Most Australian small business cookie banners don't meet the OAIC's informed-consent standard. Some load tracking cookies the moment a visitor lands on the page. Some have a single "Accept" button and no way to refuse. Some pretend the visitor consented just by scrolling. None of these would survive a complaint to the Office of the Australian Information Commissioner. This article covers what does meet the standard, what doesn't, and how to fix your banner without paying for an enterprise consent platform.
What "informed consent" actually means in Australia
Australia's Privacy Act doesn't have an explicit cookie law. It doesn't need one. The Australian Privacy Principles (APPs) require that personal information collected through cookies (including IP-derived location, device fingerprint, and behavioural data) be collected with the individual's consent. The OAIC has consistently interpreted that as requiring four things together:
- Voluntary: the visitor must be able to refuse without penalty. A banner that hides itself when clicked anywhere isn't voluntary; the click might mean "yes" or "I'm trying to get to the content".
- Informed: the visitor must know what they are consenting to. Generic phrases like "we use cookies to improve your experience" don't satisfy this.
- Specific: blanket consent to "all cookies" isn't enough if you set substantively different categories (analytics, advertising, social embeds). Each category should be a separate choice.
- Current: a consent given in 2022 isn't valid forever. Visitors must be able to update or revoke their choice at any time.
The OAIC's Australian Privacy Principles Guidelines (chapter B, paragraph B.46 onwards) lay this out in detail. Tranche 2 of the Privacy Act reforms is expected to formalise these requirements with a "fair and reasonable" overarching obligation, putting the existing OAIC interpretation into the law itself.
Three categories of cookies
Not all cookies require consent. The category determines what you must ask.
Strictly necessary (no consent required)
Cookies the website cannot function without. The standard test: would the site break for the user without this cookie? If yes, it is strictly necessary. Examples:
- Session cookies that keep a logged-in user logged in.
- Cookies that store a shopping cart's contents during checkout.
- CSRF protection tokens that prevent forged form submissions.
- Cookies that remember the visitor's accept/reject choice on the cookie banner itself (recursive but real).
You may set these without asking. You should still mention them in your privacy policy.
Functional and preference (consent required)
Cookies that improve the experience but that the site works without. Examples:
- Language preference, currency selector, theme (dark or light) preference.
- Remembered form values across sessions.
- Recently-viewed-products lists.
Consent required, but most users will accept these readily because they directly benefit the visitor.
Analytics, advertising, and social (consent required, separately)
Cookies set to measure, profile, or remarket. Examples:
- Google Analytics 4, Microsoft Clarity, Hotjar, FullStory.
- Meta Pixel, Google Ads conversion tracking, LinkedIn Insight Tag.
- Embedded YouTube, Vimeo, Twitter, Facebook widgets that load before consent.
Consent required, and the OAIC's view is that these should be a separate ask from functional cookies. Visitors who say "yes to language preference" haven't said yes to advertising tracking.
What a compliant banner looks like
Six properties combine to meet the standard.
- No non-essential cookies set on first paint. The banner runs first, the tracking scripts run second, only after consent. If your scan finds Google Analytics cookies set on a fresh visit before any banner click, you have a problem.
- Three buttons of equal visibility on the first interaction: Accept, Reject, Customise. The reject button must be as visually prominent as accept. A small "Reject" link tucked under "Cookie Settings" while a giant green "Accept All" sits next to it doesn't pass the voluntary test.
- Per-category granular control under Customise. Functional, analytics, advertising as separate toggles. Visitors can turn on the categories they want and refuse the rest.
- Clear plain-English description of each category, including the third-party companies involved. "Analytics cookies (Google Analytics, Microsoft Clarity)" beats "Performance cookies".
- The choice persists for future visits. Don't ask the same visitor every page load. The banner stores the result in a first-party cookie or localStorage; that storage itself is strictly necessary and doesn't require consent.
- A way to change consent later. A "Cookie Settings" link in the footer that re-opens the banner. Visitors can revoke or update without finding a hidden settings page.
Free options that work
If your business doesn't have a compliance budget, two free options cover the requirements above.
Klaro (open source)
A clean, lightweight, fully open-source consent manager. Configured with a single JSON object that lists each cookie service. No external dependency, no per-visitor pricing.
Best for: developers or technically-minded site owners who want full control over the banner copy and styling. About an hour to configure for a typical WordPress or static site.
Cookie Consent (orestbida)
Vanilla JavaScript library, no jQuery, no external server calls. Same configurable category model as Klaro. Easier to customise the look-and-feel via CSS variables.
Best for: agencies or consultants implementing for multiple sites; the same configuration pattern works everywhere.
WordPress plugins
Two free plugins regularly tested against the OAIC standard:
- Complianz: free tier handles AU and NZ jurisdictions. Auto-blocks scripts on first paint. Generates the cookie policy text automatically based on which integrations you use.
- CookieYes: free tier covers the basic three-category banner. Paid tier adds compliance audit features.
Both ship working out of the box if you accept the defaults. Don't trust the marketing copy alone; install, run our free scan, and confirm no analytics cookies are being set before consent.
Paid options for businesses with compliance budgets
If you have a procurement budget and want a managed service:
- Cookiebot (now part of Usercentrics): the most-deployed paid option in Australia. Auto-scans your site weekly to discover new cookies, automatically updates the banner. Around AUD $20 to $100 per month depending on traffic volume.
- Iubenda: includes a privacy and cookie policy generator alongside the consent manager. Useful if you also need an Australia-specific privacy policy. Around AUD $30 per month.
- OneTrust: enterprise tool, suitable for businesses with formal compliance teams or multiple jurisdictions to manage. Pricing is quote-only; expect AUD $5,000 or more per year.
For a typical Australian SMB, the free Klaro or Complianz options are sufficient. Don't pay for what you don't need.
The four common mistakes
1. Pre-ticked boxes
A "Customise" panel where analytics is already toggled on by default. Pre-ticked consent isn't consent at all under the OAIC's interpretation. Every category except strictly-necessary should default to off.
2. The reject button hidden behind extra clicks
Accept on the first banner; reject only after clicking "Cookie Settings", scrolling, unchecking three boxes, then saving. This is what the EU calls a "dark pattern", and the OAIC has signalled that it takes the same view. Reject must be one click on the first banner.
3. Cookies set before consent
Google Tag Manager loaded inline in the page head. The Meta Pixel script in your theme. Both of these set cookies as soon as they execute, before the visitor has seen, let alone clicked, the banner. The fix: don't load these scripts until consent is given. Klaro, Complianz, and the others handle this for you. If you've added scripts manually, wrap their load in a "wait for consent" check.
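The "wait for consent" check above, together with the six banner properties listed earlier (nothing non-essential on first paint, per-category toggles defaulting to off, a persisted first-party record, and a way to withdraw later), as an added example. This is not Klaro, Complianz or any vendor's code; the names `CATEGORIES`, `CONSENT_KEY`, `createConsentGate`, `memoryStorage` and `domScriptLoader` are this example's own assumptions, and the script URLs in the usage call are placeholders.

```javascript
// Added example (not Klaro, Complianz or any vendor's code): a minimal per-category
// consent gate. CATEGORIES, CONSENT_KEY, createConsentGate, memoryStorage and
// domScriptLoader are assumed names for this example.

const CATEGORIES = ['functional', 'analytics', 'advertising'];
const CONSENT_KEY = 'cookie_consent_v1'; // assumed first-party storage key for the banner's own record

// Undecided state: every non-essential category is OFF (no pre-ticked boxes).
function defaultConsent() {
  return { version: 1, decidedAt: null, choices: Object.fromEntries(CATEGORIES.map((c) => [c, false])) };
}

// Re-read a previous visit's record. Anything malformed or from an unknown version
// counts as "not decided", so the banner is shown again rather than a category
// being silently treated as consented.
function parseStoredConsent(raw) {
  if (!raw) return defaultConsent();
  try {
    const obj = JSON.parse(raw);
    if (!obj || obj.version !== 1 || typeof obj.choices !== 'object' || obj.choices === null) return defaultConsent();
    const state = defaultConsent();
    for (const c of CATEGORIES) state.choices[c] = obj.choices[c] === true; // only an explicit true counts
    state.decidedAt = Number.isFinite(obj.decidedAt) ? obj.decidedAt : null;
    return state;
  } catch {
    return defaultConsent();
  }
}

// In-memory stand-in for window.localStorage so the example also runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Browser loader: the gate calls this only once a category has been consented to.
function domScriptLoader(doc) {
  return (src) => {
    const s = doc.createElement('script');
    s.src = src;
    s.async = true;
    doc.head.appendChild(s);
  };
}

function createConsentGate({ storage, loadScript, now = () => Date.now() }) {
  let state = parseStoredConsent(storage.getItem(CONSENT_KEY));
  const registered = Object.fromEntries(CATEGORIES.map((c) => [c, []]));
  const loaded = new Set(); // each script runs at most once per page

  function loadAllowed() {
    for (const c of CATEGORIES) {
      if (!state.choices[c]) continue;
      for (const src of registered[c]) {
        if (!loaded.has(src)) { loaded.add(src); loadScript(src); }
      }
    }
  }

  // Persist a per-category decision (Accept, Reject or Customise) and load what it allows.
  function save(choices) {
    const next = defaultConsent();
    for (const c of CATEGORIES) next.choices[c] = choices[c] === true; // omitted category = refused
    next.decidedAt = now();
    state = next;
    storage.setItem(CONSENT_KEY, JSON.stringify(state));
    loadAllowed();
  }

  return {
    // Register a script under a category instead of putting it in <head>. It loads
    // now only if that category was already consented to on an earlier visit.
    register(category, src) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
      registered[category].push(src);
      loadAllowed();
    },
    needsBanner: () => state.decidedAt === null,
    choices: () => ({ ...state.choices }),
    save,
    acceptAll: () => save(Object.fromEntries(CATEGORIES.map((c) => [c, true]))),
    rejectAll: () => save({}),
    // "Cookie Settings" path: clear the record so the banner shows again. Scripts that
    // already ran cannot be unloaded, so reload the page after withdrawing consent.
    withdraw() {
      storage.removeItem(CONSENT_KEY);
      state = defaultConsent();
    },
  };
}

// Browser wiring (placeholder URLs): nothing below loads until the visitor decides.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const gate = createConsentGate({ storage: window.localStorage, loadScript: domScriptLoader(document) });
  gate.register('analytics', 'https://analytics.example/tag.js');
  gate.register('advertising', 'https://ads.example/pixel.js');
  if (gate.needsBanner()) { /* show the banner; its buttons call gate.acceptAll / rejectAll / save */ }
}
```

The tracking scripts are handed to `register` rather than written into the page head, so on a fresh visit nothing is fetched until `save` runs; on a return visit the stored record is parsed defensively and only categories explicitly recorded as `true` load at registration time. The footer "Cookie Settings" link maps to `withdraw()` followed by a page reload, since a script that has already executed cannot be taken back.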
4. No way to change consent later
Visitor accepted by accident on their first visit. Six months later they realise and want to revoke. Every compliant banner needs a footer link or persistent button to re-open the consent dialog. "Cookie Settings" in your footer is the standard pattern.
Special note: tranche 2 and where this is heading
The Privacy Act tranche 2 reforms (still being drafted) are expected to introduce a "fair and reasonable" requirement for personal information handling. The OAIC's draft guidance signals that consent obtained through dark patterns will fail the "fair and reasonable" test even if the technical click happened. That means a banner built today should aim for the OAIC's full informed-consent standard, not the bare minimum to claim a click happened.
Once tranche 2 lands, the small business exemption is also likely to disappear, putting roughly 95% of Australian businesses inside the Act's scope. A defensible cookie banner now is preparation for that change, not just compliance with current law.
Run the free scan
Run our free scanner on your domain to see which third-party tracking cookies are being set on a fresh visit, before any consent has been given. Each cookie listed in the output is a candidate for the consent flow.
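A self-check along the lines of the fresh-visit scan described above and in the earlier "install, run our free scan, and confirm" step, as an added example rather than the scanner itself. The tracker table lists widely documented cookie names for the vendors this article names; `DEFAULT_NECESSARY`, the sample cookie string and the function names are this example's own assumptions.

```javascript
// Added example, not the site's scanner: classify the cookies present on a fresh
// visit, before any banner click. KNOWN_TRACKER_COOKIES holds widely documented
// cookie names for the vendors the article names; extend it for your integrations.
const KNOWN_TRACKER_COOKIES = [
  { pattern: /^_ga(_|$)/, vendor: 'Google Analytics', category: 'analytics' },
  { pattern: /^_gid$/, vendor: 'Google Analytics', category: 'analytics' },
  { pattern: /^_gat(_|$)/, vendor: 'Google Analytics', category: 'analytics' },
  { pattern: /^_cl(ck|sk)$/, vendor: 'Microsoft Clarity', category: 'analytics' },
  { pattern: /^_hj/, vendor: 'Hotjar', category: 'analytics' },
  { pattern: /^_fb[pc]$/, vendor: 'Meta Pixel', category: 'advertising' },
  { pattern: /^_gcl_/, vendor: 'Google Ads', category: 'advertising' },
];

// Cookies this site legitimately sets before consent (assumed names for the example):
// the session, the CSRF token, and the banner's own consent record.
const DEFAULT_NECESSARY = [/^PHPSESSID$/, /^csrftoken$/, /^cookie_consent_v1$/];

// Turn a document.cookie / Cookie header string into cookie names. Splits on the
// first '=' only, so values containing '=' are handled.
function parseCookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => { const eq = part.indexOf('='); return (eq === -1 ? part : part.slice(0, eq)).trim(); })
    .filter((name) => name.length > 0);
}

function classifyCookie(name, necessary) {
  if (necessary.some((re) => re.test(name))) return { name, status: 'necessary' };
  const hit = KNOWN_TRACKER_COOKIES.find((t) => t.pattern.test(name));
  if (hit) return { name, status: 'tracker', vendor: hit.vendor, category: hit.category };
  return { name, status: 'unknown' };
}

// Audit a fresh-visit cookie string. Every 'tracker' entry was set before consent and
// has to move behind the banner; every 'unknown' entry needs a manual look.
function auditFreshVisit(cookieString, necessary = DEFAULT_NECESSARY) {
  const names = [...new Set(parseCookieNames(cookieString))];
  const results = names.map((n) => classifyCookie(n, necessary));
  const trackers = results.filter((r) => r.status === 'tracker');
  return {
    passes: trackers.length === 0,
    trackers,
    unknown: results.filter((r) => r.status === 'unknown').map((r) => r.name),
    necessary: results.filter((r) => r.status === 'necessary').map((r) => r.name),
  };
}

// Constructed sample of what document.cookie might hold on a fresh visit to a site
// that loads GA4, the Meta Pixel and Clarity from the page head (values are made up).
const SAMPLE_FRESH_VISIT =
  'PHPSESSID=8f3a91; csrftoken=q1w2e3; _ga=GA1.1.111.222; _ga_ABCDE=GS1.1.333.1; ' +
  '_fbp=fb.1.444.555; _clck=u1|2|abc; promo_seen=1';

function sampleReport() {
  return auditFreshVisit(SAMPLE_FRESH_VISIT);
}
```

To use it on a real site, open a fresh private window, do not click the banner, and run `auditFreshVisit(document.cookie)` in the browser console. Two caveats: `document.cookie` only shows first-party cookies that are not `HttpOnly`, so cookies a vendor sets on its own domain (the third-party case) never appear here, and an unknown name is not automatically fine. A headless-browser scan that records `Set-Cookie` response headers and the domains they come from, which is what a scanner does, sees more than this console check.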