
Australian Privacy Act 2024: What It Means for Google Ads

The Privacy and Other Legislation Amendment Act 2024 changes consent, data retention, and tracking. What Australian Google Ads advertisers must change now.

Pau López Cots


Founder Adstralis · Ex-Google Ads Consultant at Google

The Privacy and Other Legislation Amendment Act 2024, which received royal assent on 10 December 2024, is the most significant reform to Australian privacy law since the Privacy Act 1988. For Google Ads advertisers, the changes are not abstract: the new statutory tort for serious invasions of privacy, enhanced penalties reaching $50 million AUD, and tightened consent requirements all have direct implications for how you collect data, run remarketing, use Customer Match, and configure Enhanced Conversions. This guide covers what changed, what it means for your Google Ads account specifically, and what to audit now.

Quick reference — what changed:

  • New statutory tort: individuals can sue for serious invasions of privacy — tracking without adequate consent is now litigation risk, not just regulatory risk
  • Civil penalty increase: from $2.22M to up to $50M AUD (or 3x benefit gained, or 30% of adjusted turnover)
  • Enhanced consent transparency: users must be clearly told what data is collected and why before collection occurs
  • Children’s Online Privacy Code: Commissioner to develop mandatory code — advertisers targeting broad audiences must prepare
  • Automated decision-making: entities must disclose when automated systems make significant decisions affecting individuals
  • Enforcement body: Office of the Australian Information Commissioner (OAIC)

What the 2024 Amendments Actually Changed

The Privacy and Other Legislation Amendment Act 2024 does not replace the Australian Privacy Act 1988 — it amends and significantly strengthens it. Understanding which changes are already in force versus which have delayed commencement matters for prioritising your compliance work.

In force from royal assent (December 2024): The criminal offence for doxxing (malicious exposure of personal information to cause harm) and the enhanced civil penalty regime are already active. The increased penalties — up to $50 million AUD, or three times the benefit gained from the breach, or 30% of adjusted annual turnover, whichever is greatest — apply to breaches occurring after December 2024.

The statutory tort for serious invasions of privacy: This is the most significant change for advertisers. The Act creates a new cause of action allowing individuals to sue entities that seriously invade their privacy. A serious invasion requires: a deliberate or reckless act, a reasonable expectation of privacy in the circumstances, and that the privacy interest outweighs the defendant’s justification.

For Google Ads advertisers, the risk scenario is: collecting user data via tracking pixels, building remarketing audiences, or uploading Customer Match lists without adequate consent — and having an individual successfully argue their privacy was seriously invaded. The statutory tort means this is no longer only a regulatory compliance question (OAIC investigation + penalty) but also a private litigation question.

Children’s Online Privacy Code: The Act requires the Information Commissioner to develop a Children’s Online Privacy Code. While the code itself is not yet finalised, advertisers running campaigns that could reach under-18s are on notice. This will almost certainly require age-appropriate privacy notices, restrictions on behavioural targeting of minors, and enhanced consent standards for any data collected from children. Advertisers in verticals that skew young (education, gaming, entertainment, fashion) should begin auditing their audience exclusion practices now.

What This Means for Remarketing Audiences

Remarketing in Google Ads requires placing a tag on your website that drops a cookie, identifies the visitor, and adds them to an audience list. Under the amended Privacy Act, this constitutes collection of personal information. The lawful basis for this collection must be clear, documented, and communicated to the user before collection occurs.

The consent requirement in practice: Your privacy policy must explicitly disclose that you use Google Ads remarketing tags. This is not new. What is new is the enforcement environment — the $50M penalty regime and the statutory tort make “we had it buried in the privacy policy” a much weaker defence than it was before.

What to check in your Google Ads account:

  • Audience membership duration: Google allows remarketing lists to retain members for up to 540 days. Under Australian privacy law, retaining data longer than necessary for the original purpose is non-compliant. Review your audience membership durations and reduce them to what is genuinely necessary for your sales cycle. For most businesses, 30–90 days is appropriate; 540 days is almost never justified.
  • Audience exclusions: Ensure you are not retargeting users who have explicitly opted out of tracking via your cookie consent mechanism. If a user declines tracking cookies and you are still capturing them via a server-side tag, you have a compliance problem.
  • Sensitive categories: Google’s own policies restrict remarketing based on sensitive categories (health conditions, financial hardship, etc.). The amended Privacy Act’s treatment of sensitive information is stricter than general personal information. If you are retargeting based on pages that imply a health condition, financial difficulty, or similar, your data practices need review.

Customer Match and Enhanced Conversions Under the New Framework

Customer Match (uploading hashed customer email or phone lists to Google Ads for audience matching) and Enhanced Conversions (sending hashed conversion data back to Google to improve measurement accuracy) both involve transferring personal data to Google. Under the amended Privacy Act, this transfer requires lawful basis.

Customer Match: Uploading your customer email list to Google requires that those customers consented to their data being shared with third parties for advertising purposes. “We may use your data to improve your experience” buried in a sign-up form is not sufficient. The amended Act requires consent that is specific, informed, and freely given. If your marketing list was collected under a general newsletter opt-in, you likely do not have adequate consent for Customer Match. The practical fix: add explicit consent language to your email capture forms (“I agree to my email being used for targeted advertising on platforms including Google”) and segment your list to Customer Match only from those who consented after that language was added.

Enhanced Conversions: Enhanced Conversions send hashed email addresses captured at conversion (e.g., a checkout or form submission) back to Google to improve attribution. This is first-party data collected from people who have actively submitted their email to you. If your privacy policy discloses that conversion data is shared with advertising platforms for measurement, this is on stronger footing than Customer Match from a legacy list. However, if your privacy policy does not mention this, update it before deploying Enhanced Conversions. The technical implementation is covered in our Enhanced Conversions setup guide.
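The Customer Match segmentation described above can be enforced in the export job itself, so that only contacts with explicit advertising consent are ever hashed and uploaded. This is an added example, not code from this guide or from Google. The contact shape, the EXPLICIT_CONSENT_FROM date, the reason strings and the sample records are constructed assumptions; the email formatting (trim, lowercase, SHA-256 hex) follows Google's documented Customer Match requirements.

```javascript
// Added example (Node.js): consent-gated Customer Match list preparation.
const { createHash } = require('crypto');

// Assumption: the date the explicit advertising-consent wording went live
// on your email capture forms. Replace with your own go-live date.
const EXPLICIT_CONSENT_FROM = new Date('2025-02-01T00:00:00Z');

// Normalise (trim + lowercase) and SHA-256 hash an email address.
function hashEmail(email) {
  return createHash('sha256').update(email.trim().toLowerCase()).digest('hex');
}

// Splits contacts into an upload segment and a held-back segment.
// upload rows carry only the hash plus the documented consent basis;
// held rows carry only the contact id and the reason, never the email.
function segmentForCustomerMatch(contacts, optedOutIds) {
  const upload = [];
  const held = [];
  for (const c of contacts) {
    const consentAt = c.adConsentAt ? new Date(c.adConsentAt) : null;
    if (optedOutIds.has(c.id)) {
      held.push({ id: c.id, reason: 'opted_out' });            // suppression list wins
    } else if (!consentAt || Number.isNaN(consentAt.getTime())) {
      held.push({ id: c.id, reason: 'no_advertising_consent' }); // e.g. newsletter-only opt-in
    } else if (consentAt < EXPLICIT_CONSENT_FROM) {
      held.push({ id: c.id, reason: 'consent_predates_explicit_wording' });
    } else {
      upload.push({
        hashedEmail: hashEmail(c.email),
        consentBasis: `ad-consent ${consentAt.toISOString()}`,
      });
    }
  }
  return { upload, held };
}

// Constructed sample data (not real contacts).
const SAMPLE_CONTACTS = [
  { id: 'c1', email: ' Alice@Example.com ', adConsentAt: '2025-03-10T02:15:00Z' },
  { id: 'c2', email: 'bob@example.com', adConsentAt: '2023-06-01T00:00:00Z' },
  { id: 'c3', email: 'carol@example.com', adConsentAt: null },
  { id: 'c4', email: 'dan@example.com', adConsentAt: '2025-04-01T00:00:00Z' },
];
const SAMPLE_OPT_OUTS = new Set(['c4']);

const result = segmentForCustomerMatch(SAMPLE_CONTACTS, SAMPLE_OPT_OUTS);
console.log(`upload: ${result.upload.length}, held: ${result.held.length}`);
```

The held list doubles as the re-consent work queue, and the consentBasis field gives you the per-segment record the audit checklist asks for.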

Google’s Consent Mode was originally developed in response to GDPR in the EU. Australian advertisers largely ignored it because there was no equivalent local regulation. The 2024 Privacy Act amendments change that calculus significantly.

Consent Mode works by receiving signals from your cookie consent banner (accepted/rejected by the user) and adjusting what data Google’s tags collect accordingly:

  • If consent is granted: full measurement as normal
  • If consent is denied: Google’s tags use modelled data instead of actual cookie data, preserving some signal without violating consent

Implementing Consent Mode does not reduce your conversion measurement significantly in practice — Google’s modelling fills the gap. What it does do is give you a documented, technical mechanism showing that users who declined tracking were not tracked. That documented mechanism is increasingly valuable as enforcement of consent requirements tightens.

If you are not running Consent Mode, implement it. The Google Consent Mode documentation covers the technical implementation for standard and advanced modes.
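The signal flow described above, from banner choice to Google's tags, looks like this in practice. This is an added example, not code from this guide or from Google's documentation. The banner choice shape ({ advertising, analytics }) and the function names are constructed assumptions; the gtag consent commands and the four signal names are Google's documented Consent Mode parameters.

```javascript
// Added example: wiring a cookie banner to Google Consent Mode.
// In a page this runs inline BEFORE the Google tag snippet loads.
const root = typeof window !== 'undefined' ? window : globalThis;
root.dataLayer = root.dataLayer || [];
function gtag() { root.dataLayer.push(arguments); }

// Map banner categories to Consent Mode signals. Fail closed: anything
// other than an explicit boolean true is treated as 'denied'.
function toConsentState(choice) {
  const c = choice || {};
  const ads = c.advertising === true ? 'granted' : 'denied';
  const analytics = c.analytics === true ? 'granted' : 'denied';
  return {
    ad_storage: ads,          // advertising cookies (remarketing)
    ad_user_data: ads,        // sending user data to Google for ads
    ad_personalization: ads,  // personalised ads / remarketing lists
    analytics_storage: analytics,
  };
}

// Everything denied until the visitor makes a choice.
function initConsentDefaults() {
  const state = toConsentState(null);
  gtag('consent', 'default', state);
  return state;
}

// Call from the banner's accept/reject/save handler. The returned record
// (timestamp + resulting state) is what you persist as consent evidence.
function applyBannerChoice(choice) {
  const state = toConsentState(choice);
  gtag('consent', 'update', state);
  return { at: new Date().toISOString(), state };
}

initConsentDefaults();
```

A visitor who rejects advertising cookies but accepts analytics would be handled with `applyBannerChoice({ advertising: false, analytics: true })`, which leaves all three advertising signals denied.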

Practical Audit Checklist for Your Google Ads Account

Run through this audit against your current account setup.

Privacy policy and consent:

  • Privacy policy explicitly discloses: Google Ads remarketing tags, Customer Match use, Enhanced Conversions, and third-party data sharing for advertising purposes
  • Cookie consent banner is live and correctly integrated with Google Consent Mode
  • Users who decline tracking are not being added to remarketing audiences
  • Customer Match lists sourced only from contacts with explicit advertising consent

Remarketing audiences:

  • Audience membership duration reviewed — reduce lists over 90 days unless there is a clear business justification
  • No audiences built on sensitive category pages (health conditions, financial hardship, relationship status)
  • Suppression lists in place for opted-out users

Data transfers to Google:

  • Enhanced Conversions disclosed in privacy policy
  • Customer Match uploads documented with consent basis for each list segment
  • No upload of data collected before December 2024 without verifying consent standards met the new threshold

Children’s audience:

  • Age exclusions applied to campaigns in verticals that could reach minors
  • Review audience exclusions for under-18s before the Children’s Online Privacy Code is finalised

Internal documentation:

  • Data Processing Agreement with Google reviewed and current
  • Internal record of what data is collected via Google tags, for what purpose, and the lawful basis

What to Do If You Are Not Yet Compliant

Prioritise in this order:

  1. Update your privacy policy — it costs nothing and reduces your litigation exposure immediately. Add explicit disclosure of Google Ads data practices (remarketing, Customer Match, Enhanced Conversions, third-party sharing for advertising).

  2. Implement Consent Mode — the technical integration takes a few hours and gives you a documented compliance mechanism. Do this before the next major enforcement case creates urgency.

  3. Audit and reduce audience membership durations — log in to Google Ads, go to Tools → Audience Manager, and review every list with a membership duration over 90 days. Reduce where not justified.

  4. Segment Customer Match lists — identify which contacts on your marketing list have given explicit advertising consent. Only upload those to Customer Match until you have re-consent from the rest.

  5. Add age exclusions — if your product could conceivably be used by under-18s, add age exclusions to your campaign targeting now, ahead of the Children’s Online Privacy Code finalisation.

For a broader view of how Google Ads tracking is set up correctly, see our Google Ads conversion tracking guide for Australia.


The Privacy and Other Legislation Amendment Act 2024 does not require you to stop using Google Ads — it requires you to use it with proper consent infrastructure, accurate privacy disclosures, and data retention practices that reflect what your business actually needs. The advertisers who are most exposed are those who have been collecting data under pre-2024 assumptions without updating their consent flows. The fix is straightforward if you do it proactively; far more painful if you are responding to an OAIC investigation or a statutory tort claim.

If you want a review of your Google Ads account’s data practices and compliance setup, get in touch with our team.


Frequently Asked Questions

Does the Privacy Act 2024 apply to small businesses running Google Ads?

The Privacy Act 1988 has historically exempted businesses with turnover under $3 million AUD. The 2024 amendments do not remove this small business exemption for most provisions. However, the new statutory tort for serious invasions of privacy applies to individuals and entities regardless of size — it is a private right of action, not a regulatory one. If a small business seriously invades someone’s privacy (e.g., extensive tracking without consent), the affected individual can sue regardless of turnover. Additionally, the Children’s Online Privacy Code, when finalised, is expected to apply broadly. Small businesses with any digital advertising presence should review their consent practices.

What counts as a “serious invasion of privacy” under the new statutory tort?

The Act sets out two types: intrusion upon seclusion (entering someone’s private space or monitoring their private activities) and misuse of private information (collecting, using, or disclosing someone’s private information). For Google Ads, the most relevant scenario is misuse of private information — collecting browsing behaviour, health interests, or other personal data via tracking pixels without adequate consent, then using that data to serve targeted advertising. Courts will assess whether the individual had a reasonable expectation of privacy and whether that expectation outweighs the advertiser’s purpose.

Google does not require Consent Mode for non-EU advertisers. However, given the 2024 Privacy Act amendments and the OAIC’s increasingly active enforcement posture, implementing Consent Mode is now best practice for Australian advertisers. It provides a documented, technically enforceable mechanism showing that users who declined tracking were not tracked — which is exactly the kind of evidence useful in a compliance inquiry.

How long can I keep users in a remarketing audience under Australian privacy law?

The Privacy Act requires that personal data is only retained for as long as necessary for the purpose for which it was collected. For most remarketing use cases, 30–90 days covers the sales cycle. Membership durations of 540 days (Google’s maximum) are rarely justifiable and represent a compliance risk. As a practical rule: set your membership duration to match your typical customer decision cycle, not Google’s maximum.

What is the Children’s Online Privacy Code and when will it apply?

The Act requires the Information Commissioner to develop a Children’s Online Privacy Code that will set specific standards for how entities handle the personal information of children under 18. The code is not yet finalised as of 2026. When enacted, it is expected to require age-appropriate privacy notices, restrictions on behavioural profiling of minors, enhanced consent standards, and possibly restrictions on certain targeting methods for campaigns that could reach children. Advertisers in education, entertainment, gaming, sports, and similar verticals should monitor the OAIC’s consultation process.
