Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Launching or growing a business online is exciting - but if your website collects any personal information, you’ll also need to think seriously about privacy.
A clear, compliant Website Privacy Policy does more than tick a legal box. It sets expectations, builds trust with customers, and helps you avoid penalties if something goes wrong.
In this guide, we’ll explain when you need a Website Privacy Policy in Australia, what it must cover under the Privacy Act, how it fits with your broader data practices (cookies, email marketing and data breaches), and the practical steps to get your website policy in place.
Do Australian Small Businesses Need A Website Privacy Policy?
In Australia, privacy obligations are primarily set out in the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Whether you’re legally required to have a Privacy Policy depends on whether you’re an “APP entity”. Generally, this includes businesses with more than $3 million annual turnover, but there are important exceptions where smaller businesses must still comply.
You’ll likely need a Website Privacy Policy if you:
- Have annual turnover above $3 million; or
- Collect, use or disclose health information (e.g. fitness, allied health, telehealth); or
- Trade in personal information (sell, rent, exchange data); or
- Provide services under contract to the Commonwealth; or
- Operate an accredited consumer data scheme (specialist cases); or
- Are otherwise captured by the Privacy Act due to your activities.
Even if you’re not strictly an APP entity today, most websites collect personal information (think contact forms, checkout, analytics and remarketing). Having a transparent, tailored Privacy Policy is now standard practice and strongly recommended. It reduces risk, supports customer trust and prepares you for growth - including potential law reforms that may expand the Act’s coverage.
What Must An Australian Website Privacy Policy Include?
Your Privacy Policy must be easy to find, written in plain English and reflect what you actually do. Under APP 1.4, your policy should cover - at a minimum - the following areas.
1) What You Collect
- Types of personal information (e.g. name, contact details, payment info, device data, user-generated content).
- Sensitive information (e.g. health data) if applicable - and how you obtain consent.
2) How You Collect It
- Direct collection (forms, checkout, support chats).
- Indirect collection (referrals, third-party integrations).
- Automatic collection (cookies, pixels, analytics SDKs).
3) Purposes Of Collection And Use
- Core business operations (fulfil orders, provide services, support).
- Marketing and communications (including opt-out mechanisms).
- Analytics and website performance.
4) Disclosure To Third Parties
- Service providers (hosting, email, cloud storage, payment gateways, CRMs).
- Cross-border disclosure (where data is stored or accessed overseas, and how you safeguard it).
5) Access, Correction And Control
- How users can access and correct their personal information.
- Choices around marketing, cookies and account settings.
6) Security Measures
- Administrative, technical and physical safeguards appropriate to your business.
- Staff training and vendor management.
7) Data Retention And Deletion
- How long you retain different categories of data and how you securely destroy or de-identify it.
- Reference your approach to data retention laws where relevant.
8) Complaints And Contact Details
- How individuals can lodge privacy complaints with you (and how you’ll handle them).
- How to escalate unresolved complaints to the Office of the Australian Information Commissioner (OAIC).
9) Cookies And Online Tracking
- Explain the types of cookies and similar technologies you use, why you use them and how users can manage preferences.
- If you offer granular choices or use a separate Cookie Policy, make sure your Privacy Policy references it.
Important: Your policy must match your practices. If you change your tech stack (e.g. add a new analytics tool, enable remarketing or start selling subscriptions), update your Privacy Policy and your internal processes accordingly.
Privacy Policy Vs Collection Notice: What’s The Difference?
They work together, but they’re not the same.
- A Privacy Policy is your high-level, always-on statement about your overall data handling practices. It sits on your website and applies across your business.
- A Collection Notice is a short, context-specific notice you present at the point of collection (e.g. near a form or checkout). It explains what information you’re asking for right now, the purpose and key disclosures. Many businesses use a tailored Privacy Collection Notice alongside their policy.
Together, these ensure people understand what’s happening with their data before they hand it over, and they help you meet APP 5 obligations.
How Cookie Banners, Email Marketing And Overseas Tools Fit In
Privacy on a modern website goes beyond a document - it’s about the ecosystem of tools you use and how you communicate with customers.
Cookies And Consent
Australia doesn’t currently require EU-style cookie consent banners in all cases. However, you still need to be transparent about tracking and give users meaningful choices where appropriate. If you target EU/UK visitors, you’ll need to consider GDPR/UK GDPR as well, which have stricter consent requirements. Many Australian businesses pair a Privacy Policy with a clear Cookie Policy and consent controls.
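As an added example (not code from the article or from Sprintlaw), the block below shows what “meaningful choices” look like in practice on the client side: non-essential tracking scripts are not loaded until the visitor opts in to their category, the consent record carries the version of the Cookie Policy it was given against so that a changed policy invalidates old consent, and withdrawal is a first-class operation. The tag catalogue, the policy version string, the `loader` callback and the `storage` map are all assumptions so the logic runs outside a browser; in a real site the loader would insert a `<script>` element and storage would be a cookie or `localStorage`.

```javascript
// Added example, not from the article. Consent-gated tag loading with a
// versioned consent record. Assumed inputs: POLICY_VERSION, TAGS, and an
// injected loader/storage so the logic runs headless under Node.

const POLICY_VERSION = "2024-06"; // assumption: bump whenever the Cookie Policy changes

// Constructed sample catalogue. 'essential' tags run without consent; every
// other category needs an explicit opt-in. URLs are placeholders.
const TAGS = [
  { id: "session",     category: "essential", src: null },
  { id: "analytics",   category: "analytics", src: "https://example.com/analytics.js" },
  { id: "remarketing", category: "marketing", src: "https://example.com/pixel.js" },
];

function createConsentManager({ loader, now = () => Date.now(), storage = new Map() }) {
  const loaded = new Set(); // tags already injected; never inject twice

  // Returns the stored consent record, or null when none exists or it was
  // given against an older policy version (stale consent is treated as no consent).
  function getConsent() {
    const raw = storage.get("consent");
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.policyVersion === POLICY_VERSION ? rec : null;
  }

  // Records an opt-in. Only categories the visitor actively chose are granted:
  // nothing is pre-ticked, so an empty list records "essential only".
  function recordConsent(categories) {
    const rec = {
      policyVersion: POLICY_VERSION,
      grantedAt: new Date(now()).toISOString(),
      categories: Object.fromEntries(categories.map((c) => [c, true])),
    };
    storage.set("consent", JSON.stringify(rec));
    return rec;
  }

  // Withdrawal removes the record; the caller should also expire the cookies
  // the withdrawn tags set, since this module cannot see them.
  function withdrawConsent() {
    storage.delete("consent");
  }

  // Injects every tag the current consent permits and returns their ids.
  function applyConsent() {
    const rec = getConsent();
    const permitted = TAGS.filter(
      (t) => t.category === "essential" || (rec !== null && rec.categories[t.category] === true)
    );
    for (const t of permitted) {
      if (!loaded.has(t.id)) {
        loaded.add(t.id);
        if (t.src) loader(t.src);
      }
    }
    return permitted.map((t) => t.id);
  }

  return { getConsent, recordConsent, withdrawConsent, applyConsent };
}

// Stand-alone demo: first visit loads essentials only, then the visitor opts
// in to analytics (but not marketing) and only the analytics script is fetched.
if (typeof require !== "undefined" && require.main === module) {
  const cm = createConsentManager({ loader: (src) => console.log("load", src) });
  console.log(cm.applyConsent());          // [ 'session' ]
  cm.recordConsent(["analytics"]);
  console.log(cm.applyConsent());          // load https://example.com/analytics.js, then [ 'session', 'analytics' ]
}
```

The point a reviewer would check is the order of operations: `applyConsent()` is the only path that injects a script, and it consults the stored record on every call, so a banner that merely hides itself without writing a record never unlocks analytics or remarketing.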
Email And SMS Marketing
To promote your business lawfully, you must comply with the Spam Act 2003 (consent, identification and unsubscribe rules), and make sure your privacy statements align with your marketing practices. Our guide to email marketing laws explains the essentials and common pitfalls for small businesses.
International Data Transfers And Vendors
If you use overseas service providers (common with cloud software and plugins), you’ll need to disclose this and ensure appropriate protections are in place. Many businesses put a Data Processing Agreement (DPA) in place with key vendors to set security, confidentiality and breach obligations.
Step-By-Step: How To Create (And Maintain) Your Website Privacy Policy
Step 1: Map Your Data Flows
List each touchpoint where you collect personal information (newsletter signup, checkout, booking request, support, events, lead magnets) and any tools involved (payment gateways, analytics, chat widgets, CRMs). Note what you collect, why, where it’s stored and who has access.
Step 2: Decide What’s Necessary
Only collect what you actually need. If you collect less, you reduce risk and make compliance easier. Consider minimising the collection of sensitive information unless essential and lawful.
Step 3: Draft A Tailored Privacy Policy
Use your data map to inform a policy that’s accurate, plain-English and aligned with the APPs. Avoid copy-paste templates that don’t reflect your operations - inconsistencies can create liability. If you’re short on time, a lawyer can prepare a business-specific Privacy Policy that covers your website, app and offline channels.
Step 4: Add Collection Notices To Key Forms
Place a clear, concise Privacy Collection Notice near forms and checkouts (and inside your app). Link to your full Privacy Policy. If you’re relying on consent for certain processing, make sure you’re actually capturing it (e.g. an unticked opt-in checkbox for marketing, not a pre-ticked one) and that you keep a record of what was agreed to and when.
Step 5: Align Your Other Documents
Update your Website Terms and Conditions, refunds/returns information and customer communications so they’re consistent with your privacy statements. If you use cookies or remarketing, publish (and maintain) an accurate Cookie Policy.
Step 6: Put Internal Processes In Place
- Security and access controls proportionate to your risk profile.
- Vendor due diligence and DPAs with critical suppliers.
- Retention and deletion schedules (see our note on data retention laws).
- A documented Data Breach Response Plan so you can contain, assess and, where required, notify eligible data breaches under the Notifiable Data Breaches (NDB) scheme.
Step 7: Publish And Keep It Up To Date
Display your Privacy Policy prominently in your website footer and during account creation/checkout. Review it at least annually, or whenever you change your tech stack, start new marketing programs or expand internationally.
Common Mistakes To Avoid
- Copying a generic policy: If it doesn’t match your practices, you risk misleading users and breaching the APPs.
- Forgetting third-party tools: Analytics, chat widgets, A/B testing and embedded media often collect data - disclose these appropriately.
- “Set and forget” policies: Your data ecosystem evolves. Review regularly and align your policy, notices and backend processes.
- No process for rights requests: Make sure you can action access/correction requests efficiently and securely.
- Missing breach playbook: Without a tested plan, you’ll lose precious time if a breach occurs. A clear Data Breach Response Plan is essential.
Which Other Legal Documents Support Your Privacy Compliance?
Your Privacy Policy sits within a broader compliance framework. Depending on your model, consider the following:
- Privacy Policy: Your overarching statement covering collection, use, disclosure, security, retention, access/correction and complaints.
- Privacy Collection Notice: Short, context-specific notices at forms and checkouts, meeting APP 5 requirements.
- Cookie Policy: Details your use of cookies, pixels and similar tech, including preferences and opt-outs.
- Data Processing Agreement: Contract terms with processors and key vendors to set security and privacy obligations.
- Data Breach Response Plan: Your step-by-step process for identifying, containing, assessing and notifying eligible data breaches.
- Website Terms and Conditions: Governs use of your site, IP ownership, liability and acceptable use.
You might also consider internal policies like an Information Security Policy and procedures for handling privacy complaints and support tickets, so your team knows exactly what to do.
Practical FAQs For Small Businesses
Where should I place my Privacy Policy on my website?
Put a persistent link in your website footer. Also reference it during account creation, checkout, newsletter sign-up and within your mobile app or portal.
Do I need consent for all data collection?
Not always. Consent is required for some handling (for example, collecting sensitive information such as health data, or some forms of direct marketing), but the APPs otherwise allow you to collect personal information that is reasonably necessary for your functions or activities. If you’re relying on consent (e.g. for direct marketing via email/SMS), make sure it’s valid, recorded and easy to withdraw. See our guide on email marketing laws for Spam Act requirements.
What about GDPR if I sell to EU/UK customers?
If you actively target EU/UK users or monitor their behaviour, GDPR/UK GDPR may apply. You’ll likely need stronger consent mechanisms, additional disclosures and specific contractual terms with processors. Build this into your planning if you’re expanding internationally.
How often should I review my Privacy Policy?
At least annually, and whenever your data practices change (e.g. new tools, markets or products). Treat privacy as a living system, not a static document.
Key Takeaways
- If your website collects personal information, a clear, accurate Website Privacy Policy is essential - and often legally required under the Privacy Act.
- Your policy must reflect reality: what you collect, why, who you share it with (including overseas vendors), how you secure it, and how users can access, correct and complain.
- Pair your Privacy Policy with a short, context-specific Privacy Collection Notice at key touchpoints, and publish a Cookie Policy if you use tracking technologies.
- Back up your policy with processes: vendor contracts (DPAs), security controls, retention/deletion practices and a tested Data Breach Response Plan.
- Keep everything consistent with your Website Terms and Conditions and your marketing practices (including Spam Act compliance and unsubscribe options).
- Review and update your privacy framework as your business and tech stack evolve - privacy is an ongoing commitment, not a one-off task.
If you’d like a consultation about creating or updating your website Privacy Policy in Australia, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.