Australian Privacy Act Reforms 2026: The Publisher and Advertiser Guide to Cookie Consent, the Statutory Tort, and the Children's Online Privacy Code
For most of the last two decades, Australian privacy law has been quieter than its European or American counterparts. That era has ended. The Privacy and Other Legislation Amendment Act 2024, passed in November 2024, is the largest reform of the Privacy Act 1988 in a generation. It introduces a statutory tort for serious invasions of privacy, stronger enforcement powers for the Office of the Australian Information Commissioner (OAIC), a dedicated Children's Online Privacy Code, significant new transparency requirements for automated decision-making, and a clear trajectory toward opt-in consent for most targeted advertising. If you run digital advertising, analytics, or any user tracking into the Australian market in 2026, the reform reshapes your compliance obligations in a way you cannot ignore. This guide walks through what has changed, what is still coming, and exactly what publishers and advertisers should be doing right now.
The Structure of the 2024-2026 Reform
The reform is being rolled out in two tranches, and only the first has fully landed. Understanding the sequencing matters for knowing what is legally in force versus what is coming.
Tranche 1 — In Force from 2024-2025
The Privacy and Other Legislation Amendment Act 2024, assented in November 2024, delivered several changes that already apply:
- Statutory tort for serious invasions of privacy — individuals can sue directly for serious privacy invasions, without needing to show a breach of the Privacy Act itself
- New civil penalties — the OAIC can seek penalties for any interference with privacy, not only for serious or repeated breaches
- Transparency requirements for automated decision-making — entities must disclose when significant decisions about individuals are made using automated systems
- Doxxing criminalized — intentional publication of personal data to cause harm is now a criminal offence
- Children's Online Privacy Code — the OAIC is required to develop a binding code for services likely to be accessed by children, with the code due in 2026
Tranche 2 — Under Active Consultation for 2026-2027
The second tranche covers the more structural changes and is working through government agreement in 2025 and 2026. Expected elements include:
- Removal or significant narrowing of the small business exemption that currently excuses entities with annual turnover under AUD 3 million
- A clearer fair and reasonable test that applies to every handling of personal information, independent of consent
- Explicit regulation of targeted advertising, with opt-in consent likely for sensitive categories
- A new right to erasure, bringing Australian law closer to GDPR
- Tighter controls on cross-border data transfers
What Counts as Personal Information Under Australian Law
The Australian Privacy Act defines personal information broadly. It covers any information about an identified or reasonably identifiable individual, and the OAIC interprets reasonably identifiable to include online identifiers, device IDs, IP addresses combined with other data, and advertising identifiers. In practice, cookies, pixel tracking, device fingerprinting, and identity graphs used for cross-site advertising all process personal information under Australian law and are fully in scope for Australian Privacy Principles (APP) compliance.
How Cookie Consent Works Under Australian Law in 2026
Australian law does not currently require a full GDPR-style opt-in banner for all cookies. But it is also not a free-for-all, and several recent developments have tightened the bar.
APP 3 — Collection Requires Notice
Australian Privacy Principle 3 requires that personal information be collected only by lawful and fair means, with notice of the purposes. For cookies that collect personal information, this means a visible, informative notice must be presented before or at the time of collection. Hidden tracking does not satisfy APP 3.
APP 6 — Use and Disclosure Requires a Purpose Match
Personal information can only be used for the purpose it was collected, for a reasonably related secondary purpose, or with the individual's consent. Sharing cookie-derived data with a digital advertising platform for cross-context behavioral advertising typically falls outside the primary purpose, which pushes it toward consent.
OAIC Guidance on Tracking
The OAIC's 2024 guidance on tracking technologies is unambiguous: entities should provide a clear mechanism for individuals to opt out of tracking, and for any use case that involves sensitive information or profiling for significant decisions, the OAIC expects opt-in consent. That puts targeted advertising, programmatic retargeting, session replay, and behavioral analytics firmly in opt-in territory in practice, even if the statute has not yet made it mandatory in every case.
The Practical 2026 CMP Configuration
Most publishers operating in Australia now run a CMP that presents a three-state banner: Accept, Reject, and Customize. For EU or UK traffic, opt-in is strict. For Australian traffic, opt-in is the recommended default for targeted advertising and session replay, while analytics can often run under a notice-and-choice model as long as IP anonymization and data minimization are in place.
The Statutory Tort — What It Actually Enables
The new statutory tort is the most significant change for digital advertisers in practical terms. Previously, only the OAIC could enforce privacy rights, and individual remedies were limited. The statutory tort changes this.
What Is a Serious Invasion of Privacy?
The tort covers intentional or reckless conduct that causes a serious invasion of privacy, either through intrusion upon seclusion or through misuse of private information. Courts will weigh the seriousness against the public interest and other considerations.
Why Advertisers Should Care
Aggressive tracking, especially session replay that captures keystrokes and cursor behavior on sensitive pages, fingerprinting that circumvents a user's opt-out, or unauthorized linking of anonymous behavior to a named identity — all of these are now plausible factual bases for a tortious claim. Expect plaintiffs' firms to begin testing the boundaries in 2026. Australia does not have the class-action culture of the United States, but representative actions are possible and some firms are clearly positioning for them.
The Children's Online Privacy Code
The Children's Online Privacy Code is the single most specific piece of new regulation for publishers whose sites are likely to be accessed by children.
Who Is In Scope
The Code applies to social media services, relevant electronic services likely to be accessed by children, and certain designated internet services. In practice, this reaches far beyond pure children's sites — any general-audience platform that a meaningful number of minors access is likely to be captured, and the OAIC is expected to take an inclusive reading.
Core Obligations Expected in the Code
- High-privacy default settings for under-18 users
- Restrictions on targeted advertising to minors
- Prohibitions on dark patterns that nudge children toward weaker privacy settings
- Age-appropriate explanations of data handling
- Assessments of best interests of the child before deploying features that process their personal information
What to Prepare Now
Publishers whose audience includes significant numbers of under-18 visitors should start auditing their tracking stack, advertising configuration, and default settings before the Code is finalized. Retrofitting after the fact is typically more expensive and more disruptive than designing compliance into the stack from the start.
Enforcement Posture in 2026
The OAIC has received significantly enhanced resourcing alongside the reforms. Audit activity has increased, and the Commissioner has signalled a more public enforcement approach.
Penalties in Force
The maximum civil penalty for serious or repeated interference with privacy is the greater of AUD 50 million, three times the benefit obtained from the conduct, or 30 percent of the entity's adjusted turnover during the breach period. The reform also introduced a second tier of penalty for any interference with privacy that does not meet the seriousness threshold, giving the OAIC more calibrated enforcement tools.
Notifiable Data Breaches
Australia has had a mandatory data breach notification scheme since 2018, and the OAIC has been visibly aggressive on enforcement following the major Australian data breach incidents of 2022 and 2023. Any cookie or tracking-related incident that leads to unauthorized disclosure is likely to be in scope.
Cross-Border Transfers and Global Traffic
Australian Privacy Principle 8 requires that entities take reasonable steps to ensure overseas recipients handle personal information consistently with the APPs. For a publisher using global ad tech, this means either a jurisdiction with substantially similar laws, a contractual binding commitment from the overseas recipient, or informed consent from the individual.
United States Transfers
The US is not currently recognized as having substantially similar laws. Transfers to US ad tech vendors therefore require either binding contractual commitments or explicit consent. Publishers relying on Data Privacy Framework certifications — which cover EU-US transfers — should note that those certifications do not satisfy the Australian APP 8 requirement automatically.
Audit Checklist for Australian Traffic in 2026
- CMP presents clear Accept, Reject, and Customize options with equal visual prominence on Australian traffic
- Targeted advertising, retargeting, and session replay require opt-in consent; analytics run under notice plus data minimization
- Privacy policy clearly identifies cookies, pixel tracking, and advertising identifiers, with a purpose statement aligned to APP 3 and APP 6
- Cross-border transfer mechanisms are documented for every non-Australian processor (vendor list, contractual protections, or consent)
- Automated decision-making is disclosed where significant decisions are made using such systems
- Children's Online Privacy Code readiness assessment is complete, with high-privacy defaults available for detected minor users
- Doxxing risk review is complete for any functionality that could publish user-submitted personal information
- Data breach response plan is aligned to the 30-day notification window and current OAIC reporting format
The 2026 Outlook
Australia is in the middle of a structural shift from a lighter-touch privacy regime to one that looks increasingly similar to the European and Californian frameworks — with its own Australian characteristics. The first tranche is already enforceable and already reshaping litigation. The second tranche, including the narrowing of the small business exemption and explicit regulation of targeted advertising, is likely to take effect in 2026 or 2027. Publishers and advertisers who have invested in a GDPR-grade consent stack already have most of the machinery they need to comply. Those who have been relying on Australia's historically lighter posture are entering the new regime with known gaps. The right move is to close those gaps now — before the statutory tort, the Children's Code, or an OAIC audit forces the question on a timeline no one controls.