15 January 2025
Consent banner best practice
This article is not written or presented as legal advice or opinion.
Readers should neither act on nor rely on the opinions in this article and the linked materials without seeking legal counsel.
In summary
- Since the release of Apple’s ITP in 2013, online privacy has been a rising demand amongst the public and government bodies.
- This has resulted in the transition away from third-party cookies to first-party data as the catch-all solution for audience creation and cross-device tracking.
- With the updates to the Australian Privacy Principles (APP) within the Australian Privacy Act passing in November 2024, websites should be aware of the implications of alternative solutions, which may include the use of first-party data, and ensure that their consent banners follow APP compliance best practice.
Privacy legislation and consent
The Australian Privacy Act of 1988 had a major update, which passed both houses on 29 November 2024. Many of these changes were a reaction to changes in Europe under the General Data Protection Regulation (GDPR), which requires websites to obtain visitors’ consent before collecting user information for personalised advertising.
To the delight of advertisers, the Australian regulatory changes are far less strict than those of the GDPR; however, there are still some changes that need to be considered when implementing consent banners on websites.
Consent banner requirements
Consent banner implementation has effectively been required for most digital advertisers since March 2024, due to Google’s requirement that advertisers adopt consent mode to continue using specific features, so that Google itself complies with the GDPR. The exact implementation of the banner was not a factor in Google’s enforcement. With the changes to the Australian Privacy Principles (APP), there are now some consent banner display guidelines that Australian advertisers need to be aware of.
Types of consent and use of information
Firstly, let’s be clear on the definitions for express and implied consent as provided by the Privacy Act.
- Express consent: Express consent is given openly and obviously, either verbally or in writing. For example, when you sign your name (by hand, or by an electronic or voice signature). An organisation or agency must receive your express consent before handling your sensitive information.
- Implied consent: An organisation or agency doesn’t need your express consent to handle your non-sensitive personal information, but they need to reasonably believe that they have your implied consent. It’s not sufficient for an organisation or agency simply to tell you of their collection, use or disclosure of your personal information. Unless they presented you with an opt-out option they cannot assume your implied consent.
Express consent is currently only required for the collection of sensitive information, such as a user’s medical history. Collection of sensitive information for most advertisers is a niche case.
More relevant to advertisers is how these regulatory changes affect their collection of personal information, most notably email, address, first name, last name and phone number, for the use of first-party data in marketing.
Guidance for using personal information for marketing
Unlike sensitive information handling, personal information only requires implied consent, meaning the user can reasonably be taken to have consented to tracking because they would understand it to be taking place. This is allowed only in limited circumstances, provided the following criteria are met:
- Collection of data would reasonably be considered part of running the business
- The opt-out option is clearly and prominently presented
- Direct marketing needs to be easy for users to opt out of. Unlike the GDPR, however, the act doesn’t require the opt-in and opt-out options to be of equal ease
- It is likely that the individual received and read the information about the proposed collection, use or disclosure, alongside the option to opt-out
- The individual was given information on the implications of not opting out
- The opt-out option is freely available and not bundled with other purposes
- It was easy for the individual to exercise the option to opt-out, for example, there was little or no financial cost or effort required by the individual
- The consequences of failing to opt-out are not serious
- An individual who opts out after initially opting in will be treated, after the fact, as if they had always opted out.
Read the OAIC’s guidance on consent to the handling of personal information in detail.
Ignoring a consent banner does not imply consent
The OAIC documentation also explicitly states that, under the new laws, ignoring the consent banner does not constitute implied consent:
Generally, it should not be assumed that an individual has given consent on the basis alone that they did not object to a proposal to handle personal information in a particular way.
An APP entity cannot infer consent simply because it provided an individual with notice of a proposed collection, use or disclosure of personal information. It will be difficult for an entity to establish that an individual’s silence can be taken as consent.
Consent may not be implied if an individual’s intent is ambiguous or there is reasonable doubt about the individual’s intention.
Key takeaways
The most important aspects for advertisers regarding consent implementation:
- The user needs to have seen the opt-out option, and to have read the information on opting in or out, before implied consent can be assumed. It is yet to be seen how these factors will be interpreted legally, but best practice for the consent banner is to place it front and centre on the visitor’s arrival at the website, so that the user is less likely to miss it.
- It is unlikely that a pop-up in a corner of the website will be considered suitable; however, as mentioned, no precedent has yet been set.
- The prior suggestion runs counter to the idea of implied consent: by placing the banner in the middle of the screen, the user is forced to interact with it, so a form of express consent is in effect being collected.
- In general, the act encourages advertisers to err on the side of caution and implement express consent for all personal information as well as sensitive information, suggesting that the act is pushing businesses towards opt-in consent tracking similar to the European model.
- There is enough leeway at this time for less visible consent banners to hypothetically satisfy the legislation.
- The requirement to retroactively opt out users who previously consented suggests that advertisers will need to record consent status within their CRM system alongside customer match data, so that they can add and remove users from those lists as their consent evolves.
Louder’s recommendations
- Begin your consent banner implementation or refinement by including as many of the criteria listed above as possible that are unlikely to heavily impact your digital campaign’s performance. Some options include:
  - Provide an easy opt-out option for users exposed to direct marketing
  - Supply users with all information on the implications of not opting out
  - Outline that the consequences of failing to opt out are not serious
  - Make it easy for individuals to exercise the option to opt out, for example with little or no financial cost or effort required
  - Collect consent status within your CRM system
- It is recommended, but not required for most advertisers, to implement a consent banner that is front and centre on the webpage and that the user must engage with in order to dismiss it.
- It is recommended to ensure that the user’s ability to opt out of tracking is clearly communicated; a first step could be ensuring that the opt-in and opt-out buttons are clearly identifiable. Opting out can still be a two-step process within the Australian market, unlike under the GDPR requirements in Europe.
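The two CRM-side points above (recording consent status next to customer match data, and treating a later opt-out as if the person had always opted out) can be expressed as a small consent ledger. The following is an added example, not Louder’s code or any vendor’s product; the ConsentEvent schema, field names and sample customers are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical CRM consent-ledger schema (an illustration, not Louder's or any
# vendor's). One row per banner interaction; the two flags are the evidence
# the OAIC criteria turn on, so they are stored with the decision itself.
@dataclass(frozen=True)
class ConsentEvent:
    email: str
    at: datetime
    action: str            # "opt_in" or "opt_out"
    notice_shown: bool     # collection/use/disclosure information was displayed
    opt_out_offered: bool  # an opt-out option was presented alongside it

def effective_status(events, as_of=None):
    """Return "in", "out" or "none" for one individual as of a given time."""
    ordered = sorted(events, key=lambda e: e.at)
    # Retroactive rule: a person whose most recent action is an opt-out is
    # treated as if they had always opted out, even in a historical snapshot.
    if ordered and ordered[-1].action == "opt_out":
        return "out"
    if as_of is not None:
        ordered = [e for e in ordered if e.at <= as_of]
    if not ordered:            # never interacted: ignoring the banner is not consent
        return "none"
    latest = ordered[-1]
    if latest.action == "opt_out":
        return "out"
    # An opt-in only counts when notice and an opt-out option were presented.
    return "in" if latest.notice_shown and latest.opt_out_offered else "none"

def build_customer_match(crm_rows, ledger, as_of=None):
    """Return the emails of CRM rows whose effective consent is "in"."""
    by_email = {}
    for e in ledger:
        by_email.setdefault(e.email, []).append(e)
    return [r["email"] for r in crm_rows
            if effective_status(by_email.get(r["email"], []), as_of) == "in"]

# Constructed sample data (not real customers).
def day(d): return datetime(2025, 1, d)
SAMPLE_LEDGER = [
    ConsentEvent("alice@example.com", day(10), "opt_in", True, True),
    ConsentEvent("bob@example.com", day(5), "opt_in", True, True),
    ConsentEvent("bob@example.com", day(20), "opt_out", True, True),
    ConsentEvent("carol@example.com", day(8), "opt_in", True, False),  # no opt-out shown
]
SAMPLE_CRM = [{"email": f"{n}@example.com"} for n in ("alice", "bob", "carol", "dave")]
SNAPSHOT = day(15)  # audience rebuilt "as of" a date before Bob opted out
```

Rebuilding the list for the SNAPSHOT date still excludes Bob, which is the retroactive behaviour the act describes; Carol is excluded because no opt-out was offered, and Dave because he never acted on the banner.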
Resources
- Privacy and Other Legislation Amendment Bill 2024, Australian legislation
- Adapt to privacy and regulatory changes with consent mode, Google Ads support
- Australian Privacy Principles guidelines, Office of the Australian Information Commissioner
- A framework for data de-identification, CSIRO
- Consent to the handling of personal information, Office of the Australian Information Commissioner