Updated May 4, 2020.
Your website has cookies – most websites do. Your website likely has both first-party cookies (necessary for the basic functions of your domain) and third-party cookies (for analytics and marketing purposes).
This means that your website – like most websites in the world today – is faced with protecting its users’ privacy on the one hand and processing their personal information for website optimization and marketing on the other.
But your website has many hidden cookies and trackers from third-party companies that harvest personal data from your users, and these can create a real liability for your website, company or organization.
A 2020 study of more than ten thousand websites shows the difficulties for website owners of being compliant –
72% of cookies are set by fourth parties, also known as trojan horses, that are loaded in secret by the embedded third-party cookies.
18% of cookies are deeper trojan horses, i.e. derive from secretly loaded fifth, sixth, seventh or eighth parties.
50% of trojan horses will have changed and have different trackers on repeated visits.
In Australia, privacy policies must list all cookies and trackers embedded on a website, even the hidden ones.
These findings make it very clear how difficult it is for website owners to know exactly what goes on on their domain without deep-scanning technology that can uncover not only third-party trackers, but all the trojan horses that third-party cookies load unbeknownst to you, the website owner.
This is where Cookiebot comes in.
Cookiebot is a deep-scanning technology developed to enable website owners to detect all cookies and trackers and take control of them to protect the privacy of their users and obtain compliance with data protection laws across the world.
When you implement Cookiebot on your website, it automatically scans your entire domain and all of its subpages. After it has found all there is to find, Cookiebot takes automatic control of all cookies (including third-party cookies and the trackers they secretly load).
Cookiebot’s unmatched website scanner can help you obtain compliance with Australia’s data laws and their requirements for your privacy policies to inform exhaustively about all cookies, trackers and other ways you collect, process and share personal information on your website.
Protect your website, its users and their personal information with Cookiebot’s deep-scanning technology.
With Cookiebot, you can rest assured that all cookies, trackers and trojan horses will be found and control of them handed over to you.
Cookiebot also enables compliance with both the EU’s GDPR and California’s CCPA –
In the EU, the General Data Protection Regulation (GDPR) requires websites to obtain and securely store the explicit consent of users before any collection of their personal data is allowed to take place. You must be compliant with the GDPR if you have visitors to your website from inside the EU.
In the US, the California Consumer Privacy Act (CCPA) requires businesses to give more control to California residents over the personal information they generate online, including giving them an option to opt out of having their data sold to third parties.
Australia’s Privacy Act of 1988 is the main piece of data protection legislation on the continent. Though it originally dates from 1988, it has been amended more than thirty times.
It regulates all companies, organizations and websites that operate in Australia and creates a national standard for collecting, processing and sharing personal information.
The Privacy Act does this by creating the so-called Australian Privacy Principles (APPs) – a set of thirteen codes of conduct that must be followed in order to be compliant with the Act. These are the backbone of personal data protection for websites that operate in Australia.
Enforcement of the Privacy Act and the Australian Privacy Principles falls to the Office of the Australian Information Commissioner (OAIC), which guides companies in legal compliance, investigates breaches and enforces the privacy law.
Fines for non-compliance and breaches of Australia’s Privacy Act can reach $10 million.
The Australian Privacy Principles (APPs) create a legal landscape for websites that is carved in two: between personal information and sensitive personal information. It's important to know which type of data your website collects in order to be compliant.
Personal information includes –
Sensitive personal information includes –
With personal information, the Australian Privacy Principles (APPs) state that your website is only allowed to collect and process it if it is reasonably necessary for or directly related to your website’s functions and activities.
With sensitive personal information, websites must usually ask users for their express consent before collection.
Australian privacy law operates with two different types of consent: express and implied.
Express consent is the user's "open and obvious" decision to accept, whereas implied consent is the "reasonable belief" by websites, organizations and companies that they have the user's consent.
You can do this through Cookiebot’s consent management solution that automatically handles all consents, documentation and secure storage.
Cookiebot’s consent management solution enables compliance for your website with many of the world’s data laws, including the Australian Privacy Principles (APPs) requirement for consent in case of sensitive information collection.
The Australian government has announced that it will amend the Privacy Act to increase fines for data breaches, as well as creating a whole new privacy code to regulate the collection and processing of personal information on digital platforms, such as Facebook and Google.
It has also announced that a broad review of the Privacy Act will take place in 2020 to assess whether it accurately protects users’ privacy and their personal information online.
The Australian Privacy Principles (APPs) are thirteen codes of conduct created by the Privacy Act that websites, companies and organizations that operate in Australia must follow for compliance.
The Australian Privacy Principles (APPs) apply to what is known in the law as “an APP entity”, defined as an agency or organization.
Small businesses are in general exempt from compliance with the Australian Privacy Principles. However, numerous exceptions exist, such as if a small business discloses personal information for “a benefit, service or advantage”.
The thirteen APPs concern the following areas –
All thirteen APPs must be applied in order to be compliant with Australia’s Privacy Act, but we’ll highlight the most important and relevant ones regarding websites here.
Cookiebot’s website scanner automatically uncovers all cookies and trackers, their purposes, duration and provenance.
It also detects who your website shares personal information with – all vital information for you to obtain in order to be compliant with the Privacy Act and its Australian Privacy Principles.
This APP is where the legal difference between personal information and sensitive personal information is created, and the compliance requirements stated (see above for more).
At or before the time of collection – or as soon as possible after – your website must notify users that you are collecting personal information.
While this could sound as though the APPs create the legal need for what is known in Europe as a cookie banner (i.e. a consent notification that pops up when a user lands on a website), they actually don’t.
Australian data protection laws do not require cookie banners, unless your website collects sensitive personal information, in which case you must obtain the express consent of users.
A substantial number of exceptions to this APP exist; if you want to know more, read here.
If your website collects personal information on users for one purpose, you are not allowed to use or disclose it for any other purpose – unless you obtain your users’ consent to this.
And remember, if this is sensitive personal information, you must always obtain express consent from your users.
It is your responsibility as the website owner to ensure that the personal information you collect is accurate, up-to-date and complete.
It is also your responsibility as the website owner to protect the personal information you collect from misuse, interference and loss, unauthorized access, modification or disclosure.
You must enable your users to request access to the personal information you have collected on them.
You are required to respond to such a request within a reasonable period after the request is made, and to give access to the information in the way that was requested by the user.
Access to personal information must be free of charge.
You must enable your users to request corrections of the personal information you have collected on them.
If such requests are made, you must ensure that the information is up to date, complete, relevant and not misleading.
You are also required to notify third parties of such correction requests.
Try Cookiebot’s website scanner free for 30 days for deep-scanning technology that enables you to uncover all cookies on your website, so you can become compliant with the Privacy Act and its APPs today.