Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A Privacy Policy In Australia?
- Do You Need A Privacy Policy?
- How To Write A Privacy Policy: Step-By-Step
- What Should Your Privacy Policy Include?
  - Who You Are And How To Contact You
  - What Personal Information You Collect
  - How You Collect It
  - Why You Collect It (Purposes)
  - Use And Disclosure To Third Parties
  - Overseas Disclosure
  - Cookies, Analytics And Tracking
  - Direct Marketing
  - Security Measures
  - Retention And Deletion
  - Access And Correction
  - Complaints Handling
  - Notifiable Data Breaches
  - Changes To This Policy
- Website And App Considerations
- Common Mistakes (And How To Avoid Them)
- Essential Documents To Support Your Privacy Policy
- Template Outline: A Privacy Policy You Can Build On
- Privacy Law FAQs For Australian Small Businesses
- Maintaining And Operationalising Your Privacy Policy
- Key Takeaways
If your business collects names, emails, phone numbers, payment details or any other information that can identify a person, you need a clear plan for handling that data - and you’ll almost certainly need a Privacy Policy.
A well-written Privacy Policy isn’t just a legal checkbox. It builds trust with customers, reduces regulatory risk, and sets a consistent internal standard for your team.
In this guide, we’ll walk you through how to write a Privacy Policy in Australia step-by-step, what it must include, and the common mistakes to avoid. We’ll also cover related documents you should have in place to properly back up your privacy commitments.
What Is A Privacy Policy In Australia?
A Privacy Policy is a public statement that explains how your business collects, uses, discloses and protects personal information. In Australia, it’s shaped by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), which set out obligations like transparency, security and access to information.
Even if your small business isn’t technically required to comply with the Privacy Act (more on that below), customers expect to see a clear Privacy Policy - especially if you sell online, run a web form, use cookies, or do email marketing.
Your Privacy Policy should be tailored to your operations (not copied from someone else) and written in plain English so customers can actually understand it.
Do You Need A Privacy Policy?
Under the Privacy Act, businesses with annual turnover of more than $3 million are generally required to comply with the APPs, including having a Privacy Policy (APP 1).
Many small businesses under $3 million are also required to comply if they fall into specific categories, including businesses that:
- Provide health services (including allied health, fitness, wellness and many app-based services)
- Trade in personal information (e.g. sell or purchase mailing lists)
- Handle Tax File Numbers (TFNs) or credit reporting information
- Are contractors to the Commonwealth or a Commonwealth agency
Even if you sit outside these categories, it’s still best practice to have a Privacy Policy if you collect personal information. Customers expect it, app stores and third‑party platforms may require it, and it helps you standardise how your team handles data day-to-day.
How To Write A Privacy Policy: Step-By-Step
The most effective way to write a Privacy Policy is to first map your data flows, then translate that into clear, customer-friendly disclosures that align with the APPs.
1) Map Your Data
List out the types of personal information you collect, where you collect it, why you collect it, where it’s stored, who can access it, and when it’s deleted. Include your website, app, point-of-sale, email, analytics tools, CRM, payment gateways, and any integrations.
This exercise will drive accurate, specific disclosures (and often reveals quick wins to reduce data risk).
2) Identify The Legal Frameworks That Apply
For most Australian businesses, the Privacy Act and APPs will be the primary framework. Consider whether other laws also apply to how you use personal information, such as the Spam Act 2003 (Cth) for email and SMS marketing, State and Territory health records laws if you handle health information, or overseas privacy laws (for example the GDPR) if you target offshore users.
3) Draft Clear, Plain-English Sections
Your Privacy Policy should be structured around the key topics customers care about (and the APPs require). Use headings, short paragraphs and straightforward language.
4) Align Internal Processes To Your Policy
Your policy is only as good as your practices. If you say you’ll action access or correction requests within 30 days, make sure your team can actually do it. If you commit to deleting data on request, have a process to follow through.
5) Publish And Keep It Up-To-Date
Host the policy on your website or app, link it in your footer and anywhere you collect data, and add a “Last updated” date. Review it regularly or whenever you change how you collect or use information.
What Should Your Privacy Policy Include?
Here are the essentials most Australian small businesses should cover. Tailor each item to your actual practices:
Who You Are And How To Contact You
State your full legal name, ABN and contact details for privacy enquiries. If you have a Privacy Officer, list their email address.
What Personal Information You Collect
Describe the types of personal information you collect, for example: names, contact details, order history, payment information (noting what’s handled by third-party gateways), support communications, device identifiers, and behavioural data (analytics).
How You Collect It
Explain your sources: website forms, checkout pages, phone/email, social media, cookies/SDKs, third-party partners, and CCTV if applicable. If you collect information about someone from another person (e.g. a referral), say so.
Why You Collect It (Purposes)
Be specific about your purposes: providing products and services, processing orders and payments, customer support, personalising experiences, analytics and product improvement, direct marketing, fraud prevention, and legal compliance. Avoid vague “catch-all” phrases.
Use And Disclosure To Third Parties
Identify the categories of third parties you disclose to (not necessarily by name): payment processors, cloud hosting providers, marketing platforms, analytics providers, logistics/fulfilment partners, professional advisors and regulators. Explain why disclosures happen and any limits you place on these partners.
Overseas Disclosure
If personal information is stored or accessible outside Australia (common with global SaaS or support teams), say so in your policy and, where practicable, name the countries (or at least the regions) where recipients are likely to be located, as APP 1.4 requires. Also explain how you protect that data before it goes offshore (e.g. contractual safeguards and vendor due diligence), because under APP 8 you generally remain accountable for how an overseas recipient handles it.
Cookies, Analytics And Tracking
Explain your use of cookies or SDKs for essential site functions, performance analytics, and advertising/retargeting. Link to your Cookie Policy if you maintain one and note how users can manage preferences.
Direct Marketing
Set out how you use personal information for marketing, how people can opt out, and how you comply with the Spam Act (e.g. unsubscribe links in emails and a clear way to stop SMS). It’s worth aligning this section with your approach to email marketing laws.
Security Measures
Describe in plain terms the reasonable steps you take to protect personal information, as APP 11 requires (e.g. encryption in transit and at rest, role-based access controls, MFA, staff training). Focus on outcomes and standards rather than naming specific products or versions: tool names date quickly, and a public inventory of your security stack is more useful to an attacker than to a customer.
Retention And Deletion
Explain how long you keep personal information and the criteria you use (legal obligations, operational needs, account activity), and summarise how you destroy or de-identify it once it is no longer needed for a permitted purpose, as APP 11.2 requires.
Access And Correction
Outline how individuals can request access to their information (APP 12) or ask for corrections (APP 13), including how they can contact you, how you verify the requester's identity before releasing anything, and the timeframe they can expect a response in.
Complaints Handling
Explain how to make a privacy complaint to you, your process and timeframes for responding, and that the individual can escalate to the Office of the Australian Information Commissioner (OAIC) if they’re not satisfied.
Notifiable Data Breaches
Briefly note your approach to assessing suspected data breaches and notifying affected individuals and the OAIC where required under the Notifiable Data Breaches scheme. Under the scheme, an entity must complete its assessment of a suspected eligible data breach within 30 days of becoming aware of it and, if the breach is likely to result in serious harm, notify the OAIC and affected individuals as soon as practicable.
Changes To This Policy
Tell users how you’ll notify them about material updates (e.g. posting on your website and updating the date, or emailing affected users for significant changes).
Website And App Considerations
Your online touchpoints are often the first place customers look for privacy information. Make your Privacy Policy easy to find and consistent with your actual tech stack.
Placement And Consent
- Link the Privacy Policy in your website footer, sign-up forms, checkout pages and app store listings.
- If you use cookies beyond strictly necessary, consider a cookie banner with clear choices and a link to your policy.
- Make sure consent mechanisms (e.g. “I agree” boxes) are not pre-ticked and link to the relevant policies.
Connect The Dots With Other Terms
Privacy doesn’t live in a silo. Ensure your Privacy Policy aligns with your Website Terms and Conditions, refund/returns statements, and your marketing practices. Inconsistencies can amount to misleading conduct under the Australian Consumer Law.
Use Of Third-Party Tools
If you embed third-party tools (analytics, chat widgets, payment gateways), confirm they are configured in a privacy-conscious way and reflect them accurately in your policy. Keep a register so you can update disclosures as vendors change.
Common Mistakes (And How To Avoid Them)
Here are pitfalls we regularly see - and how you can steer clear.
- Copying a competitor’s policy: Their data flows, vendors and risk profile will differ. Start with your own data map and tailor every section.
- Promising the world: Over-committing (e.g. “we never share data with third parties”) can be false if you use hosting, analytics or support tools. Be accurate and specific.
- Skipping overseas disclosures: If your tools store or access data offshore, you must address this under APP 8.
- Ignoring marketing laws: Privacy and the Spam Act interact. Build opt‑in, consent and unsubscribe features into your sign‑up and messaging flows from day one.
- Forgetting internal alignment: Your team needs clear processes for access/correction requests, complaint handling and breach response. The policy should match your playbook.
- Set‑and‑forget: Review your policy when you launch new features, change vendors, expand to new countries or start new marketing programs.
Essential Documents To Support Your Privacy Policy
A strong Privacy Policy is supported by internal processes and a small suite of companion documents. Depending on your business model, consider putting the following in place:
- Privacy Policy: Your public-facing statement explaining how your business handles personal information under the APPs.
- Privacy Collection Notice: A short notice shown at the point of collection (e.g. sign-up forms) highlighting key information like purposes, disclosures and contact details for queries.
- Data Breach Response Plan: An internal playbook outlining roles, timelines and steps to identify, contain, assess and notify if a breach occurs.
- Data Processing Agreement: Contracts with vendors who process personal information on your behalf (cloud providers, CRMs, marketing platforms) to ensure proper data safeguards and compliance.
- Cookie Policy: A clear explanation of the cookies and similar technologies you use, why you use them, and how users can manage preferences.
- Website Terms and Conditions: The rules for using your website or platform, working alongside your Privacy Policy to manage risk and user expectations.
You may also need internal policies and training for staff, data retention schedules, and vendor due diligence processes so that your day-to-day handling of personal information actually matches your public commitments.
Template Outline: A Privacy Policy You Can Build On
Here’s a simple structure you can adapt to your business. Remember to tailor it to your data map and operations.
- About Us (legal name, ABN, contact details)
- Types Of Personal Information We Collect
- How We Collect Personal Information
- Why We Collect, Use And Disclose Personal Information
- Disclosures To Third Parties (by category) and Overseas Recipients
- Cookies And Online Analytics
- Direct Marketing And Opt-Outs
- How We Keep Personal Information Secure
- Data Retention And Deletion
- Accessing And Correcting Your Information
- Complaints Handling
- Notifiable Data Breaches
- Changes To This Policy
- Contact Us
Privacy Law FAQs For Australian Small Businesses
Do I need consent to collect personal information?
Not always. Under the APPs, consent is required in particular scenarios (e.g. for sensitive information), but many routine collections are lawful without express consent if reasonably necessary for your functions and collected by fair means. That said, clarity and choice build trust - use concise notices and avoid surprise uses.
What about email and SMS marketing?
Marketing is regulated by the Spam Act. You generally need consent (express or inferred in limited cases), clear sender ID and a functional unsubscribe for each message. Ensure your Privacy Policy and sign‑up flows reflect how you handle consent and opt‑outs, and align with your approach to email marketing laws.
How long should we keep personal information?
Only as long as needed for your purposes and legal obligations. Define practical retention periods (for example, active account data vs. dormant accounts) and implement deletion or de‑identification processes that you can actually follow.
Do we have to notify people about cookies?
In Australia, the Privacy Act doesn’t mandate cookie banners per se, but transparency is required. If you use non-essential cookies or ad tech, it’s good practice to provide clear disclosures and controls (banner or preference centre) and a supporting Cookie Policy.
Maintaining And Operationalising Your Privacy Policy
Once your Privacy Policy is published, focus on embedding it in your operations so it remains accurate and useful.
- Assign ownership: Nominate a privacy lead to coordinate updates, training and vendor reviews.
- Review cadence: Check your policy when you adopt new tools, change markets or launch new features.
- Test your processes: Run a mock access request or breach drill to see if your team can deliver what your policy promises.
- Vendor governance: Keep contracts and data maps up to date, and ensure processors meet your security and privacy standards via a current Data Processing Agreement.
- Marketing alignment: Reconcile your consent records, list hygiene and unsub processes with what your policy and the Spam Act require.
Key Takeaways
- A Privacy Policy is a clear, public summary of how you handle personal information and is required for many Australian small businesses.
- Start by mapping your data flows, then write plain‑English disclosures that align with the Australian Privacy Principles.
- Cover what you collect, how and why you use it, disclosures (including any overseas), security, retention, marketing, access/correction and complaints.
- Make your policy easy to find on your website or app and align it with your marketing, cookies and terms.
- Back up your policy with practical tools and documents like a Privacy Collection Notice, Data Breach Response Plan and vendor Data Processing Agreements.
- Review and update regularly as your business, vendors and regulations evolve.
If you’d like help drafting or reviewing a Privacy Policy tailored to your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligations chat.