The accessibility of the online world has opened doors for businesses and their customers alike. However, operating online comes with its own set of rules. 

If your business has a website, then you want to make sure it’s compliant with privacy laws. Following the correct rules and regulations can save you from complaints and penalties down the line. 

What Is A Privacy Policy?

A Privacy Policy lets users of your website know that you are complying with the Privacy Act 1988. It’s basically your way of assuring anyone who uses your website that their information is protected and not misused for other purposes (unless you disclose  them, of course). 

Do I Need A Privacy Policy On My Website? 

You might be legally required to have a privacy policy on your website. This depends on your business. 

If you have a business that is operating in Australia and has an annual turnover of more than $3 million, then you are legally required to have a privacy policy on your website. This is because you are classified as a business to which the Privacy Act applies. 

There are exceptions to this rule:  

  • If you are a health service provider or your business possesses the health information of others (for example, NDIS providers are often required to collect health information)   
  • If operating under a business that requires you to collect personal information
  • If you are operating under a commonwealth contract 

The general rule is that if your business is collecting personal information from people, you need to have a Privacy Policy in place and adhere to other requirements set out by privacy laws in Australia. 

This includes names, phone numbers and addresses. 

Therefore, if your website collects information from those visiting it, such as emails, phone numbers, names and addresses then you fall under the exception and need to adhere to privacy laws. 

What Does A Privacy Policy Look Like? 

A privacy policy is essentially a written statement. It is usually displayed on the screen or anywhere that is easy for users to view and access. 

A privacy statement should include your business name and how to contact you. Additionally, it needs to cover details about the information that is being collected. 

This includes:

  • The kind of information being collected
  • The purpose of collecting it
  • How it will be stored
  • How it will be used
  • Consequences if not collected

A privacy policy should also include the process for complaints when a visitor has felt their information has been misused as well as a way to access that information and make any corrections if need be. 

Essentially, your privacy policy should aim to be as transparent as possible with your customers or website users about  how you will manage their information. If you’re still unsure, you can always chat to one of our privacy lawyers. 

The Privacy Act 

The Privacy Act has thirteen Australian Privacy Principles. These principles set guidelines for handling information online, namely, the collection of information, transparency, protection, access and accuracy of the information. 

It outlines the responsibility of a business to take reasonable steps to ensure that they have met all their obligations regarding website privacy. 

Additionally, the principles also deal with disclosing information overseas. Even if your business is established in Australia and you’re expanding overseas, it’s vital to be familiar with these practices. 

Is This Legally Enforceable? 

The Office of the Australian Information Commissioner (OAIC) handles any claims of breaches of the APP. If there are multiple breaches, they do have the power to impose civil penalties on businesses. 


The EU General Data Protection Regulation (GDPR) is the document which provides online privacy for web users based in the European Union. 

Even if you’re based in Australia, if your business expands its practices to the EU, then the GDPR is applicable to you. The GDPR has a comprehensive list of requirements for a privacy policy. 

According to the GDPR, a privacy policy must be transparent, accessible, easy to understand, delivered in a timely manner and free for all users to view. Furthermore, it has stronger requirements on what must be shared on a privacy policy. If you are providing business to nations in the EU, your privacy policy must contain information such as how long data will be stored, recipients of the data and listing any third parties to the data. 

Non-compliance with the regulations will result in a heavy financial penalty of either €20 million or 4% of your global revenue. 

Even if your business does not plan on expanding to the EU, the guidelines they have provided are far more succinct and detailed. Using these as guidelines could make your privacy policy a lot more iron clad in terms of what you’re covering. 

How Serious Are They? 

The GDPR has fined major companies before for breaching privacy policies. In 2021, it was reported GDPR had fined Amazon $877 million dollars for a matter apparently regarding cookie consent. The fine was issued and Amazon was requested to make subsequent changes to its practices. 

This goes to show just how serious privacy laws are taken across the globe. Even if your business is not required to comply with the Privacy Act, it is highly recommended that you have a privacy policy in place as a protective measure for your business. 

What Other Policies Might I Need?

There are a number of other policies that may or may not be legally required of your business to include. However, there’s always a benefit to consider including these policies with or alongside your privacy policy. 

Cookies remember information and a user’s browsing history. So, it’s a common way for websites to store a user’s information and monitor their online activity. 

As such, it’s advisable to be transparent about this and include it in your Cookie Policy

Cyber Security Policy

A cyber security policy is something every business should have. Even if your business is not an ecommerce business, it is common for you to have some online element that requires compliance with privacy laws. 

This is particularly important if your business requires any handling of information from customers such as personal information, credit cards numbers and cookies. A cyber security policy will aim to protect all that information from potential hackers and scammers. 

Data Breach Response Plan 

Once you have obtained the personal information of another person, you are responsible for that information. It is crucial that you have a plan in place to protect that information. 

If a breach were to occur, then you would need to have a process ready. A Data Breach Response Plan is the best way to do this. Rather than panic, having the right steps in place can prevent further damage from happening. 

Confidentiality Clauses

A confidentiality clause is a binding agreement to keep particular information private. If you are giving a third party access to information and don’t feel the privacy act fully covers your requirements, then you may want to consider having a lawyer help you draft a confidentiality clause. 

This can also apply to employees of your business who have access to trade secrets and other valuable inside information that could potentially threaten your competitive edge in the market. 

Where Do I Begin? 

Privacy for anyone visiting your website is of utmost importance as you will likely find yourself handling some form of personal information. So, it’s essential that you craft the right Privacy Policy and appropriate response plans for any threats to your customers’ privacy. 

If you would like a consultation on how your business can go about your privacy obligations or a privacy policy, you can reach us at 1800 730 617 or for a free, no-obligations chat.

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're Australia's fastest growing law firm and operate entirely online.

(based on Google Reviews)
Do you need legal help?
Get in touch now!

We'll get back to you within 1 business day.

  • This field is for validation purposes and should be left unchanged.

Related Articles