Privacy Policy Example: How To Create A Compliant Privacy Policy Page (Australia)

If you run a small business in Australia, chances are you collect some kind of personal information - even if it’s just names and email addresses through a contact form or online booking system.

That’s where a clear, compliant privacy policy page becomes essential. It helps you meet your legal obligations, build customer trust, and avoid misunderstandings about how you use and protect data.

In this guide, we’ll walk you through what a privacy policy should include, when you need one, and we’ll give you a practical privacy policy example structure you can adapt for your business (without drowning you in legal jargon).

What Is A Privacy Policy (And Why Does Your Business Need One)?

A privacy policy is a document (usually published on your website) that explains how your business collects, uses, stores and discloses personal information.

For small businesses, a privacy policy page often comes up when you:

  • have a website with a contact form
  • sell online (including taking payments or creating customer accounts)
  • collect email addresses for newsletters or marketing
  • use analytics tools or tracking technologies like cookies
  • collect customer details for bookings, delivery, invoicing or customer support

Even where the law doesn’t strictly require a privacy policy in every scenario, having a basic privacy policy is a practical way to set expectations and show you take data seriously.

If you want the document drafted and tailored to your business model (instead of relying on a generic template), a Privacy Policy is one of the key legal building blocks we regularly help businesses put in place.

Do Small Businesses Have To Comply With Privacy Laws In Australia?

This is one of the most common questions we hear: “I’m a small business - do I still need a privacy policy page?”

In Australia, privacy obligations often come from the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Whether the Act applies to your business depends on factors like your turnover, what you do, and what information you handle.

When The Privacy Act Is More Likely To Apply

Many people have heard the “$3 million turnover” threshold. While it’s a useful starting point, it’s not the whole story.

Even if your business has turnover under $3 million, you may still be covered by the Privacy Act in certain situations - for example, where your business:

  • provides a health service (and handles health information)
  • trades in personal information (for example, buying/selling personal information)
  • is a contracted service provider for a Commonwealth government contract
  • is involved in credit reporting (in limited scenarios)

Also, even if the Privacy Act doesn’t apply to you, you can still have contractual or platform-based obligations. For example, payment providers, online marketplaces, and advertising partners often expect you to have a privacy policy page.

From a business perspective, your privacy policy page is also part of your customer experience. When people feel confident you’re handling their data properly, they’re more likely to purchase, subscribe or make enquiries.

If your website collects personal information (especially through forms), it’s also worth thinking about a privacy collection notice - this is the short, just-in-time message people see at the point you collect their information (for example, under your contact form).

What To Include In A Simple, Compliant Privacy Policy Page

A privacy policy doesn’t need to be long to be effective - but it does need to be accurate, clear, and aligned with how your business actually operates.

At a high level, the APPs (in particular APP 1) set expectations about what an Australian privacy policy should cover, including the kinds of personal information you collect, how you use and disclose it, and how people can access, correct, or complain about your handling of their information.

Here are the key sections we usually recommend including in a basic privacy policy for Australian small businesses.

1. Your Business Details

Your privacy policy should clearly identify who is collecting the information. This usually includes:

  • your business name (and company name, if different)
  • ABN/ACN (optional but common)
  • contact details (email address at minimum)

2. What Personal Information You Collect

Be specific and practical. List common examples relevant to your business, such as:

  • name, email address, phone number
  • billing and delivery address
  • payment-related information (note: you should be careful here - many businesses do not store full card details)
  • IP address and device/browser information (through analytics)
  • enquiry details submitted via forms

If you collect sensitive information (for example, health information), your policy needs extra care - sensitive data generally triggers higher compliance expectations.

3. How You Collect Information

Explain the methods you use, which might include:

  • directly from customers (forms, checkout, phone, email)
  • automatically (cookies, analytics, log files)
  • from third parties (booking platforms, payment providers, social media tools)

4. Why You Collect It (Your Purposes)

This section is the “why” behind your data handling. Common purposes include:

  • providing your products or services
  • processing payments and fulfilling orders
  • customer support and managing enquiries
  • marketing and promotions (where permitted)
  • improving your website and services
  • meeting legal and accounting requirements

Tip: If you send marketing emails, make sure your approach lines up with the email marketing laws that apply to Australian businesses, including how you handle consent and unsubscribes.

5. Disclosure: Who You Share Personal Information With

Most small businesses share personal information with third parties in some way - even if it’s just your website host or email marketing provider.

Common categories include:

  • payment processors and banking providers
  • delivery and logistics partners
  • IT providers (hosting, CRM systems, cloud storage)
  • professional advisers (accountants, lawyers)
  • marketing providers (email platforms, ad platforms)

If you use third-party services that store data overseas, it’s best practice to mention that cross-border disclosure may occur, and (where applicable) the countries where the recipients are likely to be located.

6. How You Store And Protect Personal Information

Customers want to know you’re not treating their data casually.

You don’t need to publish a detailed security blueprint, but you should describe your general approach - for example:

  • secure systems and access controls
  • limiting access to staff who need it
  • secure payment handling practices
  • reasonable steps to protect against misuse, interference and loss

If you run an online store (or store payment information for any reason), be cautious about how you describe card data handling. It’s also worth understanding the risks and compliance issues around storing credit card details.

7. Access, Correction And Complaints

Your privacy policy should explain how people can:

  • request access to their personal information
  • ask you to correct inaccurate information
  • make a privacy complaint (and how you’ll respond)

This is an important trust-builder - it shows you have a process, not just a document.

8. Cookies And Tracking (If You Have A Website)

If your website uses cookies or tracking tools (including analytics and advertising pixels), it’s a good idea to disclose this clearly.

In Australia, a standalone cookie notice or cookie banner isn’t always legally required in the same way it may be in some overseas jurisdictions. However, you still need to be transparent about what you collect and why, and you may need consent in some situations (for example, depending on how you use tracking for marketing and how it interacts with other laws and platform rules).

At minimum, your privacy policy page should explain:

  • what cookies are used for (analytics, performance, marketing)
  • how users can manage cookies (browser settings, opt-out tools)

Privacy Policy Example: A Simple Structure You Can Adapt

Below is a privacy policy example framework. You can use it as a starting point - but make sure you tailor it so it matches what your business actually does (this is where many templates go wrong).

Privacy Policy Example (Template-Style Framework)

1. Introduction
We are committed to protecting your privacy and handling your personal information in an open and transparent way.

2. Who We Are
[Business name] (ABN/ACN [number]) is responsible for the personal information we collect and hold.
Contact: , .

3. What Personal Information We Collect
We may collect personal information including your name, email address, phone number, billing and delivery details, and information you provide when you contact us or purchase our products/services.

4. How We Collect Personal Information
We collect personal information directly from you when you use our website, place an order, make an enquiry, subscribe to updates, or otherwise interact with us. We may also collect information automatically through cookies and analytics tools.

5. Why We Collect, Hold And Use Personal Information
We may use your personal information to:

  • provide and deliver our products/services
  • process payments and manage orders
  • respond to enquiries and provide customer support
  • send updates and marketing communications (where permitted)
  • improve our website and services
  • comply with legal obligations

6. Who We Disclose Personal Information To
We may disclose personal information to third parties who help us operate our business, such as payment processors, delivery providers, IT service providers, and professional advisers. Some of these providers may be located overseas or may store data overseas.

7. Storage And Security
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure.

8. Access And Correction
You may request access to the personal information we hold about you and request corrections by contacting us at [contact details].

9. Complaints
If you have a complaint about how we handle personal information, please contact us at [contact details]. We will respond within a reasonable timeframe and work with you to resolve your complaint. If you are not satisfied with our response, you may be able to lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

10. Updates To This Policy
We may update this policy from time to time. The latest version will always be available on our website.

How To Make This Example “Compliant” (Not Just “Published”)

A privacy policy page becomes risky when it says one thing, but your business does another.

Before you publish, do a quick reality-check:

  • List your actual tools (e.g. Shopify-style eCommerce platform, booking software, email marketing platform, analytics).
  • Check where data is stored (Australia vs overseas) and whether overseas disclosure is likely.
  • Confirm what you collect (and what you don’t collect).
  • Confirm your marketing process (how you get consent, how people unsubscribe).

If your business uses a website, your privacy policy also works best when it fits neatly with your other website legal documents, like Website Terms and Conditions.

How To Publish A Privacy Policy Page On Your Website (Practical Checklist)

Once your privacy policy is ready, the next step is to make sure customers can actually find it.

Here’s a practical checklist most small businesses can follow:

  • Add a “Privacy Policy” link in your website footer (this is where people expect it).
  • Link to it at key collection points such as contact forms, checkout pages, newsletter sign-ups and account creation.
  • Keep it readable - short paragraphs, clear headings, and plain English.
  • Make sure it matches your customer journey (especially if you sell online, use cookies, or share data with service providers).
  • Review it when you change systems (new CRM, new email platform, new booking software, new payment provider).

If you run an online store or subscription service, your privacy policy page should also align with the promises you make in your checkout flow and terms. In many cases, businesses bundle this planning with their e-commerce terms and conditions so everything is consistent.

Key Takeaways

  • A privacy policy page explains how your small business collects, uses, stores and shares personal information - and it helps build customer trust.
  • Even if you think the Privacy Act may not apply to your business, you can still have practical and commercial reasons to publish a clear, basic privacy policy.
  • A simple, compliant privacy policy should cover what you collect, how you collect it, why you collect it, who you disclose it to, security, access/correction, and complaints (including how complaints can be escalated if needed).
  • A privacy policy example template is only useful if you tailor it to your actual business practices - mismatches are where businesses get into trouble.
  • Publishing matters: link your privacy policy in your footer and at key collection points like forms and checkout.
  • If your business changes tools or processes (new website, new marketing platform, new overseas providers), your privacy policy should be updated too.

If you’d like help putting together a privacy policy page that fits your small business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
