Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Collecting customer data is part of running almost every modern business. Whether you’re taking online orders, building a mailing list or onboarding new clients, you’re handling personal information.
That’s why having a clear, legally-compliant company privacy policy is essential. It protects your customers, builds trust, and helps your business meet its obligations under Australian law.
In this guide, we’ll explain what a company privacy policy is, when you legally need one in Australia, what it should include, and how to roll it out properly across your website, app and internal processes. We’ll also cover the related documents and practices that round out a strong privacy compliance program.
What Is A Company Privacy Policy In Australia?
A company privacy policy is a public-facing statement that explains how your business collects, uses, stores and discloses personal information, and how individuals can access or correct their data or make a complaint.
In Australia, privacy policies are shaped by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). These principles set out rules for the full lifecycle of personal information, from collection at the front door to secure disposal at the end.
For small businesses, a well-written policy does more than tick a legal box. It makes your data practices transparent, reduces customer friction, and gives your staff a clear reference point for handling personal information day to day.
Do You Legally Need A Privacy Policy?
In Australia, many businesses must comply with the Privacy Act and have an APP-compliant privacy policy. You are generally required to comply if your business:
- Has an annual turnover of more than $3 million; or
- Provides health services and holds health information (regardless of turnover); or
- Trades in personal information (e.g. sells, purchases or exchanges personal data); or
- Is a contractor providing services to the Australian Government; or
- Handles tax file numbers (TFNs) or credit information in certain contexts.
Even if you’re technically below the $3 million threshold and don’t meet an exception, a privacy policy is still best practice. In reality, many partners and platforms require it (for example, payment gateways, marketplaces and ad networks). Customers also expect to see a clear policy before sharing their data.
If you are in scope, your policy needs to meet the APPs. If you’re not strictly in scope, it’s still smart to align your policy with the APPs: this keeps you future-proof as your business grows and prepares you for contracts that may impose APP-like obligations.
If you need help drafting an APP-aligned policy that fits your operations, you can put a tailored Privacy Policy in place quickly and confidently.
What Should A Company Privacy Policy Include?
An APP-compliant privacy policy must be accurate, easy to understand and cover key areas. As a starting point, your policy should address:
1) Who You Are And How To Contact You
Identify your legal entity (company name and ABN) and provide contact details for privacy enquiries and complaints.
2) What Personal Information You Collect
Explain the types of information you collect (e.g. names, contact details, payment information, account data, support interactions, device data, location data, health information if applicable). Be specific to your business model.
3) How You Collect It
Describe your collection methods (online forms, checkout, cookies, analytics, support channels, in-person). If you collect from third parties (e.g. marketing partners) or publicly available sources, say so.
4) Why You Collect It (Purposes)
Set out your purposes in plain English: providing goods/services, processing payments, customer support, marketing (including email/SMS), analytics, security/fraud prevention, and legal compliance.
5) Whether Collection Is Required Or Optional
If some information is optional but other details are required to provide your services, explain the difference and the consequences of not providing required information.
6) Disclosures To Third Parties
List the kinds of service providers you share data with (e.g. payment processors, hosting and cloud services, analytics, email platforms, support tools) and the purposes of those disclosures. If you disclose to professional advisers or for legal reasons, include that too.
7) Cross-Border Transfers
If you send information overseas (for example, to cloud servers or service providers in other countries), identify those locations where practicable and explain how you ensure appropriate safeguards.
8) Direct Marketing And Opt-Outs
Be transparent about your direct marketing practices, how people can unsubscribe, and how you handle marketing preferences. Align this with your systems for managing opt-outs.
9) Cookies And Analytics
State that you use cookies and similar technologies. A concise overview in your policy can be paired with a standalone, more detailed Cookie Policy and consent banner on your site if appropriate.
10) Access, Correction And Deletion
Explain how individuals can access the information you hold about them, request corrections, or ask for deletion where applicable (subject to legal retention requirements).
11) Security And Storage
Describe the measures you take to protect personal information (administrative, technical and physical safeguards) and outline how long you keep it, with reference to your obligations under data retention laws.
12) Complaints Handling
Outline how people can make a privacy complaint to you and your process for responding. Include a note about escalation to the Office of the Australian Information Commissioner (OAIC) if they are not satisfied.
13) Updates To The Policy
Say when the policy was last updated and how you will communicate future changes.
Step-By-Step: How To Write And Roll Out Your Privacy Policy
Step 1: Map Your Data Flows
Before drafting, document what you collect, where it comes from, where it’s stored, and who it’s shared with. Include your website, app, CRM, payment gateway, analytics tools, helpdesk and any offline processes.
This data map is the foundation for a policy that’s accurate and useful. It also highlights gaps in consent, security or retention that you can fix before publication.
Step 2: Draft A Policy That Matches Your Business
Use your data map to write in plain English about your practices. Avoid copy-pasting generic policies; they rarely fit and can be misleading.
Ensure the core APP topics above are covered, and tailor each section to your actual processes. If you need a robust, tailored document, a lawyer-drafted Privacy Policy aligned with your sector and tech stack is the most reliable option.
Step 3: Add A Privacy Collection Notice At Key Touchpoints
In addition to your full policy, show a short-form notice wherever you collect personal information (e.g. sign-up, checkout, contact forms). This should summarise what you collect, why, and link to the full policy. A tailored Privacy Collection Notice helps you comply with the APPs without overwhelming users.
Step 4: Update Your Website And App
Place the policy in your footer, checkout, and sign-up flows, and reference it in your account or settings pages. If your platform uses cookies and trackers, pair the policy with a visible banner and, where appropriate, a separate Cookie Policy.
While you’re updating your site, make sure your Website Terms and Conditions are also in place so you’re clear about user conduct, IP ownership and liability on your website.
Step 5: Align With Your Vendors (Data Processors)
If you use third-party tools that process personal information on your behalf (e.g. cloud hosting, email and analytics providers), put a Data Processing Agreement (DPA) in place. A DPA sets out how your vendors handle security, sub-processors, cross-border transfers and breach reporting, so your obligations to customers are supported by your supply chain.
Step 6: Train Your Team And Embed Processes
Make sure staff who handle personal information know what the policy says and how to action it. Train on access and correction requests, opt-out handling, secure disposal, and how to recognise a potential data breach.
Step 7: Prepare For Incidents
Data breaches can happen even with good security. Have a practical Data Breach Response Plan that sets out roles, timelines and notification steps under Australia’s Notifiable Data Breaches scheme. Running a table-top exercise can help ensure your team knows what to do under pressure.
Step 8: Review Regularly
Revisit your policy and processes at least annually, and whenever you change tools, expand offshore, launch a new product, or shift your marketing stack. Regular reviews keep your public promises aligned with reality.
Privacy Compliance Beyond The Policy: What Else Should You Put In Place?
A strong company privacy policy is the centrepiece of compliance, but it’s most effective when supported by a few other documents and practices.
- Privacy Collection Notice: The concise notice that appears at data collection points. Pair it with your full policy to meet APP requirements. You can tailor this using a Privacy Collection Notice template aligned to your forms and funnels.
- Website Terms and Conditions: Set out the rules for use of your site or platform, your IP rights, disclaimers and limitations of liability in your Website Terms and Conditions.
- Cookie Policy and Consent Banner: Be transparent about cookies, analytics and advertising technologies. A standalone Cookie Policy supports clarity and consumer trust.
- Vendor and Processor Contracts: Where a vendor processes personal information for you, use a Data Processing Agreement to lock in security standards and breach notifications.
- Data Retention Policy: Keep data only as long as you need it, and securely dispose of it when you don’t. Align your practices with relevant data retention laws.
- Data Breach Response Plan: Document how you identify, assess and respond to suspected breaches with a practical Data Breach Response Plan.
If you send commercial emails or SMS, ensure your marketing flows respect consent and opt-out requirements, and that your policy accurately reflects your practices. Keeping your public commitments and your operational reality in sync is critical.
Common Mistakes To Avoid With A Company Privacy Policy
We regularly see small businesses stumble on a few avoidable issues. Here’s how to stay on track:
- Copying A Generic Template: A one-size-fits-all policy rarely matches your actual data flows. Mismatches create legal risk and undermine trust. Tailor your policy to your systems, vendors and purposes.
- Burying Consent And Opt-Outs: Make opt-outs easy and visible. Ensure unsubscribe links work and are promptly actioned across all tools (email platform, CRM and any copies of your contact lists held in other systems).
- Forgetting To Update As You Scale: New features, analytics tools, or cross-border vendors can change your privacy posture overnight. Review your policy and vendor contracts when you change your tech stack.
- Over-Promising On Security: Be accurate about your measures. Don’t make claims you can’t back up in practice. Focus on what you actually do (access controls, encryption at rest/in transit, staff training).
- Ignoring Third-Party Risk: Your obligations don’t end at your firewall. Use a Data Processing Agreement and vendor assessments to ensure processors protect your customers’ information to your standard.
- No Plan For Breaches: Time is critical in an incident. Without a clear Data Breach Response Plan, small issues can escalate, and you may miss mandatory notifications.
- Policy Doesn’t Match The Website: If you say you don’t use cookies but your site drops trackers on first load, you’ve created a compliance (and credibility) issue. Align your Cookie Policy, consent banner and actual scripts.
- Overlooking Linked Documents: Your privacy policy should be consistent with your Website Terms and Conditions and any product or service terms that reference data usage.
How To Keep Your Privacy Policy Practical (And Not Just Legal)
Compliance is non-negotiable, but the most effective privacy policies are also customer-friendly and operationally useful. A few tips:
- Write For Humans: Use plain English and short paragraphs. Avoid jargon, and explain any technical terms you need to use.
- Make It Actionable For Staff: Tie the policy to internal procedures. For example, include a simple workflow for access/correction requests and a named point of contact.
- Surface The Essentials At The Right Time: Use a short Privacy Collection Notice at forms and checkout, while keeping the full policy one click away.
- Be Transparent About Marketing: Tell users what they’ll receive and how often, and honour their choices quickly.
- Close The Loop: After updates, test your consent flows, opt-out links, and cookie banner across devices and browsers to make sure everything works as promised.
If you’re unsure how to translate legal requirements into simple, real-world processes, it’s worth getting tailored advice so your documents and operations line up from day one.
Key Takeaways
- A company privacy policy explains how you collect, use, store and disclose personal information and is required for many Australian businesses under the Privacy Act and APPs.
- Even if you’re a small business under the $3 million threshold, a clear, APP-aligned policy is best practice and often required by partners, platforms and customers.
- Cover the essentials: who you are, what you collect, how and why you use it, third-party disclosures, cross-border transfers, direct marketing, cookies, access/correction, security, retention and complaints.
- Make your policy operational: map data flows, add a Privacy Collection Notice at forms, align vendors with a Data Processing Agreement, and prepare a Data Breach Response Plan.
- Keep your website consistent by pairing your policy with up-to-date Website Terms and Conditions and a clear Cookie Policy.
- Review regularly as your tools and products evolve, and align your practices with Australian data retention laws and customer expectations.
If you’d like a consultation on drafting or updating your company privacy policy for Australia, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.