Under Australia's updated Privacy Act, IP addresses, device IDs and cookie identifiers are now explicitly personal information. Pre-ticked consent boxes are restricted.
1 min read
What changed
The definition of personal information now explicitly includes IP addresses, device IDs and cookie identifiers
Consent must be voluntary, informed, current, specific and unambiguous
Pre-ticked boxes and dark patterns are restricted
Targeting children is prohibited except where it's in their best interests
What it means
Every Australian business running Google Analytics, Meta Pixel, LinkedIn Insight Tag or any tracking pixel is now collecting personal information under the expanded definition. If your cookie consent banner uses pre-ticked boxes or doesn't clearly explain what you're collecting, you're non-compliant. The "she'll be right" approach to AU privacy is over.
What to do
Audit your cookie consent implementation. Replace pre-ticked opt-ins with clear opt-in flows.
Update your privacy policy to explicitly cover device IDs and cookie identifiers.
If you're targeting users under 18 with ads, stop.
Check your CMP (OneTrust, Cookiebot, etc.) is configured for AU requirements, not just GDPR defaults.
Source: Privacy and Other Legislation Amendment Act 2024 via Didomi