It’s become increasingly common for businesses to trade in personal information. Maybe it’s even something that you’re looking to incorporate into your own business model. Or perhaps you’re concerned that your business is inadvertently trading in personal information, and you want to be informed about the consequences of doing so.
When you’re working out whether your business is allowed to trade in personal information, it is important to understand your obligations under privacy law. This area remains complex in 2025, and getting things wrong could see you facing significant penalties. That’s why it’s wise to keep up-to-date by checking resources such as the Office of the Australian Information Commissioner and our own in-depth guides on privacy compliance.
What’s The Difference Between Personal Information And Sensitive Information?
Before you can determine whether your business will trade or is trading in personal information, it’s first important to understand what ‘personal information’ actually is, and how it differs from ‘sensitive information’.
Personal Information
According to the Privacy Act, personal information is “information or an opinion about an identified individual, or an individual who is reasonably identifiable.”
Simply put, personal information is any data that could identify an individual, and can include things such as:
- Name or date of birth
- Contact details (e.g. a residential or business address, or a phone number)
- Photograph
- Internet protocol (IP) address
- Location information from a mobile device
- Credit information
- Voice print or facial recognition biometric data
- Sensitive information
- Tax file number details
- Employee record information
Ultimately, whether information is considered ‘personal information’ depends on whether the individual can be identified or is reasonably identifiable under the circumstances.
Sensitive Information
Sensitive information is a specific category of personal information.
It includes data or opinions relating to an individual’s:
- Racial or ethnic origin
- Sexual orientation or practices
- Religious or philosophical beliefs and affiliations
- Political opinions or associations
- Trade association or union membership
- Criminal record
- Health or genetic information
- Biometric information or templates
Sensitive information generally receives a higher level of protection compared to other types of personal information. Mishandling such data can have a more severe impact on an individual’s privacy.
Did You Know?
Personal information doesn’t have to be true and can include data that is already publicly available. Remember, the definition of personal information is very broad – it isn’t just confined to what is outlined in the Privacy Act. For further insights, check our privacy policy guide.
Does Your Business Trade In Personal Information?
Now that you understand what constitutes ‘personal information’, the next step is to determine what it means to ‘trade in personal information’.
Trading in personal information involves buying or selling personal data without the explicit consent of the individuals involved. For example, if a business buys or sells a mailing list without obtaining consent from the individuals on that list, it is trading in personal information.
Whether your business is considered to be trading in personal information generally comes down to the matter of consent. If you collect and/or disclose personal information to another party for commercial gain without the consent of the individual(s) concerned, you will likely be trading in personal information. Conversely, if you have the consent of the individual, this does not constitute trading – even if payment is involved. Similarly, sharing the information because you are authorised or legally required to do so does not count as trading.
The Privacy Act & The Australian Privacy Principles
If your business trades in personal information in 2025, you must comply with the Privacy Act and the Australian Privacy Principles (APPs). Staying compliant is crucial, not just to avoid penalty notices but also to maintain consumer trust.
The APPs are a set of 13 principles that outline how personal information should be managed. They cover your obligations to prevent interference with an individual’s privacy and avoid regulatory action.
The APPs govern the standards, rights, and obligations regarding:
- How personal information can be collected, used, and disclosed
- Your business’s obligations regarding governance and accountability
- The rights individuals have in accessing their personal information
- The need to maintain the integrity and accuracy of personal information
Your Business’s Obligations Under The APPs
Below is a summary of your business’s obligations under the APPs. Adhering to these principles will help ensure you steer clear of legal issues when trading in personal information:
APP 1. Open and transparent management of personal information
- Your business must take reasonable steps to implement practices and procedures that ensure compliance with the APPs (and any binding registered APP codes), and be equipped to handle related inquiries and complaints. For more details on establishing robust privacy practices, see our Privacy Policy resource.
- You must maintain an up-to-date APP Privacy Policy that outlines how personal information is managed, and make it freely available and accessible.
APP 2. Anonymity and pseudonymity
Individuals should have the option to deal anonymously or under a pseudonym. There are two exceptions:
- When your business is required or authorised by law (or by a court or tribunal order) to identify individuals; or
- When it is impracticable to deal with individuals who have not identified themselves.
APP 3. Collection of solicited personal information
The rules for collecting personal information depend on whether your business is an agency or an organisation, and whether the information is sensitive. In both cases, the information must be collected fairly and lawfully:
- If you operate as an agency, you may only solicit and collect information that is reasonably necessary for your business functions or activities.
- If you operate as an organisation, personal information can only be collected if it is reasonably necessary for your business’s functions or activities.
- For sensitive information, explicit consent must generally be obtained from the individual concerned.
All personal information, whether sensitive or not, must be collected by fair and lawful means – typically directly from the individual. For a deeper dive into these requirements, take a look at our detailed privacy policy guide.
APP 4. Dealing with unsolicited information
If your business receives personal information inadvertently or without a request, you should ask whether this data could have been collected under APP 3. If not, you must de-identify and destroy the information as soon as is practicable.
APP 5. Notification of the collection of personal information
You must ensure that individuals from whom you collect personal information are made aware of key details. These include:
- Your business’s identity and contact details
- The purpose, circumstances, and reasons for collection
- Whether the collection is required or authorised by law
- The implications if personal information is not collected
- Information about your APP Privacy Policy
- Your business’s usual practices around disclosing personal information
- Whether personal information may be disclosed overseas, and if so, where these recipients are located (if practicable)
APP 6. Use or disclosure of personal information
Unless an exception applies, your business can only use and disclose personal information for the purpose for which it was originally collected.
APP 7. Direct marketing
Your business must not use or disclose personal information for direct marketing purposes unless an exception applies. Individuals also have the right to request that their information is not used for direct marketing.
APP 8. Cross-border disclosure of personal information
Before disclosing any personal information to overseas recipients, you must take reasonable steps to ensure that the recipient complies with the APPs. This accountability extends to any improper handling of the information by the overseas party.
APP 9. Adoption, use or disclosure of government related identifiers
Generally, both organisations and certain agencies should not adopt, use or disclose government-related identifiers.
APP 10. Quality of personal information
Your business must take reasonable steps to ensure that personal information is accurate, current, and complete.
APP 11. Security of personal information
You must protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. When the information is no longer needed, it should be de-identified or destroyed (unless an exception applies).
APP 12. Access to personal information
Individuals generally have the right to request access to the personal information your business holds about them.
APP 13. Correction of personal information
You are required to take reasonable steps to correct personal information to ensure it is accurate, complete, current, relevant, and not misleading.
The Office of the Australian Information Commissioner provides a comprehensive explanation of the APPs here.
What Is The GDPR And Why Do You Need To Know About It?
The European Union (EU) introduced the General Data Protection Regulation (GDPR) in May 2018. While originally an EU regulation, its impact is felt worldwide—even in Australia in 2025.
If your website is accessible globally and uses cookies or other tracking tools to monitor user behaviour, it is essential to ensure your business complies with the GDPR. The steps involved are very similar to those required under the APPs, though with a few extra considerations specific to the EU.
The good news is that if your business already complies with the APPs, you’re likely to meet most of the GDPR requirements. However, you may need to implement a few updates, such as adopting a GDPR compliant privacy policy and ensuring your data processing practices are consistently aligned with EU standards.
‘Personal Information’ vs ‘Personal Data’
In the context of the GDPR, you’ll often notice the term “personal data” used instead of “personal information”. While both terms are similar – relating to any data that can identify an individual – the GDPR’s definition encompasses a broader range of identifiers, such as identification numbers, location data, and online identifiers.
For a useful overview of what the GDPR deems as personal data, visit this resource.
Consent & The GDPR
Under the GDPR, your business must be able to demonstrate that an individual has expressly consented to the collection and processing of their personal data. A straightforward method to ensure compliance is by having customers tick a box confirming their consent in line with your privacy policy.
Consumer Rights & The GDPR
The GDPR outlines a comprehensive list of consumer rights that exceed the provisions of the APPs. These rights include:
- The right to the erasure of personal data: Customers can request the deletion of their data if it is no longer necessary, if they withdraw consent, or if it was collected unlawfully.
- The right to data portability: Customers can require that their personal data be provided in a structured, commonly used, and machine-readable format.
- The right to object to the processing of personal data: At any stage, customers may object to the ongoing processing of their personal data.
With advancements in AI and data analytics in 2025, businesses must continually update their data privacy practices. For example, emerging technologies raise new challenges for consent management and data security. Read more about the legal side of ChatGPT and other digital tools to stay ahead.
It’s Best To Get Consent
When in doubt about what you can or can’t do with the personal information you collect, the best strategy is to be transparent and honest with your customers. Not only will this help your business avoid breaching any privacy laws and regulations, but it also builds trust with your audience. Our Privacy Policy resources offer excellent guidance in communicating these practices clearly.
If you have a website, make sure your privacy policy is easy to find and written in plain language. It should detail what information you collect, the reasons for collecting it, and how it will be used. Additionally, asking customers to confirm they have read and agree to your privacy policy can help safeguard your business legally.
While it might be tempting to draft your own privacy policy, we recommend that you seek professional advice. A lawyer can draft a privacy policy tailored to your business, ensuring compliance with both the APPs and the GDPR.
Need Help?
Understanding what you can and can’t do with your customer’s personal information can be complex, especially as privacy laws continue to evolve in 2025. Whether you need help drafting a privacy policy or are unsure about your current compliance status, our team of experienced lawyers at Sprintlaw is here to assist.
Don’t hesitate to get in touch at team@sprintlaw.com.au or call us on 1800 730 617 for a free, no-obligations chat. For more information on managing business risks and ensuring legal compliance, check out our Business Set-Up Guides and Legal Tips.