Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A Privacy Notice?
- Do You Need A Privacy Notice Under Australian Law?
- Privacy Notice vs Privacy Policy vs Collection Notice: What’s The Difference?
- Step-By-Step: Implement Privacy Notices In Your Business
- Step 1: Map Your Collection Points
- Step 2: Decide The Minimum Info You Need
- Step 3: Draft Short, Contextual Notices
- Step 4: Review Your Privacy Policy And Align It
- Step 5: Build Clear Consent And Opt-Out Mechanics
- Step 6: Coordinate With Your Vendors
- Step 7: Train Your Team
- Step 8: Monitor, Test And Improve
- Common Mistakes To Avoid
- Example: A Simple Privacy Notice (Website Newsletter)
- How A Privacy Notice Fits With The Rest Of Your Legal Stack
- Key Takeaways
Collecting customer information is part of running a modern business - whether you’re taking online bookings, processing payments, or building a mailing list. But if you collect any personal information in Australia, you should be thinking about your privacy notice and how it’s presented to your customers.
Getting this right builds trust and keeps you on the right side of the law. The good news: a clear, well-placed privacy notice isn’t hard to implement once you understand the basics.
In this guide, we’ll explain what a privacy notice is (and how it differs from a Privacy Policy), when you need one, what to include, and practical steps to roll it out across your website, forms and in-store workflows.
What Is A Privacy Notice?
A privacy notice is the short, plain-English message you give people at the point you collect their personal information. It tells them what you’re collecting, why, how you’ll use it, and who you’ll share it with.
Think of it as the “just-in-time” summary your customers see right when they hand you their details - for example, next to a newsletter sign-up box, at online checkout, or on a paper client intake form. It complements (but doesn’t replace) your more detailed, publicly available Privacy Policy.
In Australia, transparency is a core principle of the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Even if your business isn’t currently required by law to comply with every APP (for example, some very small businesses fall below the threshold), being open and upfront with customers is still best practice and often expected by platforms, partners and larger clients.
Do You Need A Privacy Notice Under Australian Law?
Under the Privacy Act, organisations subject to the APPs must take reasonable steps to notify individuals when collecting their personal information. This is sometimes called a “collection notice.”
Even if you’re a small business that might be exempt in some circumstances, you may still have privacy obligations if you handle health information, operate in certain industries, or work with larger enterprise clients who require compliance contractually. Plus, expectations from customers (and regulators) are only moving in one direction - towards more transparency.
As a result, it’s smart to include a concise privacy notice wherever you collect personal information and back it up with a comprehensive Privacy Policy on your website. If you process data for overseas customers or partners, you may also need to consider frameworks like GDPR, which has specific notice requirements.
Privacy Notice vs Privacy Policy vs Collection Notice: What’s The Difference?
These terms can be confusing, so here’s a simple way to separate them:
- Privacy Notice: A short, context-specific message shown at the point of collection (e.g. “We collect your name and email to send you our monthly updates. See our Privacy Policy for details.”).
- Collection Notice: Another name often used for a privacy notice in Australian law. It’s the notification you provide under the APPs when you collect information.
- Privacy Policy: A full, public policy that explains in detail how your business manages personal information across the board - hosted on your site and linked from your notice. You can see what a tailored Privacy Policy typically covers.
In practice, you’ll use a brief notice before or as someone submits their details, and you’ll include a link to your full policy for anyone who wants the complete picture. If you need a more structured template for your notices, a dedicated Privacy Collection Notice can help you standardise language across forms, apps and workflows.
What Should Your Privacy Notice Include?
Your notice should be short and easy to understand. Aim for clear, direct statements that cover the essentials your customer cares about. At minimum, cover the following points.
1) What You’re Collecting
State the types of information you’re asking for in that specific context - for example, “name and email address,” “delivery address and phone number,” or “payment details.” If you’re collecting any sensitive information (like health information), call that out clearly.
2) Why You’re Collecting It (Primary Purpose)
Explain the main reason you need the information. Examples: “to create your account,” “to fulfil your order,” “to respond to your enquiry,” or “to send you updates you’ve requested.” Keep it specific to the form or touchpoint.
3) How You’ll Use It (Including Secondary Uses)
If you may also use the information for related purposes (e.g. internal analytics, service improvements, fraud prevention), say so simply. If marketing is part of your use, make that clear and provide an opt-in where required (and an opt-out in every marketing email, in line with Australia’s email marketing laws).
4) Who You’ll Share It With
Mention any third-party service providers relevant to that collection point (for example, payment processors, logistics providers, or email platforms). If you transfer information overseas through your vendors, your notice and policy should say so in clear terms.
5) Where To Find More Information
Link to your full Privacy Policy for details on storage, security, overseas disclosures, complaints and how to access or correct personal information.
6) How To Contact You
Briefly note how someone can contact your business with privacy questions or to exercise their rights (usually an email address listed in your policy). A simple line like “You can contact us at about your personal information” is enough in the notice.
7) Optional: Retention And Deletion
If it’s relevant to the specific collection (e.g. a limited-time competition entry), you can mention how long you’ll keep the information or that it will be deleted after the promotion. For broader retention rules, keep the detail in your policy and align it with your obligations under data retention laws and your internal practices.
Where (And How) Should You Present Your Privacy Notice?
Your notice should be visible where the collection happens. That sounds simple, but it’s often missed in live forms and workflows. Here are common places to include it and practical tips for each.
Online Forms And Checkouts
- Place the notice right near the submit button or form fields (not buried elsewhere).
- Include a link to your full policy and, if relevant, a separate opt-in tick box for marketing. Pre-ticked boxes aren’t a good idea.
- For mobile screens, keep copy concise so it fits without crowding.
Account Sign-Ups And Apps
- Present a short notice when a user creates an account or when the app first requests permissions (e.g. location data).
- If your app collects different types of information at different times, use layered notices: a brief message at each point, with links back to your policy.
In-Store Or Paper Forms
- Include a one- or two-sentence notice on the form itself and reference your policy (e.g. via a short URL or QR code).
- Train staff to answer basic questions (“Why do you need my phone number?”) in line with the notice.
Emails And Support Tickets
- If you’re asking customers to provide additional information by email or through a helpdesk portal, include a short reminder notice (or footer line) pointing to your policy.
- Consider adding an email disclaimer to reinforce confidentiality and handling expectations.
Step-By-Step: Implement Privacy Notices In Your Business
Rolling out effective notices across your organisation is easier if you treat it like a small project. Here’s a practical roadmap.
Step 1: Map Your Collection Points
List every place you collect personal information: website forms, app screens, checkout, customer support, trade show sign-ups, phone orders, contractor onboarding, and paper forms. This becomes your “notice coverage” checklist.
Step 2: Decide The Minimum Info You Need
Collect only what you need for the purpose. This “data minimisation” approach is good privacy hygiene and reduces risk. It also makes your notice shorter and simpler to read.
Step 3: Draft Short, Contextual Notices
Create one to two lines for each collection point that cover what, why, how you’ll use or share it, and a link to your policy. If you want a standardised format across forms, prepare a reusable Privacy Collection Notice template and adapt it as needed.
Step 4: Review Your Privacy Policy And Align It
Your notices and your policy should be consistent. If your business has changed (new marketing stack, overseas vendors, or a switch to new analytics tools), update your Privacy Policy so it reflects your current practices.
Step 5: Build Clear Consent And Opt-Out Mechanics
For marketing emails and SMS, ensure people are opting in appropriately and can opt out easily. This aligns with Australia’s email marketing laws and keeps your audience engaged on their terms.
Step 6: Coordinate With Your Vendors
Many small businesses use third-party platforms for payments, marketing and support. Make sure your notices reflect that you use those providers and, where appropriate, put a Data Processing Agreement (or similar data handling terms) in place with key suppliers.
Step 7: Train Your Team
Front-line staff should know how to explain why you’re collecting information and where customers can find your policy. Keep a short script or FAQ handy.
Step 8: Monitor, Test And Improve
Check if notices display correctly on mobile and desktop, make sure links work, and test the user journey end-to-end. Review your notices periodically as tools and processes evolve.
Ongoing Compliance: Beyond The Notice
A great privacy notice is one part of doing privacy well. The rest is how you actually handle data day-to-day. Here are areas to cover so your notice aligns with reality.
Have A Plan For Incidents And Breaches
Mistakes happen - an email sent to the wrong list, a lost device, or a vendor outage. Prepare a clear process for identifying, assessing and responding to incidents. A tailored data breach response plan helps your team act quickly and consistently if something goes wrong.
Set Internal Policies And Security Standards
Your notice should match solid internal practices. Consider policies for access control, encryption, and staff training, supported by an Information Security Policy and records of who has access to what. Good security underpins the promises you make in your notices.
Work With Your Suppliers Properly
If you share personal information with service providers (email platforms, CRMs, cloud storage), make sure they meet your standards and that your contracts address privacy and security. A Data Processing Agreement can set clear rules about how your vendors handle your customers’ data.
Manage Retention And Deletion
Only keep personal information for as long as you need it, and then securely delete or de-identify it. Align your practice with Australian data retention laws and reflect the approach in your Privacy Policy and internal procedures.
Handle Requests And Complaints Promptly
Be ready to respond if a customer asks for access to their information, requests a correction, or lodges a complaint. Having a clear privacy complaint handling procedure helps you respond consistently and on time.
Consider International Frameworks If You Operate Globally
If you target or process data about people in the EU or UK, you’ll likely need to meet additional notice and consent requirements. Planning ahead with a practical GDPR approach can save headaches later.
Common Mistakes To Avoid
Here are pitfalls we see often - and how to steer clear.
- Hiding the notice: If customers can’t see your notice at the point of collection, they can’t make an informed decision. Keep it visible, concise and close to the submit action.
- Using one generic paragraph everywhere: A shipping address form needs different wording to a competition entry or patient intake form. Tailor your message to the context.
- Over-collecting data: Asking for more information than you need increases risk and discourages sign-ups. Trim fields to essentials.
- Mismatch between notice and reality: If you say you don’t share data with third parties but your email platform or payment gateway processes that data, you’re creating a compliance gap. Align your tech stack, contracts and words.
- Forgetting offline touchpoints: Paper forms, phone scripts and pop-up events need notices too. Don’t leave them out.
- No process for changes: As your business evolves, so do your data flows. Review notices and your policy when you change tools, add features, or expand to new regions.
Example: A Simple Privacy Notice (Website Newsletter)
Here’s a plain-English example you could adapt for a newsletter sign-up form:
“We’ll use your name and email to send you our monthly newsletter and occasional updates. You can unsubscribe at any time. For how we manage personal information, see our Privacy Policy.”
This covers what you’re collecting, why, and points to your policy. If you also use a third-party email platform that stores data overseas, you could add: “We use to manage our emails, which may store your information outside Australia.”
How A Privacy Notice Fits With The Rest Of Your Legal Stack
Your privacy notice doesn’t live in isolation. It sits alongside policies and contracts that help you meet your obligations and protect your business overall. In addition to your Privacy Policy and Privacy Collection Notice, consider whether you also need:
- Website Terms: To set the rules for site use and limit liability, often paired with your policy if you collect data online.
- Customer Terms: Clear terms about your products or services (including how you handle refunds under the Australian Consumer Law).
- Supplier Agreements: Contracts that address confidentiality and data handling, supported by a Data Processing Agreement where appropriate.
- Information Security Policy: Internal standards and responsibilities for staff and contractors, including access control and incident response - see Information Security Policy.
- Data Breach Response Plan: A playbook for identifying, containing and notifying incidents in line with Australia’s Notifiable Data Breaches scheme - see data breach response plan.
If your business also relies on data-driven tools, consider the legal implications of automated scraping or enrichment practices and ensure they align with your policy (this includes issues such as web scraping and compliance with platform terms).
Key Takeaways
- A privacy notice is the short, plain-English message you show at the point you collect personal information; it complements your full Privacy Policy.
- Under Australia’s privacy framework, transparency is key - use notices that clearly explain what you collect, why, how you use and share it, and where to find more information.
- Place notices where collection happens: website forms, app screens, checkouts, paper forms and support channels.
- Back your notices with strong internal practices: security standards, vendor terms like a Data Processing Agreement, retention controls aligned with data retention laws, and a data breach response plan.
- Tailor notices to each collection point and keep them consistent with your policy and actual data flows.
- Regularly review and update your notices as your tools, processes and markets change - especially if you start handling overseas data or fall under GDPR.
If you’d like a consultation on drafting a privacy notice, Privacy Policy and the right data protection documents for your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.