You’ve seen the cookie pop-ups on other websites and wondered if you’re supposed to have one too. Maybe someone mentioned “GDPR” in a meeting, and now you’re not sure if that applies to you. Or you’re just trying to work out, plainly, whether your website needs a privacy policy at all.
These are two different questions with two different answers, and most of the confusion online comes from people mixing them up. This post covers what Australian law actually requires for a website privacy policy, and separately, what it requires around cookie consent, which is a lot less than most people assume.

Do You Need a Privacy Policy?
Under the Privacy Act 1988, most small businesses aren’t covered at all. The general threshold is annual turnover of $3 million or less. If you’re under that, the Act doesn’t apply to you by default.
There are exceptions, though, and they catch more businesses than people expect. Regardless of turnover, the Privacy Act covers your business if you fall into any of these categories:
- Health service providers, including traditional medicine, gyms, counsellors, and therapists.
- Businesses that trade in personal information, such as selling, buying, or swapping customer or marketing lists.
- Contractors delivering services under a Commonwealth contract.
- Operators of a residential tenancy database.
If any of these apply, you need a compliant privacy policy, no matter how small your turnover is.
It’s also worth knowing that this threshold is under active review. In February 2026, the Attorney-General confirmed the government is progressing a second tranche of privacy reform that would remove the $3 million exemption entirely, with a target implementation date of December 2026. That change hasn’t been legislated yet, so it doesn’t apply to you today, but if you’re anywhere near that turnover line, it’s worth keeping an eye on. Separately, a set of anti-money laundering reforms that took effect on 1 July 2026 already pulled more than 100,000 small businesses under the Privacy Act for specific activities, regardless of the broader exemption.
If the Act does cover you, your privacy policy needs to describe what personal information you collect, why, how you store it, who you share it with, and how someone can access or correct their own data.
Do You Need a Cookie Consent Pop-up?
Not the kind you’re picturing, in most cases. This is where a lot of Australian websites overcomply because they’re copying what they’ve seen on European or American sites.
The Australian Privacy Principles don’t require you to get affirmative, click-to-accept consent before a cookie is allowed to fire. What they require is transparency: telling visitors what you’re collecting and why, generally through your privacy policy. There’s no legal obligation under Australian law to block a visitor or force a click before they can use your site.
That’s a meaningfully different standard to the EU’s GDPR, which does require opt-in consent for non-essential cookies before they load, and doesn’t accept implied consent as good enough. If your website has EU visitors or customers, particularly if you sell to them, GDPR can apply to you regardless of where your business is based, and that’s usually the real reason Australian sites end up with a full consent banner.
So the honest answer for most local small businesses: you’re not legally required to have a cookie pop-up. You are required to be upfront about what you collect.
What This Actually Means for Your Site
If the Privacy Act doesn’t cover you and you don’t have meaningful EU traffic, a simple, honest privacy policy covers your legal bases. It doesn’t need to be dense or lawyer-written; it needs to accurately describe what your site actually does: what forms collect data, what analytics or advertising tools you run, and what happens to that information.
If you do fall under the Privacy Act, or you’re anywhere close to the turnover threshold, it’s worth treating your privacy policy as a live document rather than something you copied once and forgot about. Every time you add a new tool, a new analytics platform, or a new payment processor, it should be reflected in the policy.
If you’re targeting or transacting with EU customers, a proper cookie consent tool that blocks non-essential cookies until the visitor opts in is the safer approach, even though Australian law alone wouldn’t require it.
A Quick Decision Framework
Run through this in order:
If none of these applies, you’re likely fine with a clear, accurate privacy policy and no pop-up at all.
Not sure which category your business falls into, or want a second opinion before you publish anything? Happy to talk it through, no obligation, no pitch.