Selling Personal Information: What’s Allowed?

By Kayleigh Yap, 10 min read

Data is valuable. Whether you run an online store, a mobile app or a membership program, you may be wondering if you can sell personal information you’ve collected - or partner with a third party who wants to buy or “share” it for marketing or analytics.

In Australia, you can monetise data, but there are strict rules under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Getting this wrong can lead to serious penalties and reputational damage, so it’s important to understand what’s actually allowed and set up the right safeguards from day one.

In this guide, we’ll break down what counts as personal information, when a “sale” or disclosure is permitted, the extra risks with sensitive data and children, and the practical steps to take if you’re considering a data-sharing deal.

What Counts As “Personal Information” In Australia?

Personal information is any information or opinion about an identified individual, or an individual who is reasonably identifiable - whether the information is true or not, and whether it’s recorded in a material form or not.

This is broader than many people expect. It includes obvious identifiers like names and email addresses, but can also include device IDs, IP addresses, cookies or location data if those details can reasonably be linked back to a person.

There are special categories to be aware of:

  • Sensitive information: This includes health information, biometric data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation and more. Handling and disclosing sensitive information requires a higher standard of consent (express, informed and specific).
  • Credit information: If you handle consumer credit data, extra rules apply under the credit reporting framework.
  • Children’s information: Consent must come from someone who has capacity to give it. For children, this often means parental or guardian consent, depending on age and context.

By contrast, de-identified data is information that no longer relates to an identifiable person. If there’s a reasonable risk of re-identification (for example, by combining datasets), it may still be treated as personal information under the APPs.

Can You Legally Sell Personal Information?

There’s no single clause in Australian law that says “you can” or “you can’t” sell personal information. Instead, the Privacy Act regulates collection, use and disclosure. Selling data is generally treated as a “disclosure” to a third party, which is only allowed in certain circumstances.

The Core Rule: Use And Disclosure Must Be Lawful

Under APP 6, you must only use or disclose personal information for:

  • The primary purpose you collected it for; or
  • A secondary purpose if the individual would reasonably expect it, and it’s related (or for sensitive information, directly related) to the primary purpose; or
  • With valid consent for that specific use or disclosure; or
  • Another permitted situation (for example, required by law).

If you collected emails to deliver your product, selling that list to an unrelated advertiser is unlikely to be a “related” purpose. You’d need clear, informed consent that specifically covers selling or disclosing to third parties for marketing.

Direct Marketing And Selling Lists

APP 7 sets extra limits on direct marketing, and the rules depend on where the information came from. If you collected it directly from the individual and they would reasonably expect it to be used for direct marketing, you can use or disclose it for that purpose, including to a buyer who will market to them, only if the individuals:

  • Were clearly informed their data could be used or disclosed for direct marketing; and
  • Have a simple means to opt out at any time, and each marketing message draws their attention to it; and
  • Have not opted out already.

If the information came from someone else, or the individual would not reasonably expect marketing use, you need their consent (or it must be impracticable to get it) and every message must carry a prominent opt-out statement. Individuals can also ask you where you obtained their details, and you must tell them unless that is impracticable or unreasonable.

If you email or SMS people, you’ll also need to comply with the Spam Act 2003 and the Do Not Call Register Act. Make sure your practices align with Australian email marketing laws and any telemarketing rules if phone calls are involved.

For sensitive information, disclosures for direct marketing generally require express consent. “Bundled” or vague consents are risky - consent needs to be specific, informed, voluntary and current. If in doubt, treat sensitive categories with heightened care and avoid selling unless you can demonstrate robust, opt-in consent.

Cross-Border Disclosures

If the buyer or recipient is overseas (including, depending on the arrangement, cloud providers storing data offshore), APP 8 applies before you disclose. You must take reasonable steps to ensure the overseas recipient does not breach the APPs in relation to the information, which in practice means binding contractual terms, unless a narrow exception applies (for example, you reasonably believe the recipient is bound by a law or scheme substantially similar to the APPs, or the individual consented after being expressly told that APP 8 protection will not apply). Note that under section 16C of the Privacy Act, if the recipient then mishandles the data, you are generally treated as having breached the APPs yourself. Contractual controls are essential here (more on that below).

Small Business And “Exemptions” - Proceed With Caution

Some small businesses with an annual turnover of $3 million or less are exempt from the Privacy Act - but there are several important exceptions. For example, health service providers are covered regardless of turnover. A business that trades in personal information (disclosing it for a benefit, service or advantage, or paying to collect it) is not a small business operator at all, unless the individuals concerned have consented or the trading is required or authorised by law. Don't assume you're exempt: if you plan to sell lists or otherwise commercialise personal information, you should behave as if the APPs apply and set up appropriate compliance.

What About Selling “De-Identified” Data?

De-identified data that cannot reasonably be re-linked to an individual generally falls outside the Privacy Act. However, de-identification is not just removing names. You should consider whether combination with other data could re-identify people, and put legal and technical controls around re-identification.

Be careful not to overstate that data is “anonymous” if it isn’t - claims that could mislead customers or regulators can raise issues under the Australian Consumer Law. Your marketing statements should avoid exaggeration to reduce the risk of misleading or deceptive conduct.

Common Data Monetisation Models

There are many models for data monetisation. Here are common approaches and the legal risks to watch.

Selling Marketing Lists To Third Parties

This is high risk without clear, opt-in consent that explicitly covers selling to third parties for direct marketing. Even with consent, ensure robust opt-out systems and maintain suppression lists so you don’t re-add opted-out individuals in future batches. You should also validate the buyer’s compliance commitments and review their unsubscribe processes.

“Data Partnerships” Or “Data Sharing”

Some arrangements aren’t described as “selling” but still involve disclosing data to partners for advertising measurement, enrichment or modelling. These disclosures are still regulated. You must have a lawful basis for the disclosure, limit the scope to what’s necessary, and reflect obligations in a tailored Data Processing Agreement (DPA) or data sharing contract.

Advertising Technology And Cookies

Adtech vendors often collect identifiers via web or app tracking. Individuals should be informed via your cookie banner and a clear Cookie Policy, which explains the types of cookies used and how users can manage them. Where cookies or SDKs track users across services, ensure your consent and disclosure language is specific about third-party tracking and profiling.

Loyalty Programs And Data Enrichment

Loyalty programs may share data with partners for rewards and co-branded offers. Disclosures must be transparent - your collection notices and program terms should explain who receives data and why. Be careful with combining datasets from different sources, which can increase re-identification risk.

Aggregated Analytics And “Insights” Products

Monetising insights derived from customer behaviour can be lawful if the outputs are truly aggregated and de-identified. Use technical safeguards, apply minimum cell-size thresholds (e.g. suppress any statistic based on fewer than a set number of people, since a "group" of one is just that person), check that the combination of attributes you release does not single individuals out, and include contractual restrictions against re-identification and onward disclosure.
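The re-identification and threshold points above (and the warning earlier about combining datasets) are easier to see in code. The following is an added example, not code from the original article: it uses constructed sample data and invented names, shows a simple join re-identifying a "de-identified" extract through the quasi-identifier combination (postcode, birth year, sex), then applies generalisation and a k-threshold (k is an assumed policy value) so that no released row or reported cell describes fewer than k people.

```python
"""Linkage attack on a 'de-identified' extract, and the k-threshold check
that blocks it. Every record below is constructed sample data."""
from collections import Counter, defaultdict

# Constructed: a loyalty-programme extract with names removed.
# (postcode, birth_year, sex) together act as a quasi-identifier.
DEIDENTIFIED_EXTRACT = [
    {"postcode": "2000", "birth_year": 1984, "sex": "F", "purchases": "pharmacy"},
    {"postcode": "2000", "birth_year": 1985, "sex": "F", "purchases": "grocery"},
    {"postcode": "2000", "birth_year": 1984, "sex": "M", "purchases": "grocery"},
    {"postcode": "2000", "birth_year": 1987, "sex": "M", "purchases": "fuel"},
    {"postcode": "2011", "birth_year": 1990, "sex": "F", "purchases": "alcohol"},
    {"postcode": "2011", "birth_year": 1990, "sex": "F", "purchases": "grocery"},
    {"postcode": "2011", "birth_year": 1991, "sex": "F", "purchases": "pharmacy"},
    {"postcode": "3000", "birth_year": 1975, "sex": "M", "purchases": "fuel"},
]

# Constructed: a 'public' dataset (e.g. a scraped directory) a buyer could
# join against. Names are invented.
PUBLIC_DIRECTORY = [
    {"name": "A. Nguyen", "postcode": "2000", "birth_year": 1984, "sex": "F"},
    {"name": "B. Smith", "postcode": "2000", "birth_year": 1984, "sex": "M"},
    {"name": "F. Garcia", "postcode": "2000", "birth_year": 1987, "sex": "M"},
    {"name": "C. Lee", "postcode": "2011", "birth_year": 1990, "sex": "F"},
    {"name": "D. Patel", "postcode": "2011", "birth_year": 1991, "sex": "F"},
    {"name": "E. Brown", "postcode": "3000", "birth_year": 1975, "sex": "M"},
]

QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def qi_key(row, fields=QUASI_IDENTIFIERS):
    """The quasi-identifier tuple used for grouping and joining."""
    return tuple(row[f] for f in fields)


def linkage_attack(extract, directory):
    """Return {name: purchases} for each extract row whose quasi-identifier
    combination is unique in the extract AND matches exactly one directory
    entry -- rows a buyer could re-identify with a plain join."""
    extract_counts = Counter(qi_key(r) for r in extract)
    dir_index = defaultdict(list)
    for person in directory:
        dir_index[qi_key(person)].append(person["name"])
    hits = {}
    for row in extract:
        key = qi_key(row)
        if extract_counts[key] == 1 and len(dir_index.get(key, [])) == 1:
            hits[dir_index[key][0]] = row["purchases"]
    return hits


def generalise(row):
    """Coarsen quasi-identifiers: postcode -> first two digits, year -> decade."""
    out = dict(row)
    out["postcode"] = row["postcode"][:2] + "xx"
    out["birth_year"] = (row["birth_year"] // 10) * 10
    return out


def k_anonymise(extract, k):
    """Generalise, then suppress any row whose quasi-identifier combination
    is shared by fewer than k rows. Returns (kept_rows, suppressed_count)."""
    rows = [generalise(r) for r in extract]
    counts = Counter(qi_key(r) for r in rows)
    kept = [r for r in rows if counts[qi_key(r)] >= k]
    return kept, len(rows) - len(kept)


def min_group_size(rows):
    """Smallest quasi-identifier group in a release; must be >= k."""
    return min(Counter(qi_key(r) for r in rows).values()) if rows else 0


def aggregate_report(extract, k, by=("postcode",)):
    """Counts per group, with cells below the k threshold suppressed (None)."""
    counts = Counter(qi_key(r, by) for r in extract)
    return {key: (n if n >= k else None) for key, n in counts.items()}


if __name__ == "__main__":
    print("re-identified from raw extract:", linkage_attack(DEIDENTIFIED_EXTRACT, PUBLIC_DIRECTORY))
    kept, dropped = k_anonymise(DEIDENTIFIED_EXTRACT, k=2)
    print("after k=2:", len(kept), "rows kept,", dropped, "suppressed; min group", min_group_size(kept))
    print("re-identified after k=2:", linkage_attack(kept, [generalise(p) for p in PUBLIC_DIRECTORY]))
    print("report with k=3 cell threshold:", aggregate_report(DEIDENTIFIED_EXTRACT, k=3))
```

Removing names did nothing for the resident of postcode 2000 born in 1984: a single join pins her to a pharmacy purchase. After generalisation and suppression every released combination covers at least two people and the join returns nothing, at the cost of dropping the lone 3000-postcode row entirely. A real release would also need the contractual no-re-identification clause the article describes, because k-anonymity limits singling out but says nothing about what the attacker already knows.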

What You Must Have In Place If You Share Or Sell Data

If you’re contemplating any data disclosure that could be viewed as a sale or monetisation, put these safeguards in place before you proceed.

1) A Clear Privacy Policy And Collection Notices

Your Privacy Policy should be easy to find and explain what personal information you collect, why you collect it, and to whom you disclose it (including third-party marketing partners and overseas recipients, if any). In addition, provide upfront collection notices at or before the point of collection that set expectations about disclosures for marketing or data-sharing. Vague catch-all wording isn’t enough - be as specific as reasonably possible.

2) Valid Consent And Preference Management

If you rely on consent, make sure it’s informed, specific and easy to withdraw. Use clear, separate opt-in boxes for third-party marketing and data sharing. Maintain preference centres so individuals can manage consents, and build processes to respect opt-outs across all downstream disclosures.
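The suppression-list and consent-scope checks described here, and in the earlier passage on selling marketing lists, come down to a gate that every batch passes through before it leaves your systems. The following is an added example, not code from the original article: the customer records, opt-outs, consent scope name `third_party_marketing` and the notice-effective date are all constructed assumptions. It normalises addresses before matching (so `BOB@example.org` matches an opt-out recorded as `bob@example.org`), stores the suppression list as SHA-256 tokens so the opt-out list itself need not circulate in plaintext, and excludes anyone whose consent does not cover the disclosure or was captured before the current collection notice named third-party recipients.

```python
"""Gate a customer batch before disclosure to a third party: drop opted-out
individuals, records without the right consent scope, and consents that
predate the notice describing the disclosure. All data is constructed."""
import hashlib
from datetime import date


def normalise_email(addr):
    """Canonical form used for matching: trimmed and lower-cased."""
    return addr.strip().lower()


def email_token(addr):
    """SHA-256 of the normalised address. This is pseudonymisation, not
    anonymisation: a hashed email is still personal information, it just
    keeps the plaintext opt-out list out of batch files and buyer hands.
    A keyed hash (HMAC with a secret) would be stronger against dictionary
    attacks; plain SHA-256 is used here for a self-contained example."""
    return hashlib.sha256(normalise_email(addr).encode("utf-8")).hexdigest()


def record_opt_out(suppression, addr):
    """Add an address to the suppression set; returns the updated set."""
    suppression.add(email_token(addr))
    return suppression


# Constructed: opt-outs gathered from unsubscribe links, the preference
# centre and manual requests. Note the stray case and whitespace.
OPT_OUTS = ["Alice@Example.com ", "bob@example.org"]
SUPPRESSION = {email_token(a) for a in OPT_OUTS}

# Constructed: date the current collection notice (which names third-party
# marketing recipients) took effect. Consents captured earlier were given
# against a notice that did not mention this disclosure.
NOTICE_EFFECTIVE = date(2024, 1, 1)

# Constructed customer records with the consent scopes each person ticked.
CUSTOMERS = [
    {"email": "alice@example.com", "consents": {"service", "third_party_marketing"}, "consent_at": date(2024, 3, 1)},
    {"email": "carol@example.net", "consents": {"service", "third_party_marketing"}, "consent_at": date(2024, 6, 10)},
    {"email": "dave@example.net", "consents": {"service"}, "consent_at": date(2024, 6, 10)},
    {"email": "erin@example.net", "consents": {"service", "third_party_marketing"}, "consent_at": date(2023, 1, 5)},
    {"email": "BOB@example.org", "consents": {"service", "third_party_marketing"}, "consent_at": date(2024, 7, 1)},
]


def prepare_disclosure_batch(customers, suppression, required_scope, notice_effective):
    """Return (released, excluded). `released` is the minimised batch to hand
    over; `excluded` is an audit list of (email, reason) pairs kept internally."""
    released, excluded = [], []
    for c in customers:
        email = normalise_email(c["email"])
        if email_token(email) in suppression:
            reason = "opted_out"
        elif required_scope not in c["consents"]:
            reason = "no_consent_for_scope"
        elif c["consent_at"] < notice_effective:
            reason = "consent_predates_notice"
        else:
            reason = None
        if reason:
            excluded.append((email, reason))
        else:
            # Only the fields the recipient needs, plus the consent evidence.
            released.append({"email": email, "scope": required_scope,
                             "consent_at": c["consent_at"].isoformat()})
    return released, excluded


if __name__ == "__main__":
    out, skipped = prepare_disclosure_batch(CUSTOMERS, SUPPRESSION, "third_party_marketing", NOTICE_EFFECTIVE)
    print("released:", [r["email"] for r in out])
    print("excluded:", skipped)
    # Carol opts out later; the next batch must not re-add her.
    record_opt_out(SUPPRESSION, " Carol@Example.NET")
    out2, _ = prepare_disclosure_batch(CUSTOMERS, SUPPRESSION, "third_party_marketing", NOTICE_EFFECTIVE)
    print("released after Carol opts out:", [r["email"] for r in out2])
```

Of five records only Carol is released; Alice and Bob are suppressed, Dave never consented to third-party marketing, and Erin's consent predates the notice that describes this disclosure. Because the suppression set is consulted on every run, an opt-out recorded between batches is honoured automatically rather than relying on someone remembering to remove the address. The same token list can be given to the buyer so they can honour opt-outs you receive after the handover.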

3) Contracts With Buyers And Processors

If a third party processes or receives your data, document the rules in a tailored Data Processing Agreement or data-sharing contract. This should address purpose limitation, security standards, sub-processors, cross-border transfers, deletion/return on termination, audit rights and limits on onward sale or re-identification.

4) Security And Access Controls

APP 11 requires you to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, and to destroy or de-identify it once you no longer need it for a permitted purpose. Apply “need-to-know” access, encryption in transit and at rest, logging of who accessed or exported data, and robust vendor security due diligence. Treat outbound batch files as high-risk artefacts: restrict who can generate them, transfer them over authenticated, encrypted channels, and delete local copies once the recipient confirms receipt. If you store payment card data, PCI DSS applies on top of the APPs.

5) Data Minimisation And Retention

Only collect and disclose what you genuinely need. Set (and follow) sensible retention periods that match your business purpose and legal obligations. For a deeper look at why this matters, see this guide to data retention laws in Australia.

6) Incident Response And Breach Readiness

If a buyer or partner mishandles data, you may still be implicated: where more than one entity holds the same information, a breach at the recipient can be an eligible data breach for you as well. Prepare a practical Data Breach Response Plan so you can triage incidents quickly, assess whether they’re notifiable under the Notifiable Data Breaches scheme (an unauthorised access, disclosure or loss likely to result in serious harm), and meet your legal and contractual obligations. Because the scheme treats notification by one holder as satisfying the others, your contract should say who investigates, who notifies the OAIC and affected individuals, and within what timeframe the recipient must tell you.

7) Marketing Compliance

If data will be used for advertising, make sure your lists and processes comply with the Spam Act and Do Not Call rules. Build unsubscribe mechanisms and keep suppression lists up to date. Review your email flows against Australia’s email marketing laws to avoid penalties.

Step-By-Step: How To Assess A Data Sale Or Sharing Proposal

Thinking about selling or sharing customer data? Use this practical framework to decide whether and how to proceed.

Step 1: Map The Data And The Purpose

List exactly what categories of personal information will be disclosed (e.g., emails, phone numbers, device IDs, purchase history) and why the recipient wants it. Clarify whether it’s for direct marketing, analytics, modelling, or something else. If you can’t articulate a legitimate, specific purpose, pause here.

Step 2: Confirm Your Lawful Basis

Ask: Is the disclosure for the primary purpose it was collected, or a reasonably expected, related secondary purpose? If not, you’ll need valid consent. For sensitive information, plan on obtaining express, opt-in consent. If you can’t get the required legal basis, the deal shouldn’t proceed.

Step 3: Review Transparency And Consents

Compare the proposed disclosure with your collection notices and Privacy Policy. Do they clearly cover this type of third-party disclosure and purpose? If you need to update your disclosures, do that first. Where the proposal relies on consent, verify how consent was captured (opt-in box, timestamp, scope), and put a plan in place to manage withdrawals.

Step 4: Consider Alternatives (De-Identify Or Aggregate)

If you can achieve the business outcome with de-identified or aggregated data, redesign the arrangement to avoid disclosing personal information at all. Implement technical controls to reduce re-identification risk and ban it in the contract.

Step 5: Implement Contractual Controls

Paper the arrangement with a robust Data Processing Agreement or data-sharing contract, including purpose limitation, security, sub-processor approvals, cross-border safeguards, audit cooperation, deletion timelines, breach notification and flow-down obligations to any downstream recipients.

Step 6: Check Marketing Compliance

If the disclosure enables direct marketing, ensure compliance with the Spam Act and Do Not Call rules. Confirm the recipient will honour opt-outs and maintain suppression lists. Align your cookie banner and Cookie Policy if adtech is involved.

Step 7: Finalise Governance And Retention

Decide how long the recipient may keep the data, and require secure deletion on expiry. Update your internal data inventory and retention schedules to reflect the new flow.

Step 8: Prepare For Incidents

Update your Data Breach Response Plan with the new vendor or partner’s contacts and breach obligations. Test escalation pathways so you can move quickly if something goes wrong.

Practical FAQs About Selling Personal Information

Can I sell a customer email list I collected over the years?

Only if your collection notices and consents at the time of collection clearly allowed disclosures to third parties for marketing, and you provide robust opt-out options. Without that, selling the list would likely breach the APPs, and the buyer’s messages would lack the consent the Spam Act requires, which exposes both of you.

Is sharing data with an “analytics partner” different from selling?

Legally, any disclosure to a third party is regulated. Whether you receive money or “value in kind” (e.g., analytics services) doesn’t change your obligations. You still need a lawful basis, transparency, and appropriate contracts and safeguards.

What if I’m a small business - do the APPs still apply?

Possibly. Some small businesses are exempt, but those that trade in personal information can lose that exemption. If you plan to monetise data, it’s best to comply with the APPs as a baseline.

Can I share customer data with a partner who will run the marketing?

Be careful. If you collected the data, your notices and consents need to cover the disclosure. You should also review the partner’s consent mechanisms if they will be contacting your customers directly.

Key Takeaways

  • Selling or sharing personal information is regulated as a “disclosure” under the Privacy Act and the APPs - you need a lawful basis, usually a clearly covered purpose or valid consent.
  • Sensitive information and children’s data require extra care. For direct marketing, express consent is generally needed and opt-outs must be easy.
  • Be transparent: update your Privacy Policy and collection notices to plainly explain who you disclose data to and why.
  • Use strong contracts: a tailored Data Processing Agreement should lock in purpose limits, security, deletion and breach notification duties.
  • Minimise risk: consider de-identification or aggregation, keep data only as long as needed, and align with Australia’s email marketing and telemarketing rules.
  • Prepare for issues: keep a practical Data Breach Response Plan ready and document retention policies that match your data flows.

If you’d like a consultation on data sharing and selling personal information in Australia, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.

Kayleigh Yap

Kayleigh is a graduate in Arts and Law from the University of New South Wales. With an interest in human rights and intellectual property law, she has experience working in communications and marketing for small businesses and not-for-profits.
