device or browser fingerprinting’, ‘mobile device tracking’ (including for approximate or precise location), and ‘cross-device tracking’.
NordVPN found that Australian websites use an average of 18.6 trackers to collect data.
Arguments:
A survey by the Office of the Australian Information Commissioner (OAIC) from 2023 found that ‘84% [of Australians] want more control … over the collection and use of their personal information’, and noted that 50% of people ‘feel they have no choice but to hand over their personal information … to access a service’. James Patto from Scildan Legal described online tracking as an ‘opaque data-sharing ecosystem’ where ‘consent is often meaningless or absent’ and ‘control and accountability are fragmented’. According to a Consumer Policy Research Centre (CPRC) survey from 2020, ‘94% of Australian consumers are uncomfortable with how their personal information is collected and shared’. An Australian Economic Review (AER) article noted that ‘people are barely aware of the extent to which their personal information is collected and shared; nor do they have full control over their personal information.’
According to the Australian Signals Directorate, ‘the more personal data from customers that businesses hold the more … risk if a data breach occurs.’ The OAIC stated that ‘data breaches can cause significant harm in multiple ways’, as victims ‘may be at risk of serious harm … to their physical or mental well-being, financial loss, or damage to their reputation.’ In 2023, The Observer found that 20 National Health Service trusts in the UK had installed Meta’s Pixel tracker on their websites, ‘sharing intimate details about patients’ medical conditions, appointments and treatments with Facebook without consent and despite promising never to do so.’ Former Australian Information Commissioner and Privacy Commissioner Angelene Falk stated that the ‘increased occurrence of incidents that affect multiple parties is a reason … data breaches [are growing] in complexity, scale and impact,’ particularly when personal information handling is outsourced to third-party providers.
The AER article noted that stricter privacy laws ‘may help protect privacy but stifle innovation and competition, and harm data-driven businesses.’ However, Australian Privacy Commissioner Carly Kind argued that ‘good privacy practices and clear laws will support innovation’ because a ‘more productive economy is contingent upon Australian consumers confidently participating in the digital economy and businesses retaining the trust of their customers’. Falk argued that ‘trust based on an organisation’s solid privacy foundations will play a fundamental role in supporting successful innovation’. The AER article suggested ‘that a desirable cookie policy is the one that leads to the collection of more data types with larger benefits [for firms] and lower privacy costs [for consumers].’
Advice/Solution Identification:
Kemp, the ACCC's Digital Platforms Inquiry, the CPRC, and Digital Rights Watch have all called for requiring consent for online tracking. According to the ACCC, ‘a requirement to obtain consent … will both increase the transparency of information processing and significantly reduce the … power imbalance between consumers and [digital platforms]’. They stated this ‘assists consumers to make rational and informed choices about which digital platform service to use’, and noted that ‘strong privacy protections … can promote competition, innovation, and the welfare of individual consumers’.
Precedent:
There is international precedent for requiring consent for online tracking. In the EU, ‘“consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes’.
Public support:
This list reflects publicly stated positions and should not necessarily be taken as endorsement of this specific brief.
News Coverage:
The Conversation - “What does it mean to ‘accept’ or ‘reject’ all cookies, and which should I choose?” The article explained what cookie consent options mean and how they affect online privacy. By: Ahmed Ibrahim and David Cook | 19 May 2025 - Read the article here.
The Guardian - “Get a VPN and delete your cookies, Australia’s privacy laws are still lagging behind”. The article highlighted weaknesses in Australia’s privacy laws, with consumer protections delayed due to industry lobbying. By: Paul Karp | 9 September 2024 - Read the article here.
Forbes - “94 Billion Stolen Browser Tracking Cookies Published To Dark Web”. The article analysed the ramifications of stolen cookies and outlined practical mitigation strategies. By: Davey Winder | 27 May 2025 - Read the article here.
News.com.au - “Aussies’ private data being shared without consent through online advertisers exposing them to scammers”. The article covered data collection, data reselling, and scam risks in an Australian context. By: Emma Kirk | 4 October 2024 - Read the article here.
Where to go to learn more:
(2019) Digital Platforms Inquiry | Australian Competition and Consumer Commission - This inquiry covered a wide variety of issues surrounding digital platforms and made several recommendations, including requiring consent for online tracking. Read the full report here.
(2022) Privacy Act Review Report | Attorney-General’s Department - This report discussed proposals for ongoing Privacy Act 1988 (Cth) reforms, including consent for online tracking. Read the full report here.
(2023) Australian Community Attitudes to Privacy Survey | Office of the Australian Information Commissioner - This report contained the results of a broad survey that covered public attitudes towards many aspects of privacy and data collection. Read the full report here.
(2024) ‘Singled Out’ Report | Consumer Policy Research Centre - This report explored consumer understanding of privacy notices and the impacts of data broking. Read the full report here.
Privacy Act 1988 (Cth) - Read the full Act here.
Human Perspective:
Emily is a 28-year-old who enjoys online shopping and browsing social media. She always made sure to ‘reject all’ tracking when presented with a website pop-up, but was unaware that most websites in Australia track without asking or even notifying users. This meant her personal data, including her location, purchases, and online habits, was still being shared hundreds of times a day, often through unknown third parties. One afternoon, she received a warning message claiming to be from her bank. It was particularly convincing because it referenced her postcode and brands she had recently shopped at. Believing it to be legitimate, Emily used the included phishing link to view her account, which quietly provided her banking information to the scammers. A series of fraudulent purchases was rapidly made using her account before Emily realised what had happened. The subsequent month-long effort to secure her banking and reclaim her lost finances left Emily anxious, stressed, and exhausted. She no longer knows who she can trust online.
To protect the anonymity of those involved, this is a fictionalised account drawn from an amalgamation of real-life stories, experiences and testimonials gathered during the research process for this brief. Any resemblance to actual individuals is purely coincidental.
Conflict of interest/acknowledgment statement:
N/A
Support
If your organisation would like to add your support to this paper or suggest amendments, please email Info@foreaustralia.com.
Disclaimers
Please review all FORE disclaimers here.
Reference list:
Australian Competition and Consumer Commission. (2019). Digital platforms inquiry: Final report. https://www.accc.gov.au/system/files/Digital%20platforms%20inquiry%20-%20final%20report.pdf
Australian Competition and Consumer Commission. (2022). Digital platform services inquiry: Interim report No. 5 – Regulatory reform. https://www.accc.gov.au/system/files/Digital%20platform%20services%20inquiry%20-%20September%202022%20interim%20report.pdf
Australian Signals Directorate. (2023, August 30). Data breaches. https://www.cyber.gov.au/threats/types-threats/data-breaches
Australian Signals Directorate. (2025, July 23). Securing customer personal data. https://www.cyber.gov.au/business-government/small-business-cyber-security/securing-customer-personal-data
Consumer Policy Research Centre. (2020). Response to Privacy Act review issues paper [Submission to the Attorney-General’s Department]. https://www.ag.gov.au/sites/default/files/2021-01/consumer-policy-research-centre.PDF
Consumer Policy Research Centre. (2020, December 7). CPRC 2020 data and technology consumer survey. https://cprc.org.au/report/cprc-2020-data-and-technology-consumer-survey/
Das, S. (2023, May 28). NHS data breach: Trusts shared patient details with Facebook without consent. The Guardian. https://www.theguardian.com/society/2023/may/27/nhs-data-breach-trusts-shared-patient-details-with-facebook-meta-without-consent
Das Chaudhury, R., & Chongwoo, C. (2023). Digital privacy: GDPR and its lessons for Australia. Australian Economic Review, 56(2), 204–220. https://doi.org/10.1111/1467-8462.12506
Digital Rights Watch. (n.d.). The privacy pledge. https://digitalrightswatch.org.au/the-privacy-pledge/
Globytė, E. (2022, October 31). NordVPN research: Which countries’ websites have the most trackers? NordVPN. https://nordvpn.com/blog/nordvpn-research-website-trackers/
Ibrahim, A., & Cook, D. (2025, May 19). What does it mean to ‘accept’ or ‘reject’ all cookies, and which should I choose? The Conversation. https://theconversation.com/what-does-it-mean-to-accept-or-reject-all-cookies-and-which-should-i-choose-256219
Kemp, K. (2021). The absence of competition in the privacy terms of online marketplaces [Submission to the Australian Competition and Consumer Commission]. https://www.accc.gov.au/system/files/Dr%20Katharine%20Kemp%20%2816%20August%202021%29.pdf
Kind, C. (2025, July 31). Getting AI right benefits businesses, productivity and the community. Office of the Australian Information Commissioner. https://www.oaic.gov.au/news/blog/getting-ai-right-benefits-businesses,-productivity-and-the-community
Office of the Australian Information Commissioner. (2022, May 1). Privacy in focus as the foundation of trust this Privacy Awareness Week. https://www.oaic.gov.au/news/media-centre/privacy-in-focus-as-the-foundation-of-trust-this-privacy-awareness-week
Office of the Australian Information Commissioner. (2023, August 8). Australian community attitudes to privacy survey 2023. https://www.oaic.gov.au/engage-with-us/research-and-training-resources/research/australian-community-attitudes-to-privacy-survey/australian-community-attitudes-to-privacy-survey-2023
Office of the Australian Information Commissioner. (2024, February 22). Data breach report highlights supply chain risks. https://www.oaic.gov.au/news/media-centre/data-breach-report-highlights-supply-chain-risks
Office of the Australian Information Commissioner. (2025, February). Part 1: Data breaches and the Australian Privacy Act. https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/preventing-preparing-for-and-responding-to-data-breaches/data-breach-preparation-and-response/part-1-data-breaches-and-the-australian-privacy-act
Patto, J. (2025, July 4). The hidden privacy risks of pixels, cookies and third-party sharing. Scildan Legal. https://www.scildanlegal.com.au/blog-posts/the-hidden-privacy-risks-of-pixels-cookies-and-third-party-sharing
Privacy Act 1988 (Cth). https://www.legislation.gov.au/C2004A03712/latest/text
Regulation 2016/679. Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
Solo, A. (2025, June 13). Creating a cookie policy for your Australian business website. Sprintlaw. https://sprintlaw.com.au/articles/creating-a-cookie-policy-for-your-australian-business-website/
Zahra, M. (2026, April 24). I have a website. Do I need a cookie consent pop-up? LegalVision. https://legalvision.com.au/cookie-consent-pop-up/#what-is-the-australian-law-regarding-cookies



