15 January 2025

Consent banner best practice

Updated: 6 February 2026

This article is not written, or presented as legal advice nor opinion. Readers should neither act, nor rely on opinion(s) in this, article and linked materials without seeking legal counsel.

In summary

• Public expectations around online privacy have steadily increased since Apple’s ITP and accelerated post-cookie deprecation.
• First-party data has replaced third-party cookies even though Google back-tracked on the Chrome deprecation, but as always, user consent governs how that data can be used.
• Updates to the Australian Privacy Act mean consent banners are no longer optional window dressing.
• Poor consent or privacy design creates measurement, compliance and operational risk, not just legal, privacy or edge-case concerns.

Privacy legislation and consent

Australia’s privacy framework shifted materially with the passage of amendments to the Privacy and Other Legislation Amendment Bill 2024, which came into effect late last year.

While Australia has not adopted a full GDPR-style opt-in regime, the direction of travel is clear: greater transparency, clearer consent expectations, and stronger scrutiny of how personal information is collected and used, particularly for marketing.

At the same time, global platforms have moved faster than local legislation.

Google’s enforcement of Consent Mode v2 and broader platform restrictions mean consent requirements are already being applied in practice, regardless of jurisdiction.

For a deeper look at how consent now underpins measurement and media performance, see our article: Why Australian businesses should care about tracking consent in 2026.

Consent banner requirements in 2026

Consent banners have effectively become table stakes for advertisers since early 2024, driven less by local regulation and more by platform enforcement.

What has changed is that Australian Privacy Principles (APPs) now provide clearer guidance on how consent, particularly implied consent, should be interpreted.

This means the design, placement and clarity of consent banners matter more than before.

Types of consent and use of information

The Privacy Act distinguishes between express consent and implied consent.

Express consent

Given explicitly, verbally or in writing. Required for handling sensitive information, such as health or biometric data.

Implied consent

Applies to non-sensitive personal information, but only where it is reasonable to believe the individual understands and agrees to the collection and use of their data.

For advertisers, this distinction matters most when collecting and using:

• Email addresses
• Names
• Phone numbers
• Address data
• Customer identifiers used for first-party marketing and audience matching

OAIC guidance for using personal information in marketing

Under current guidance from the OAIC, implied consent may be relied upon only where all of the following conditions are met:

The data collection is reasonably necessary to run the business

• Opt-out options are clearly and prominently presented
• Direct marketing opt-out is easy and accessible
• Individuals are informed of how their data will be used
• The consequences of not opting out are clearly explained
• Opt-out options are not bundled with unrelated purposes
• Exercising opt-out requires minimal effort or cost
• Consequences of failing to opt-out are not serious
• If a user opts out later, they must be treated as if they had always opted out

Full guidance is available via the OAIC’s consent to the handling of personal information documentation.

##

Ignoring a consent banner does not imply consent

The OAIC has been explicit on this point. Silence, inaction or dismissal of a banner cannot be assumed to represent consent. An organisation cannot infer consent simply because notice was provided. Where intent is ambiguous, consent should not be assumed.

This has direct implications for banner design and placement.

Key takeaways for marketers

• Users must realistically see and understand opt-out options for implied consent to be valid.
• Low-visibility banners (e.g. corner pop-ups) may struggle to meet this threshold.
• More prominent banners reduce legal ambiguity but push businesses closer to an express-consent model.
• The Privacy Act increasingly encourages opt-in-style behaviour, even where not strictly required.
• Consent status must be treated as dynamic, not static, especially where CRM or similar data sources are used to generate customer match profiles, which inherently involves sending data to third parties.

Louder’s recommendations

• Treat consent banners as governance infrastructure, not a UX afterthought.
• Clearly communicate opt-out options and their implications.
• Make opting out simple, visible and low-friction.
• Store and manage consent status within CRM and activation systems.
• Ensure consent signals are enforced consistently across analytics, media and data platforms.
• Where possible, align consent banner behaviour with Consent Mode v2 requirements to avoid measurement loss.
• Follow the OAIC’s updates on LinkedIn and Newsletters, as well as key industry commentators; Carly Kind, Angelene Falk, Helios Sallinger, Peter Leonard (Data Synergies)

Keep in touch

Sign up to Louder’s newsletter to receive the latest industry updates straight to your inbox.