Figuring out whether a website needs a cookie consent banner or privacy policy has always been a confusing question for me. The answer is actually pretty simple and, mercifully for people who hate cookie consent popups, not all bad news.
Websites for Australian-based companies that have no EU presence and don’t sell to or deal with people in the EU don’t need to comply with the GDPR, even if people from the EU could use the site. For Australian sites with Australian customers, it isn't usually necessary to get explicit consent from visitors in order to use cookies and, therefore, you don't need a cookie consent banner in order to use Google Analytics.
Australian law says you do need to have written and made available a privacy policy to use GA, but you don’t have to get explicit consent from your site's visitors. Your site should include a privacy policy, usually on a dedicated page or PDF linked from the site's footer or main navigation, if you want to use Google Analytics. For example, we make Paper Moose's Privacy Policy available as a PDF we link to from our site's main menu.
In fact, you don't actually need a privacy policy at all just to use cookies themselves. The reason you need a privacy policy to use GA specifically is that the cookies it creates are used for a secondary purpose (tracking users across other websites) by a third party (Google). Some other site analytics providers such as Matomo avoid using cookies at all, avoiding the need for consent banners or a privacy policy entirely.
Australian websites that collect personal or private information must obtain consent for collecting and using that information, or reasonably believe that they have their users’ implied consent. The collection and use of that information must also be described in a privacy policy made available to users.
Sites anywhere in the world that don’t use GA, cookies or don’t collect personal info:
❌ Don’t need a privacy policy
❌ Don’t need a cookie consent popup
Sites using GA or collecting personal info with a primarily Australian audience that don’t target or sell to people in the EU:
✅ Need a privacy policy to comply with the Privacy Act
❌ Don’t need a cookie consent popup
Sites using GA or collecting personal info that may target or sell products to an EU audience or for companies with an EU presence:
✅ Need a privacy policy to comply with the Privacy Act
✅ Need a cookie consent popup and to comply with the GDPR