Ever wondered if your website meets current privacy requirements? Whether you’re running a data-driven marketing operation, a remarketing site, or just a simple home business, you should be aware of what you need to comply with when collecting information from Australian and international internet users.
In Australia, the cookie notification requirements aren’t nearly as strict as overseas, but companies do owe obligations under the Privacy Act 1988 (Cth) when handling personal information. The Act binds ‘APP entities’, which generally excludes small businesses with an annual turnover under AUD 3 million unless an exception applies (for example, businesses that trade in personal information or provide health services). If you can get your head around the maze that is the Australian Privacy Act, you’ll find that precautions need to be taken when dealing with personal information.
The Australian Privacy Principles (APPs) set out the ‘reasonable steps’ that businesses need to take when handling personal information. There is nothing in the Act that discusses cookies explicitly, but if your cookies collect personal information, i.e. anything that identifies or could reasonably identify an individual (an email address, or a postcode combined with other details about the user), then you must comply with the notification requirements set out by the APPs.
You might assume that because your site only uses the default WordPress cookies (session cookies for logged-in users and the optional comment-author cookies), you don’t really need to worry. The problem with this assumption is that so many WordPress plugins collect personal data from users, often without us noticing: contact forms, analytics, social sharing buttons and embedded video players all set or read cookies of their own. Unless your site is purely informational and has NO way of inputting data, we recommend erring on the side of caution and having a cookie notification.
GDPR Requirements (European Users):
We’ve previously discussed the implications of the General Data Protection Regulation (GDPR) laws which were passed in Europe last year. For most businesses, unless you offer goods or services to, or monitor the behaviour of, people in the EU, the GDPR won’t apply to you. However, for the businesses that do, your notification obligations extend much further than under the Australian Privacy Act. The main things to note are:
- Implied consent is no longer enough; users can’t simply accept cookies by continuing to use the site or by scrolling
- Options need to be available, e.g. ‘Accept’ and ‘Reject’ rather than just ‘Ok’ or some other acknowledgment.
- Users of your website should be able to revoke consent to cookie collection or reject any further cookie collection
These just relate to your notification obligations. If someone decides to revoke consent to cookie collection, you’re obliged to identify their cookies and delete them. Bear in mind that a script on your page can only expire cookies set on your own domain; cookies a third party sets on its own domain can’t be reached from your site, so the only reliable control is not to load that third party’s script until consent has been given.
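To make the three points above concrete, here is a minimal consent manager written for this article (it is an added example, not code from the original post or from any of the plugins mentioned below). It treats a missing consent cookie as no consent, records ‘Accept’ and ‘Reject’ as distinct explicit states, only runs a tracker’s loader (such as the Facebook pixel snippet) after consent for its category exists, and on revocation expires every known tracking cookie it can reach. The cookie names `_fbp`, `_fbc`, `_ga` and `_gid`, the `cookie_consent` name, the 180-day lifetime and the `marketing` category are assumptions for the demo; the in-memory cookie jar stands in for `document.cookie` so the code runs outside a browser.

```javascript
// Added example for this article; not code from the original post or any plugin.
// Assumed tracking cookie names used by the revoke step.
const TRACKING_COOKIES = ['_fbp', '_fbc', '_ga', '_gid'];

// Parse a document.cookie-style "a=1; b=2" string into an object.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// In-memory stand-in for document.cookie so the example runs without a browser.
// In a page, pass { get: () => document.cookie, set: s => { document.cookie = s; } } instead.
function memoryCookieJar(initial = {}) {
  const store = new Map(Object.entries(initial));
  return {
    get: () => [...store].map(([k, v]) => `${k}=${v}`).join('; '),
    set: (setCookie) => {
      const [pair, ...attrs] = setCookie.split(';');
      const idx = pair.indexOf('=');
      const name = pair.slice(0, idx).trim();
      const value = pair.slice(idx + 1).trim();
      const expires = attrs.map(a => a.trim()).find(a => a.toLowerCase().startsWith('expires='));
      if (expires && new Date(expires.slice(8)).getTime() < Date.now()) {
        store.delete(name); // an expiry in the past deletes the cookie, as a browser would
      } else {
        store.set(name, value);
      }
    },
  };
}

// consentCookie, loaders and domain are assumptions; loaders maps a category
// name (e.g. 'marketing') to a function that injects that tracker's script.
function createConsentManager(jar, { consentCookie = 'cookie_consent', loaders = {}, domain } = {}) {
  const loaded = new Set();
  // The same path/domain attributes must be used when deleting a cookie as when
  // it was set, otherwise the browser treats it as a different cookie.
  const attrs = `; path=/; SameSite=Lax${domain ? `; domain=${domain}` : ''}`;

  // No consent cookie means no consent: scrolling or continued browsing never counts.
  function getConsent() {
    const raw = parseCookies(jar.get())[consentCookie];
    if (!raw) return null;
    try { return JSON.parse(raw); } catch { return null; }
  }
  function hasConsent(category) {
    const c = getConsent();
    return !!(c && c.status === 'accepted' && c.categories.includes(category));
  }
  function save(status, categories) {
    const value = encodeURIComponent(JSON.stringify({ status, categories, ts: Date.now() }));
    jar.set(`${consentCookie}=${value}; max-age=15552000${attrs}`); // 180 days (assumed policy)
  }
  // Run each tracker's loader once, and only for categories the user accepted.
  function applyLoaders() {
    for (const [category, load] of Object.entries(loaders)) {
      if (hasConsent(category) && !loaded.has(category)) { load(); loaded.add(category); }
    }
    return [...loaded];
  }
  function accept(categories) { save('accepted', categories); return applyLoaders(); }
  // 'Reject' is stored explicitly so the banner can close without implying consent.
  function reject() { save('rejected', []); return []; }
  // Revoke: record the withdrawal, then expire every known tracking cookie that is
  // present. Only cookies on our own domain are reachable; HttpOnly cookies and
  // cookies set on a third party's domain cannot be removed from page script.
  function revoke() {
    save('rejected', []);
    const present = parseCookies(jar.get());
    const removed = [];
    for (const name of TRACKING_COOKIES) {
      if (name in present) {
        jar.set(`${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT${attrs}`);
        removed.push(name);
      }
    }
    return removed;
  }
  return { getConsent, hasConsent, accept, reject, revoke, applyLoaders };
}
```

On a real page, call `applyLoaders()` once on load so returning visitors who already accepted get their trackers, wire the banner’s buttons to `accept(['marketing'])` and `reject()`, and expose `revoke()` from a privacy-settings link. A tracker script that has already run cannot be ‘unloaded’, which is why gating the load on consent matters more than the clean-up afterwards.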
Although your business may not need to comply with the GDPR requirements, Facebook does. So, if you’re conducting remarketing with lookalike audiences and tracking (sending their data to Facebook to find similar customers), you need to be upfront with your users about that. To be cautious, we recommend implementing a cookie consent popup as if you were obliged to follow GDPR requirements.
Plugins to Help Comply with Cookie Consent / Notification:
There are a number of great plugins out there to assist with European and Australian cookie consent requirements. As it’s a relatively simple script, you should really look for one that works well with all your other plugins and suits your current theme design. Ones we’ve tried include the ‘Cookie Notice for GDPR’ plugin by dFactory and ‘Cookie Law Info’ by WebToffee.
We’ve found that ‘Cookie Notice for GDPR’ is great for Australian websites, as it allows you to have just a cookie notification, or a complete consent system if you desire. Cookie Law Info only seems to offer GDPR-style consent forms, with an ‘Accept’ and a ‘Reject’ button, each of which can be scripted to do its own thing (for example, only loading your tracking scripts after ‘Accept’). With that said, Cookie Law Info seems to look better with modern WordPress themes.
As always, if you’ve got any specialised questions relating to the GDPR laws or the Australian Privacy Act, you should consult a lawyer. Unfortunately, laws like the GDPR can make remarketing activities more complex, but it’s something that we all need to overcome. We simply think it’s important to ensure your business stays on top of its privacy obligations, no matter how big or small your operations are.