Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re building a startup or small business, you’ll almost certainly handle customer data at some point. It might be as simple as taking online enquiries, collecting email addresses for a newsletter, or processing orders through your website. But the moment you collect information that can identify a person, privacy stops being “just paperwork” and becomes a real legal and trust issue for your business.
A well-written privacy policy does two important jobs at once. First, it helps you meet your legal obligations (including obligations under Australian privacy law, depending on your business). Second, it helps customers feel comfortable buying from you, signing up, or downloading your app.
Below, we’ll walk you through what privacy policies are, when you need one, what to include, and the common mistakes we see Australian businesses make when they copy-and-paste something generic.
What Is A Privacy Policy (And Why Do Small Businesses Need One)?
A privacy policy is a document (usually published on your website or app) that explains:
- what personal information you collect
- how and why you collect it
- how you store and use it
- who you share it with
- how a person can access or correct their information
- how a person can make a complaint if they’re unhappy with how you handle their information
From a practical perspective, a privacy policy is about transparency. You’re telling customers, “Here’s what we do with your information,” in plain terms.
From a legal perspective, your privacy policy can be a key part of your compliance framework. Many small businesses assume privacy obligations only apply to big corporates. In reality, startups and small businesses often collect a lot of data quickly (especially through websites, analytics, CRMs, email marketing tools, and online payments).
If you collect personal information and don’t have a privacy policy (or you have one that doesn’t match what you actually do), you’re creating risk you don’t need. A properly drafted Privacy Policy is one of those foundation documents that can save you headaches later.
Do You Legally Need A Privacy Policy In Australia?
This is the big question, and the honest answer is: it depends on your business and how you handle personal information.
In Australia, privacy obligations mainly come from the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Whether the Privacy Act applies to you will depend on factors like your turnover, your activities, and the type of information you handle.
When The Privacy Act Is More Likely To Apply
Many startups and small businesses will be caught by the Privacy Act if they:
- have an annual turnover of more than $3 million
- provide health services and handle health information (even if turnover is under $3 million)
- trade in personal information
- are related to an entity that is covered by the Privacy Act
- carry on certain regulated activities (for example, operating as a credit reporting body, or otherwise handling particular types of information in a way that brings you within the Privacy Act)
Even if you’re not strictly required to comply with the Privacy Act today, you may still choose to align your practices with the APPs because:
- your customers and business partners may expect it
- investors and acquirers often want to see good privacy governance during due diligence
- your business may grow (and cross key thresholds) faster than you expect
- privacy complaints and reputational damage can be expensive even if you’re a small business
When You Still Need A Privacy Policy (Even If The Privacy Act Doesn’t Apply)
Even if you’re not covered by the Privacy Act, you may still need a privacy policy because:
- third-party platforms you use (for example, app stores, payment gateways, or ad platforms) may require you to publish one
- your contracts with customers, suppliers, or corporate clients may require one
- you’re collecting personal information through your website and it’s best practice to be transparent
Put simply: if your website has a contact form, newsletter signup, ecommerce checkout, user accounts, or tracking tools, you should take privacy seriously early.
What Counts As “Personal Information” For Your Startup?
Personal information is broadly any information about an identified individual, or an individual who is reasonably identifiable.
For startups and small businesses, common examples include:
- name, email address, phone number, delivery address
- date of birth
- government identifiers (in some industries)
- customer support messages (which often contain extra details)
- photos or videos where a person is identifiable
- device identifiers and online identifiers (depending on how they’re used)
- payment-related details (note: many businesses don’t store full card details, but you may still handle transaction information)
If you operate in a space like healthcare, counselling, fitness, or allied health, you may also deal with sensitive information (such as health information). That generally requires a higher level of care and clearer disclosures.
It’s also worth remembering that a privacy policy isn’t only about customer data. It can also cover data you collect from:
- job applicants
- contractors
- business contacts (for example, sales leads and suppliers)
As your business grows, what you collect (and why) will likely expand. Your privacy policy should be written to reflect your real operations, not an idealised version of your business.
What Your Privacy Policy Should Include (A Practical Checklist)
Most privacy policies look similar at a high level, but the details matter. Your policy should match the way you actually collect and use information in your business.
Here’s a practical checklist of clauses we usually expect to see in a privacy policy for Australian startups and small businesses.
1. What Information You Collect
You should list categories of personal information, such as:
- identity and contact details
- order and transaction data
- account login details (if relevant)
- support requests and communications
- technical data and usage information (for example, analytics)
Avoid being so vague that customers can’t understand what you collect, but don’t overshare to the point of creating unnecessary risk. The key is accuracy and clarity.
2. How You Collect It
Common collection methods include:
- when someone fills in a form on your site
- when someone creates an account
- when someone makes a purchase
- when someone contacts support
- through cookies and tracking tools (where applicable)
If your business uses cookies or similar technologies, your privacy policy should clearly explain what’s happening. In Australia, the legal requirements aren’t always framed as “cookie consent” in the same way as some overseas laws, but tracking can still involve personal information and marketing rules may also apply depending on what you’re doing.
3. Why You Collect And Use Personal Information
This is where many privacy policies fall apart, because businesses use broad statements like “to improve our services” without explaining what that really means.
Typical purposes include:
- processing orders and delivering products/services
- providing customer support
- account administration
- sending service-related messages (for example, order updates)
- marketing communications (where permitted)
- analytics and product improvement
- fraud prevention and security
- legal compliance
If you’re using personal information for marketing, make sure your privacy policy lines up with how you actually do marketing (for example, email, SMS, remarketing ads) and how people can opt out.
4. Who You Share Personal Information With
Most startups share data with service providers, even if they don’t realise it. This might include:
- website hosting providers
- CRM and email marketing tools
- payment processors
- delivery and logistics partners
- analytics providers
- professional advisers (lawyers, accountants)
You should be upfront about these categories. If you’re building customer trust, surprises are the enemy.
5. Overseas Disclosures
If any of your suppliers store or process data overseas (which is common with cloud tools), you may need to address overseas disclosures.
Many small businesses use international tools without thinking about where data is stored. You don’t need to list every server location, but you should consider whether personal information is likely to be disclosed or accessed from overseas (for example, where a provider is based offshore or uses offshore hosting/support) and explain this clearly in your policy.
6. How You Store And Protect Personal Information
Your privacy policy should cover, at a high level, how you protect data. For example:
- access controls and staff permissions
- secure storage systems
- reasonable steps to protect information from misuse, interference, loss, and unauthorised access
You don’t need to publish your entire security architecture. But you do want customers to know you take privacy and security seriously.
7. Access, Correction, And Complaints
A good privacy policy tells people:
- how they can request access to personal information you hold about them
- how they can ask you to correct it
- how to contact you with a privacy complaint
If you want a structured way to handle these requests as you scale, an internal process and forms can help (for example, an Access Request Form).
Common Privacy Policy Mistakes We See Startups Make
Privacy policies are often rushed during launch. That’s understandable, but it’s also where risk sneaks in. Here are some common mistakes we see with startups and small businesses.
Copying A Generic Template That Doesn’t Match Your Business
This is the biggest issue. If your privacy policy says you don’t share data overseas, but your email marketing platform stores data overseas, that mismatch can create problems.
Your privacy policy should be written for your business model, not someone else’s.
Forgetting About Third-Party Tools
Startups move fast, and you might add tools as you go: analytics, customer chat widgets, booking platforms, referral programs, and more.
Each tool may involve collecting or sharing personal information. If you don’t update your privacy policy as your tech stack evolves, your policy becomes inaccurate over time.
Using Vague Or Overly Broad Language
“We collect your information to provide our services” is technically true, but it isn’t very helpful. Better privacy policies explain the real purposes in a way customers can understand.
Not Aligning Your Privacy Policy With Your Other Legal Documents
Your privacy policy should align with what you say elsewhere, including your customer terms, website terms, and any refund/warranty statements.
This matters because customers (and regulators) will look at the full picture of what you promised, how you marketed your product, and how you actually handled data and complaints.
As you refine your customer communications, it’s also worth making sure your broader customer-facing practices line up with the Australian Consumer Law (ACL). For example, if you make claims about how you handle customer issues, those statements need to be accurate and not misleading. The ACL comes up often in warranty and returns discussions, including scenarios where businesses assume fixed timeframes apply (they don’t always). If this is relevant to your business model, the way you present warranties and remedies matters, including in your terms and policies. For more on this, see our guide on Australian Consumer Law warranty.
Not Having A Plan For Data Breaches
No one launches a business expecting a data incident. But having a plan is part of running a responsible business.
Even a basic data breach response process can help you act quickly and reduce damage if something goes wrong. Many businesses put a data breach response plan in place as part of their privacy compliance setup, especially if they store customer accounts or handle sensitive information. If your business is covered by the Privacy Act, you may also have notification obligations under the Notifiable Data Breaches scheme in some circumstances.
How Privacy Policies Fit Into Your Wider Legal Setup
A privacy policy is important, but it usually isn’t the only legal document you need. Most startups and small businesses will also need to think about the documents below, depending on how you operate.
Website Terms And Customer Terms
If you sell online, run a platform, or offer subscriptions, you’ll usually need clear terms setting out things like payment terms, refunds, acceptable use, disclaimers, and limitations of liability.
Your privacy policy should work alongside those terms rather than contradict them.
Privacy Collection Notices And Consent
Sometimes, a privacy policy alone isn’t enough. You may also need privacy collection notices (short notices at the point of collection) and consent wording where required (for example, if you’re collecting sensitive information or relying on consent for particular uses or disclosures).
That’s why some businesses implement a Privacy Collection Notice as part of their onboarding forms or checkout process, particularly where they’re collecting more information than just name and email.
Data Processing Arrangements With Suppliers
If you use third-party providers to process personal information on your behalf (for example, cloud hosting, outsourced support, or specialist software providers), it’s worth thinking about the contract terms you’re agreeing to.
For some businesses, having a tailored data processing agreement (or at least reviewing supplier privacy terms carefully) can be an important step, especially if you’re working with enterprise clients.
Employment And Internal Policies
Privacy compliance isn’t only external. If you have staff (or plan to hire), you should also think about how personal information is handled internally.
For example, your team might handle customer support tickets, order details, and marketing lists. Having clear internal rules helps reduce mistakes. This often sits alongside your employment documentation and onboarding processes (including an Employment Contract and relevant workplace policies).
If your business uses workplace monitoring tools, cameras, or recording systems (for example, recording customer calls for quality assurance), you’ll also need to consider surveillance and recording compliance, which can differ between states. For broader context, see business call recording laws.
Key Takeaways
- Privacy policies are a practical and legal tool that explain what personal information you collect, how you use it, and how you protect it.
- Even if you’re a small business, you may still have privacy obligations under Australian law depending on your activities, the type of data you handle, and how your business grows.
- A privacy policy should match what your business actually does (including your tools, overseas data handling, marketing activities, and support processes).
- Common startup mistakes include copying generic policies, forgetting about third-party platforms, and failing to keep policies updated as the business scales.
- Privacy compliance usually sits alongside other key legal documents, including customer terms, collection notices, supplier arrangements, and internal policies.
- Getting your privacy setup right early can help you build customer trust, reduce risk, and make future investment or due diligence much smoother.
If you’d like help putting the right privacy policies and related legal documents in place for your startup or small business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.