GDPR
Category: Data & Tracking. Also known as: General Data Protection Regulation · EU Privacy Law
Quick definition
The European Union's comprehensive data protection regulation that governs how organisations collect, store and use personal data of EU residents — regardless of where the organisation is based.
Where it shows up in the data
GDPR applies to any organisation processing personal data of people in the EU, regardless of where the organisation is located. An Australian business with EU customers must comply.
GDPR requires a lawful basis for every data processing activity: consent, contract, legal obligation, vital interests, public task or legitimate interests. Consent must be freely given, specific, informed and unambiguous.
EU residents have rights including: access to their data, correction of inaccurate data, erasure ('right to be forgotten'), portability and the right to object to processing. Businesses must have processes to respond to these requests.
Australia has its own Privacy Act 1988 with Australian Privacy Principles (APPs). While similar in spirit to GDPR, the APPs have different requirements. The Privacy Act is being updated with GDPR-like provisions — Australian businesses need to track both.
What it actually means
GDPR is the EU's landmark data protection law that came into effect in May 2018. It sets out how organisations can collect and use personal data of EU residents and gives those residents significant rights over their data. For marketing purposes, the most relevant requirements are around consent for tracking cookies, email marketing opt-in and the right to unsubscribe and have data deleted. For Australian businesses, GDPR is relevant if any EU residents visit your website, purchase your products or are on your email list.
For Australian businesses with European customers, GDPR is not just a European problem. It is your problem too.
How it shows up
GDPR compliance issues show up as: EU visitors with no consent record in your CMP, Google Analytics data missing from EU geographies, Meta Ads custom audiences without valid consent logs, and email databases that lack proper opt-in records for EU contacts.
The Australian context
Australia's Privacy Act 1988 applies to businesses with annual turnover over $3 million (with some exceptions). The Office of the Australian Information Commissioner (OAIC) enforces it. The Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill is bringing Australian law closer to GDPR standards, including increased penalties and a direct right of action for individuals.
Common questions
Does GDPR apply to Australian businesses?
Yes, if you process personal data of EU residents. This includes website analytics, email marketing lists and any data collected from EU visitors or customers. If you have EU traffic or customers, seek legal advice on your GDPR obligations.
What is the difference between GDPR and the Australian Privacy Act?
Both protect personal data, but GDPR is more prescriptive with stricter consent requirements, more individual rights and higher penalties. The Australian Privacy Act is being updated to align more closely with GDPR but is currently less stringent in some areas.
Do I need a cookie consent banner for Australian visitors?
Strictly speaking, GDPR cookie consent is required for EU visitors. Australian Privacy Act requirements around cookies are less explicit. However, best practice (and increasingly what Google and Meta require for advertising features) is to implement proper consent management for all visitors.
About New Rebellion
New Rebellion is a marketing intelligence consultancy. We build tools, score Australian businesses on how their marketing actually performs, and publish Debrief every day. This dictionary is part of how we work in the open.