Small Business Privacy Policy Template: How To Create A Compliant Policy In Australia

By Alex Solo · 11 min read

When you’re running a small business, it can feel like you’re collecting customer information everywhere - through your website contact form, online bookings, email marketing sign-ups, invoices, payment platforms, or even CCTV in your premises.

But here’s the tricky part: the moment you collect personal information, you’re stepping into privacy compliance territory. And that’s where a clear, accurate privacy policy becomes more than just “website fluff” - it’s a practical risk-management tool that helps you build trust and meet your legal obligations.

This guide breaks down what a small business privacy policy template should include, how to tailor it to your business, and what “compliant” really means in Australia (without drowning you in legal jargon).

If you’re looking for a starting point you can adapt, we’ve also included a template-style structure you can use right away - just make sure you tailor it to your actual practices (because accuracy matters in privacy law).

Do Australian Small Businesses Need A Privacy Policy?

In many cases, yes - and even when it’s not strictly mandatory, having one is usually still a smart move.

A privacy policy is a public statement explaining:

  • what personal information you collect,
  • how you collect it,
  • why you collect it,
  • how you store and use it, and
  • who you share it with (if anyone).

When It’s Legally Required

Under the Privacy Act 1988 (Cth), some businesses must comply with the Australian Privacy Principles (APPs). Generally speaking, the Privacy Act applies to “APP entities” - which includes most private sector organisations with an annual turnover of more than $3 million, as well as many Australian Government agencies.

However, even if your turnover is under $3 million (and you’d otherwise fall under the “small business exemption”), you may still be covered by the Privacy Act in certain situations - including if you:

  • provide a health service and handle health information (which can include some allied health, wellness, and similar businesses where a service is provided to assess, maintain or improve a person’s health),
  • trade in personal information (for example, buying or selling personal information),
  • are related to a business that is an APP entity (for example, certain related bodies corporate), or
  • are required to comply under particular arrangements (including some government contracts that require Privacy Act compliance by contract, even if the Act wouldn’t automatically apply).

If you are covered by the Privacy Act, you generally need a privacy policy that meets the APP requirements.

When It’s Still A Good Idea (Even If You’re Not Covered)

Even if you’re not legally required to have a privacy policy, you may still want one because:

  • customers expect it (especially online),
  • platforms and payment providers often require it (think online stores and apps), and
  • privacy missteps can still expose you to complaints and reputational damage.

If your business collects personal information through a website or app, it’s also common to pair your privacy policy with Privacy Collection Notice wording at the point of collection (for example, under your contact form).

What Laws Affect Your Privacy Policy In Australia?

A good small business privacy policy template needs to reflect the legal rules that apply to your business and the way you actually handle personal information in practice.

The Privacy Act 1988 (Cth) And Australian Privacy Principles (APPs)

If you’re an APP entity, your privacy policy must address certain matters - such as the kinds of personal information you collect, why you collect it, how people can access or correct it, and how to make a complaint.

Even if you’re not technically an APP entity, the APPs are still a useful benchmark for what a “proper” privacy policy looks like.

Notifiable Data Breaches (NDB) Scheme

If you’re covered by the Privacy Act, you should also be aware of the Notifiable Data Breaches scheme. In broad terms, this can require you to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) if there’s an “eligible data breach” (for example, certain unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm).

Your privacy policy doesn’t replace an incident response plan, but it should align with your actual approach to handling and securing personal information.

Australian Consumer Law (ACL) And Misleading Conduct Risks

Your privacy policy is a public-facing statement. If it says you do one thing but you actually do another, that can create legal risk - including potential issues under the Australian Consumer Law for misleading or deceptive conduct.

In plain terms: don’t copy-paste a generic policy that doesn’t match your business.

Direct Marketing And Spam Compliance

If you send marketing emails or SMS messages, your privacy policy should align with what you do for marketing, analytics, and customer communications.

It’s also worth checking your processes against email marketing laws, especially around consent and unsubscribes.

Payment Data And Security Expectations

If your customers pay online (or you store any payment details), you’ll want to be particularly careful about what you collect and how you secure it.

Even if you never store full card details, customers often assume you might. Your privacy policy should clearly explain what happens with payment data and which providers process it. If you do store any payment information, review your obligations around storing credit card details.

CCTV, Recording And Surveillance Laws

If you use CCTV (or other recording tools) in your premises, your privacy obligations may not be limited to the Privacy Act. State and territory surveillance and workplace monitoring laws can also apply, and rules can differ depending on where your business operates and whether you’re recording video, audio, or both.

As a practical step, make sure you use clear signage and that what you do in practice matches what you say in your privacy policy (and any other notices you display).

Small Business Privacy Policy Template: The Clauses You Should Include

Every business is different, but most privacy policies for small businesses in Australia cover a common set of building blocks.

Below is a practical checklist of what your privacy policy template should include, plus why each section matters.

1. Who You Are And How To Contact You

Start with the basics:

  • your business name (and ABN if relevant),
  • your contact email address,
  • how customers can contact you for privacy requests or complaints.

This is important because privacy law is all about transparency and accountability.

2. The Personal Information You Collect

Your privacy policy should describe the types of personal information you collect. This will depend on your business, but could include:

  • name, email address, phone number,
  • billing and delivery address,
  • purchase history,
  • IP address and device information (through analytics tools),
  • photos or videos (for example, events or CCTV),
  • health information (if you are a health service provider).

If you collect photos or video content of customers (even incidentally), it’s also worth thinking about your broader approach to consent and notices - the rules can vary depending on the context. For businesses handling images more actively, photography consent laws are often part of the compliance picture.

3. How You Collect Personal Information

Spell out how you collect personal information, such as:

  • when customers fill in a form on your website,
  • when customers make an enquiry, booking, or purchase,
  • when someone subscribes to marketing updates,
  • through cookies and analytics tools,
  • when you communicate by email, phone, or social media.

4. Why You Collect And Use Personal Information

This section is often the heart of the policy. Be specific and commercial (because that’s how your business actually works), while still being clear and fair.

Common purposes include:

  • providing your products or services,
  • processing payments and delivering orders,
  • customer support and handling refunds,
  • marketing (where permitted),
  • improving your website, services, and user experience,
  • legal compliance and fraud prevention.

5. When You Disclose Personal Information To Others

Most small businesses share some data with third parties (often software providers). Your privacy policy should list the types of third parties you may disclose information to, such as:

  • payment processors,
  • delivery and logistics providers,
  • website hosting and IT providers,
  • email marketing platforms,
  • accountants, insurers, or professional advisers,
  • regulators or law enforcement where required.

If any of these providers are located overseas (or store data overseas), you should address that too (more on this below).

6. Overseas Disclosure

Many online tools store data in the cloud, and that cloud may be outside Australia.

A compliant privacy policy should explain whether you disclose personal information overseas, and if so, where (or at least the types of countries/regions) and why.

If you’re not sure where your providers store data, this is a good reminder to check your software stack. It’s much easier to get it right now than to deal with a complaint later.

7. Data Security And Storage

This part doesn’t need to give away your security blueprint, but it should reassure customers that you take reasonable steps to protect their personal information.

You can include (where accurate):

  • access controls (who can access customer data),
  • password protection and multi-factor authentication,
  • secure storage and encryption where appropriate,
  • processes for deleting or de-identifying data when no longer needed.

8. Access, Correction, And Opting Out

Your privacy policy should explain how someone can:

  • request access to personal information you hold about them,
  • ask you to correct inaccurate information,
  • opt out of marketing communications.

If you send marketing emails, make sure your unsubscribe process matches what your privacy policy says.

9. Cookies And Analytics (If You Have A Website)

If your website uses cookies (which is very common), your privacy policy should cover:

  • that cookies are used,
  • the purpose (analytics, site functionality, advertising),
  • how users can manage cookies in their browser settings.

Some businesses also use a cookie banner and a separate cookie policy, but at the small business level, it’s often enough to clearly address cookies in your privacy policy, as long as it’s accurate.

10. Complaints Handling

This is a must-have section for any strong small business privacy policy template.

Include:

  • how someone can make a privacy complaint to you,
  • how you will respond and within what timeframe (if you can commit to one),
  • what happens if they are not satisfied (for example, escalating externally).

A Practical Small Business Privacy Policy Template (Editable Structure)

Below is a template-style structure you can adapt. This isn’t a “copy and paste and forget” solution - you should update the wording so it reflects your actual business processes, tools, and data handling.

Privacy Policy Template Structure

1. About This Privacy Policy
Explain that this policy sets out how you collect, use, store and disclose personal information in your business.

2. Who We Are
Insert your legal/business name, ABN (if relevant), and best contact details for privacy enquiries.

3. The Personal Information We Collect
List the categories of personal information relevant to your business (contact details, payment info, bookings, analytics data, etc.).

4. How We Collect Personal Information
Explain when and how personal information is collected (website forms, bookings, purchases, customer support, cookies).

5. How We Use Personal Information
Describe your purposes clearly (providing services, processing payments, customer support, marketing, analytics, legal compliance).

6. Disclosure Of Personal Information
List categories of third parties you may disclose information to (IT providers, payment processors, delivery partners, professional advisers).

7. Overseas Disclosures
State whether you disclose data overseas, and if yes, provide details about the likely locations or types of service providers involved.

8. Data Security
Explain the reasonable steps you take to protect personal information and limit access.

9. Access And Correction
Explain how customers can request access to or correction of their personal information.

10. Marketing Communications
Explain how marketing is handled (consent, opt out, unsubscribe).

11. Cookies And Website Analytics
Explain cookie usage and how users can manage cookies.

12. Complaints
Set out your internal process for dealing with privacy complaints, and next steps if someone isn’t satisfied.

13. Updates To This Policy
Explain that you may update the policy from time to time and how you’ll publish changes (for example, on your website).

Once you’ve drafted this, it’s worth checking that it aligns with other legal documents customers see on your site - for example, your Website Terms and Conditions and any customer-facing booking or service terms.

How To Make Your Privacy Policy “Compliant” (Not Just Published)

A common mistake we see is treating privacy compliance as a one-off document task. In reality, compliance is also about what your business does day-to-day.

Step 1: Map Your Personal Information

Before you finalise any small business privacy policy template, get clear on:

  • what data you collect (and where),
  • why you collect it,
  • who has access to it internally,
  • which software providers receive it,
  • where it’s stored (including overseas storage).

This helps you write a privacy policy that is accurate - and accuracy is one of the biggest “compliance” factors.

Step 2: Match Your Policy To Your Actual Tools

If you use:

  • online booking platforms,
  • email marketing tools,
  • payment gateways,
  • cloud storage,
  • CRM systems,
  • analytics tools,

…your privacy policy should reflect that (at least at a category level).

Step 3: Put A Collection Notice Where You Collect Data

Your privacy policy lives on a dedicated page, but customers often provide information elsewhere (like a form or checkout page). A simple privacy statement at the point of collection can help set expectations and reduce risk.

For many businesses, using a Privacy Collection Notice on forms is part of a clean and practical setup.

Step 4: Train Your Team (Even If It’s Just One Or Two People)

If you have staff or contractors handling customer information, make sure they understand the basics:

  • don’t share customer information unnecessarily,
  • verify identity before making changes to customer details,
  • keep logins secure and don’t reuse passwords,
  • know where privacy enquiries should go.

This is especially important if you handle sensitive information or high volumes of customer data.

Step 5: Review Your Privacy Policy Regularly

Your policy should be a living document. You should revisit it when you:

  • change your software providers,
  • launch a new product or service,
  • start running targeted advertising or new marketing campaigns,
  • expand overseas,
  • start collecting additional information.

If you want your policy properly tailored to your operations and risk profile, a lawyer-drafted Privacy Policy can take the guesswork out of the process.

Key Takeaways

  • A small business privacy policy template is a starting point, but it must be tailored to what your business actually does with personal information.
  • Even if your turnover is under $3 million, you may still be covered by the Privacy Act (including where you provide a health service, trade in personal information, are related to an APP entity, or are otherwise required to comply in a particular context).
  • A compliant privacy policy typically covers what you collect, how you use it, who you share it with, overseas disclosures, data security, access/correction rights, and complaints handling.
  • Your privacy policy should align with your website practices, marketing processes, payment handling, and third-party software providers.
  • Privacy compliance is not just “publishing a page” - it also includes collection notices, internal processes, and regular updates when your business changes (and for some businesses, preparing for data breach response and notification obligations).

If you’d like help putting together a privacy policy that fits how your small business actually operates, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
