Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
Australia Commonwealth of Australia


Australia — analytics & cookie compliance reference

What you can run on an Australia-targeted website without a fine — GA4, cookies, vendor stack, and the rules behind them. Federal Privacy Act + 13 APPs · 2024 reforms put serious teeth into enforcement.

Free reference · sources cited
// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Australia. English-language privacy notices presumed. Sectoral rules (health records, credit reporting, telecommunications) are touched only where they intersect with the analytics layer.

National addons

Country-specific statutes layered on the EU baseline.

Privacy Act 1988
Privacy Act 1988 (Cth) + 13 Australian Privacy Principles (APPs)
Federal privacy law covering Commonwealth agencies + private-sector organisations with annual turnover > AU$3M (plus health-service providers, credit reporting, TFN handlers, and traders in personal information regardless of size). 13 APPs cover the full lifecycle: open and transparent management, anonymity/pseudonymity, collection, notice, use/disclosure, direct marketing, cross-border, government identifiers, quality, security, access, correction.
  • APP 1 Open and transparent management — privacy policy must exist, be free, and cover collection/use/disclosure/access/complaints
  • APP 3 Collection — only what is reasonably necessary; sensitive info needs consent
  • APP 5 Notification of collection — at or before collection, including overseas disclosure
  • APP 6 Use or disclosure — limited to primary purpose unless consent or related secondary purpose within reasonable expectations
  • APP 7 Direct marketing — opt-out at every contact; sensitive info needs consent
  • APP 8 Cross-border disclosure — accountability for overseas recipient's APP-equivalent handling
  • APP 11 Security — reasonable steps to protect; destroy or de-identify when no longer needed
Act No. 119 of 1988, Schedule 1 (APPs); APPs replaced the IPPs and NPPs from 12 March 2014
NDB Scheme
Notifiable Data Breaches Scheme — Privacy Act Part IIIC
Mandatory notification to the OAIC + affected individuals when an eligible data breach is likely to result in serious harm. Assessment must be completed within 30 days of becoming aware. Applies to all APP entities. Distinct from GDPR's 72-hour rule — Australia uses a serious-harm threshold, not strict liability.
  • s 26WE Eligible data breach — unauthorised access/disclosure/loss + likely serious harm
  • s 26WH Assessment obligation — 30 days from suspicion to determination
  • s 26WK Notification to Commissioner + affected individuals — as soon as practicable
Privacy Amendment (Notifiable Data Breaches) Act 2017, in force 22 February 2018
Privacy Amendment 2012
Privacy Amendment (Enhancing Privacy Protection) Act 2012
Foundational reform that consolidated the IPPs (public sector) and NPPs (private sector) into the unified 13 APPs, introduced credit reporting reforms (Part IIIA), and gave the OAIC stronger investigative and enforcement powers (civil penalties up to AU$2.22M for serious or repeated interference). Set the architecture that the 2024 amendment reinforced.
  • Schedule 1 13 APPs replacing the 10 NPPs and 11 IPPs
  • Schedule 2 Credit reporting — Part IIIA reform
  • Part V OAIC powers — assessments, enforceable undertakings, civil penalty proceedings
Act No. 197 of 2012, in force 12 March 2014
Privacy Act 2024
Privacy and Other Legislation Amendment Act 2024
Most consequential privacy reform since 2014. Three pillars relevant to analytics: (1) penalties — maximum civil penalty for serious interference raised to the greater of AU$50M, 30% of adjusted turnover, or 3× the benefit obtained from the conduct; (2) statutory tort — new cause of action for serious invasions of privacy (commences within 6 months of assent); (3) automated-decision transparency — privacy policies must disclose substantially-automated decisions that significantly affect individuals. Subsequent tranches (children's privacy code, small-business threshold removal, fair-and-reasonable test) are flagged but not yet law.
  • Schedule 1 Pt 1 Civil penalty tiers — serious interference AU$50M / 30% turnover / 3× benefit
  • Schedule 2 Statutory tort for serious invasions of privacy — actionable per se
  • Schedule 1 Pt 14 Automated-decision transparency in APP 1 privacy policies
  • Schedule 1 Pt 15 Children's online privacy code — to be developed by OAIC
Act No. 130 of 2024, assented 10 December 2024 — first tranche of the long-awaited Privacy Act review reforms
Spam Act 2003
Spam Act 2003 (Cth)
Commercial electronic messaging — email, SMS, instant messaging. Three core requirements: (1) consent (express or inferred from existing business relationship), (2) sender identification (clear who sent it + valid contact details), (3) functional unsubscribe (working for at least 30 days, honoured within 5 business days). Note: Australia does not require double opt-in — a single express consent or qualifying inferred consent suffices. ACMA has fined major brands (Kmart, DoorDash, Optus, Commonwealth Bank, Ticketek) AU$3M–AU$10M each for unsubscribe failures.
  • s 16 Consent — express or inferred from existing business/customer relationship
  • s 17 Sender identification — accurate, clear, contactable for at least 30 days
  • s 18 Functional unsubscribe — present, working, no fee, no extra info collection beyond email/number
Act No. 129 of 2003; enforced by ACMA

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
OAIC · Office of the Australian Information Commissioner
Federal privacy regulator — Commonwealth agencies + private-sector entities subject to the Privacy Act. The Privacy Commissioner role was separated from the Information Commissioner in 2023, restoring a dedicated commissioner for privacy after years of combined office. Powers: investigate, conciliate complaints, accept enforceable undertakings, apply to Federal Court for civil penalties, issue determinations, conduct assessments, develop APP guidelines.

Coordination body

OAIC + state privacy authorities · Federal–state coordination on privacy and information access
The Privacy Act 1988 covers Commonwealth agencies + private-sector organisations meeting the threshold; state and territory public sectors are governed by their own privacy laws and DPAs. Coordination is informal but active, especially on cross-jurisdictional incidents and joint guidance. Private-sector controllers in any state generally answer to the OAIC; state DPAs handle their own public-sector entities (hospitals, schools, councils, agencies).
  • 2023-08-15 · OAIC + state DPAs joint statement on health-data breach response — OAIC, NSW IPC, OVIC and Qld OIC issued coordinated guidance on cross-jurisdictional health-data breach handling — encouraging joint investigations where private health providers and state-funded hospitals overlap.
  • 2024-09-12 · OVIC + OAIC joint position on AI and privacy — Victoria's OVIC and federal OAIC published aligned guidance on generative-AI use in regulated sectors — both endorsing privacy impact assessments before deployment and rejecting blanket consent for unspecified AI training uses.
  • 2025-03-04 · NSW IPC + OAIC alignment on automated-decision disclosure — Following the December 2024 amendment, NSW IPC indicated it would adopt OAIC's automated-decision disclosure guidance for state-sector controllers — reducing fragmentation across jurisdictions.

Notable enforcement

Australian privacy enforcement was historically constrained by a maximum civil penalty of AU$2.22M per contravention — small enough that even Australia's largest breaches rarely produced fines that grabbed boardroom attention. The 2022 Optus and Medibank breaches changed the political calculus overnight. Within weeks of Medibank's October 2022 disclosure, Parliament passed the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 lifting the penalty ceiling to AU$50M / 30% of adjusted turnover / 3× benefit obtained — whichever is greater. The December 2024 Privacy and Other Legislation Amendment Act codified that ceiling permanently and added a statutory tort for serious invasions of privacy that operates independently of the Privacy Act, opening direct civil litigation as a parallel enforcement track. The OAIC's June 2024 Federal Court representative complaint against Medibank is the first major test of post-amendment penalties — outcome pending. Telecommunications carriers face overlapping ACMA enforcement under the Telecommunications Consumer Protections Code, which is how Optus drew an additional AU$1.5M ACMA fine separate from the OAIC investigation.

  1. 2024-12 · €4.2M · Commonwealth Bank · ACMA · Spam Act s 18 · status: stood

    AU$7.5M fine (~€4.15M) for sending ~170M marketing emails over 4 years without functional unsubscribe or with non-compliant sender identification. Largest Spam Act fine to date. Part of ACMA's enforcement focus on banks and retailers post-2023.

  2. 2023-05 · €920k · Optus (Singtel Optus) · OAIC + ACMA · APP 11, TCP Code · status: stood (ACMA); OAIC ongoing

    Concurrent investigations into the September 2022 breach exposing ~10M records (passport, licence, Medicare numbers). ACMA imposed AU$1.5M fine for telco identity-verification failures (~€920K). Separate OAIC representative complaint pending — Federal Court class actions also underway.

GA4 status

GA4 is generally usable on Australia-targeted websites with appropriate notice (APP 5) and reasonable steps to protect data (APP 11). The OAIC has not issued a CNIL-style determination against GA4 — Australia's regulator is markedly more pragmatic than EU DPAs. Cookie consent is not a hard prerequisite under Australian law (no ePrivacy equivalent), but APP 6 requires use to be within reasonable expectations and APP 8 governs transfers to Google's US servers. The 2024 amendment's automated-decision transparency obligation applies if GA4-derived data feeds substantially-automated decisions about individuals.

DPA · Stance
OAIC · Pragmatic — privacy notice + reasonable security expected; no consent-banner mandate. Increased scrutiny of cross-border disclosures and automated-decision use.
OVIC (Vic) · Aligned with OAIC for private sector; stricter for state-sector controllers using GA4 — public-sector PIA expected.
NSW IPC · Public-sector focus; private-sector deferred to OAIC. Notes APP 5 notification adequacy as the most-cited gap.
Qld OIC · Public-sector focus; aligned with OAIC for cross-jurisdictional matters.

Cross-border transfers + Schrems II

Australia has no formal adequacy regime equivalent to the EU DPF. APP 8 (cross-border disclosure) operates on an accountability principle — the Australian discloser remains responsible for the overseas recipient's handling unless the recipient is subject to a substantially-similar privacy regime, the individual consents after notification, or other narrow exceptions apply. The 2024 amendment did not introduce adequacy decisions but the Privacy Act review's later tranches are expected to add a cross-border transfer impact assessment requirement and possible whitelist mechanism.

No mandated SCC template. Best practice in Australian privacy transfer agreements mirrors APP 8 obligations contractually — onward-transfer restrictions, security commitments, breach-notification cooperation, audit rights, and dispute resolution. Many controllers layer GDPR Module 2 SCCs on top when the recipient is also subject to GDPR, but this is voluntary in Australian law.

Employee data

Key thresholds

Child consent age
15 years
Article 27 representative
Not required
Marketing consent
Single opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 12 · 6 green · 5 yellow · 1 red
Vendor · Status · Rationale
GREEN · Cookieless by design. EU-routed via Cloudflare. No DPA required for Lite tier (no PII).
GREEN · Self-hosted on your infrastructure. Full data control, configurable IP anon. Meets every jurisdiction with cookieless config.
GREEN · EU-hosted with cookieless mode available. With cookies disabled qualifies for §25(2) exception in Germany.
GREEN · German-hosted, cookieless, GDPR-aligned by design.
GREEN · EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required.
GREEN · Open-source, cookieless, fully self-hostable. Default-green when self-hosted.
YELLOW · Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
YELLOW · EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
YELLOW · APP 8 cross-border accountability; Privacy Act reform pending.
YELLOW
YELLOW · EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
RED · Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
GREEN · Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
GREEN · Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
GREEN · Open-source, self-hosted. No managed updates — site owner maintains vendor list.
GREEN · GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
GREEN · German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Tag managers · 1 · 0 green · 1 yellow · 0 red
Vendor · Status · Rationale
YELLOW · Container only — verdict depends on which tags fire and when. Block until consent. Server-side GTM in EU recommended.
Session replay · 3 · 0 green · 3 yellow · 0 red
Vendor · Status · Rationale
YELLOW
YELLOW
YELLOW
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
RED · Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
RED · Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
RED · PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
GREEN · EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
GREEN · EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
YELLOW · "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.


Common questions

Is Google Analytics legal in Australia in 2026?
Yes, in most cases. The OAIC has not issued a determination against GA4 and Australia has no ePrivacy-style cookie-consent regime. You need: (1) an APP 5 collection notice that names Google Analytics and the US disclosure, (2) APP 8 cross-border accountability — Google's contractual terms generally satisfy this, (3) APP 6 use within reasonable expectations. GA4 is yellow rather than green because the 2024 amendment introduced automated-decision transparency obligations that bite when GA4-derived audiences feed automated targeting.
Does the Privacy Act apply to my small business?
Maybe. The Privacy Act applies to (a) Commonwealth agencies, and (b) private-sector organisations with annual turnover > AU$3M. Below the threshold, you are still caught if you: handle health information, are a credit reporting body or credit provider, hold tax file numbers, trade in personal information, or are a contracted service provider for a Commonwealth contract. The 2024 review's later tranches are expected to remove the small-business exemption entirely — most commentators expect this within 2 years. Plan as if it will apply.
What is the employee records exemption and does it apply to my analytics?
The Privacy Act exempts an employer's acts and practices that are directly related to a current or former employment relationship and to an employee record (s 7B(3)). This is Australia's most distinctive privacy rule and has no GDPR equivalent. Practically: HR analytics, productivity tracking, internal-dashboard Hotjar deployments are largely outside the APPs for current employees. But it does not cover prospective employees (recruitment is in scope), contractors, sensitive information outside the employment context, or the new 2024 statutory tort for serious invasions of privacy. Treat the exemption as time-limited — repeal is on the reform roadmap.
What changed with the 2024 Privacy Act amendment?
Three things matter for analytics: (1) maximum civil penalty for serious interference rose to the greater of AU$50M / 30% of adjusted turnover / 3× benefit obtained — this codifies the interim 2022 ceiling, (2) a statutory tort for serious invasions of privacy commenced within 6 months of the December 2024 assent, opening direct civil claims independent of the OAIC, (3) APP 1 privacy policies must now disclose substantially-automated decisions that significantly affect individuals — relevant if you feed analytics into pricing, eligibility, or lending decisions.
What is the Notifiable Data Breaches 30-day window?
Under Privacy Act Part IIIC (in force since 22 Feb 2018), once you suspect an eligible data breach you have 30 days to assess whether it is in fact eligible (i.e. unauthorised access/disclosure/loss + likely serious harm). If eligible, notify the OAIC and affected individuals as soon as practicable. This is more generous than GDPR's 72-hour rule but uses a serious-harm threshold rather than strict liability — many breaches that would be GDPR-notifiable are not NDB-notifiable in Australia. Document your assessment either way; the OAIC reviews assessment quality.
What happened with Optus and Medibank?
Optus (September 2022) exposed ~10M records — passport, driver licence, Medicare numbers — through an unauthenticated API. ACMA fined Optus AU$1.5M for telco identity-verification failures; OAIC representative complaint and class actions are ongoing. Medibank (October 2022) was a ransomware breach exposing ~9.7M records including health-claim data, with the attacker publishing data on the dark web after Medibank refused to pay. The OAIC commenced a Federal Court representative complaint in June 2024 — the first major post-amendment civil penalty action with potential exposure into the billions under the 30%-turnover formula. Together these breaches drove the December 2022 interim penalty increase and the December 2024 codified reform.
What is the child consent age in Australia?
OAIC guidance treats 15 as the default threshold for children to consent independently to the handling of their personal information — younger children require parental or guardian consent. This is not codified in the Act with a sharp number (unlike GDPR's 16 / configurable to 13). The 2024 amendment mandates an OAIC-developed Children's Online Privacy Code which is expected to formalise the threshold and add platform obligations. Until that code is finalised, treat 15 as the working baseline and document parental-consent flows for younger users.
Do I need a DPO in Australia?
No. The Privacy Act does not mandate a Data Protection Officer or equivalent role at any threshold. The OAIC strongly recommends appointing a Privacy Officer with named contact details (often surfaced through the APP 1 privacy policy) — this is the practical equivalent. Larger organisations and federally-regulated entities frequently appoint a Chief Privacy Officer voluntarily, and the role has become de facto expected for any controller > AU$50M turnover or handling sensitive information at scale.
Do I need an Australian representative if my business is overseas?
No representative regime exists. Australia uses extraterritorial applicability instead — the Privacy Act applies to overseas organisations that have an Australian link (carrying on business in Australia and collecting/holding personal information about Australians). The 2024 amendment confirmed and clarified this reach. There is no equivalent of GDPR Art 27 representative designation. Overseas controllers should ensure they have an Australian-resident Privacy Officer point-of-contact for OAIC correspondence, even if not formally required.
What does the Spam Act require for email marketing?
Three things, no double opt-in: (1) consent — express (someone explicitly agreed) or inferred (existing business or customer relationship plus message reasonably related to it), (2) sender identification — the message must accurately identify the sender with valid contact details that remain functional for at least 30 days, (3) functional unsubscribe — present in every commercial message, working without fee, processed within 5 business days, no extra information collected beyond the email/number being unsubscribed. ACMA enforces aggressively — AU$3M–AU$10M fines against Kmart, DoorDash, Optus, Commonwealth Bank, Ticketek for unsubscribe failures. The Spam Act overlay sits on top of APP 7 (direct marketing); compliance with one does not cure breach of the other.

// EDITORIAL · NOT LEGAL ADVICE This page summarises Australia's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.