Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A Privacy Policy, In Simple Terms?
- Do Small Businesses In Australia Need A Privacy Policy?
- What Should A Privacy Policy Include?
- 1) The Types Of Personal Information You Collect
- 2) How You Collect It
- 3) Why You Collect It (Your “Purposes”)
- 4) Who You Share It With
- 5) Cookies, Analytics And Tracking
- 6) Direct Marketing And Opt-Outs
- 7) Data Storage, Security And Retention
- 8) Access, Correction And Complaints
- 9) Data Breach Notifications
- 10) Contact Details And Policy Updates
- Where And How Should You Display Your Privacy Policy?
- Key Takeaways
What Is A Privacy Policy, In Simple Terms?
A Privacy Policy is a public statement that explains your business’s approach to collecting, using and protecting personal information. It’s typically published on your website and provided when you collect data in other ways (for example, in-store forms or app sign-up flows). Think of it as your “data transparency notice”: it tells customers, in plain English, what happens to their information behind the scenes. The policy should be accurate, easy to find and easy to understand. Under Australia’s Privacy Act 1988 and the Australian Privacy Principles (APPs), many businesses are legally required to have a clearly expressed, up-to-date Privacy Policy (this is APP 1). Even if you’re not strictly caught by the Act, a clear Privacy Policy is now a customer expectation and best practice for managing risk. If you’re starting from scratch or updating an old policy, it’s worth having a tailored Privacy Policy drafted so it reflects your actual practices rather than a generic template.
Do Small Businesses In Australia Need A Privacy Policy?
In Australia, most businesses with annual turnover of more than $3 million must comply with the Privacy Act and the APPs, which includes having a compliant Privacy Policy. Many small businesses under the $3 million threshold also need a Privacy Policy because they fall into special categories. You’ll generally need to comply if you:
- Operate in a regulated sector (for example, health service providers who collect health information);
- Trade in personal information (including selling or renting customer lists);
- Provide services under a Commonwealth contract (which brings you under the Act), or are contractually required by larger customers to meet privacy obligations;
- Are a credit reporting body, or have other specific legal obligations (for example, under state or territory health records laws).
What Should A Privacy Policy Include?
Your Privacy Policy should mirror how your business actually handles data. If your practices change, your policy should change too. As a starting point, make sure it covers the essentials below.
1) The Types Of Personal Information You Collect
List the kinds of personal information you handle. This often includes names, contact details, account logins, purchase history, payment information, support queries, and marketing preferences. If you collect sensitive information (for example, health or biometric data) or government identifiers, call that out clearly.
2) How You Collect It
Explain whether you collect information directly (e.g. checkout forms, sign-ups, customer service) or indirectly (e.g. website analytics, cookies, third-party partners). If you use CCTV in your store or workplace, mention it, and ensure you also consider your obligations under security camera laws in Australia.
3) Why You Collect It (Your “Purposes”)
Be specific about your purposes: to deliver products or services, manage accounts, process payments, provide support, personalise marketing, improve the website or app, or comply with legal obligations. Avoid catch-all statements without context.
4) Who You Share It With
List the categories of third parties you share data with, such as payment processors, delivery partners, IT providers, marketing platforms, analytics tools and professional advisers. If any recipients are overseas, say where (by country or region) and how you protect that transfer; under APP 8 you remain accountable for how overseas recipients handle the information.
5) Cookies, Analytics And Tracking
Explain what cookies and similar technologies you use, and what they do (for example, remembering preferences or measuring traffic). Many businesses also publish a separate Cookie Policy for added clarity.
6) Direct Marketing And Opt-Outs
If you send marketing, state how you’ll do this and how customers can opt out. This includes email, SMS, retargeting and in-app messaging.
7) Data Storage, Security And Retention
Outline how you protect personal information (for example, access controls, encryption and staff training), where data is stored, and how long you keep it. Under APP 11 you must take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, and to destroy or de-identify it once it is no longer needed for a permitted purpose, so your stated retention periods and disposal practices should match what you actually do.
8) Access, Correction And Complaints
Explain how people can access and correct their personal information, and how to lodge a complaint. It helps to reference your internal Privacy Complaint Handling Procedure and timelines for responses.
9) Data Breach Notifications
Briefly outline how you’ll respond to privacy incidents. Under the Notifiable Data Breaches scheme, if you have reasonable grounds to suspect an eligible data breach you must assess it promptly (within 30 days), and where the breach is likely to result in serious harm you must notify the OAIC and affected individuals as soon as practicable. It’s smart to have a Data Breach Response Plan in place and to state in your policy that your team will act promptly if a breach occurs.
10) Contact Details And Policy Updates
Provide a privacy contact email and note how you’ll communicate updates to the policy (for example, posting the new version on your website with an updated “last revised” date).
Where And How Should You Display Your Privacy Policy?
Make it easy to find and hard to miss. Practical tips include:
- Put a “Privacy” link in your website footer and in your app’s settings or account screens;
- Provide a just-in-time notice or link where data is collected (for example, next to the email field on a sign-up form);
- Reference the policy in your Website Terms and Conditions and any account creation pages;
- If you collect personal information offline, include a link or QR code on paper forms, or provide a copy on request;
- Use a concise summary at the point of collection and link to the full policy for details.
Related Documents To Pair With Your Privacy Policy
A Privacy Policy is only one part of your privacy framework. To manage risk and meet modern customer and partner expectations, most businesses also need the documents below.
Privacy Collection Notice
This is the short notice you provide at the point of collection (the APP 5 notification) that summarises the key details (what you’re collecting, why, and how to contact you) and links to your full policy. Keep it simple and user-friendly, and make sure it is consistent with the full Privacy Policy it links to.
Data Processing Agreement (For Vendors And Partners)
If you share personal information with service providers (for example, cloud platforms, CRM tools, fulfilment partners), your contracts should include privacy and security clauses. Many businesses use a Data Processing Agreement to set clear rules on handling personal information, subcontracting, security controls and breach notification.
Data Breach Response Plan
This internal playbook sets out how you identify, assess and respond to suspected breaches, including roles, timelines and decision-making criteria for notifications. As noted above, a documented Data Breach Response Plan helps your team act fast and consistently.
Website And App Terms
Your Privacy Policy explains data handling, while your site rules govern use of the platform itself. Make sure your site or app has up-to-date Website Terms and Conditions so users understand acceptable use, IP ownership, disclaimers and liability limits.
Cookie Policy
While you can include cookie information in your privacy statement, many businesses also publish a separate, scannable Cookie Policy with details about categories of cookies and options to manage preferences.
Email Disclaimer
When sending sensitive communications, an Email Disclaimer can support your confidentiality practices and set expectations for recipients. It’s not a substitute for lawful handling, but it helps signal your intentions and process.
How To Create And Maintain A Compliant Privacy Policy
Privacy isn’t a one-time document; it’s an ongoing process. Here’s a practical way to set up and stay compliant without drowning in paperwork.
Step 1: Map Your Data Flows
List the personal information you collect, where it comes from, where it goes, who can access it, and how long you keep it. Include all channels: web forms, payment systems, support emails, marketing platforms, CCTV, in-store sign-ups and any third-party integrations. This “reality check” ensures your policy reflects what actually happens, and it often reveals quick wins, such as deleting data you no longer need.
Step 2: Draft (Or Refresh) Your Privacy Policy
Use your data map to write a clear, accurate policy that covers the essentials listed above. Avoid copying a competitor’s policy: if your practices differ, a misaligned statement can create legal risk. A tailored Privacy Policy drafted for your business and industry will be easier to maintain over time.
Step 3: Integrate A Collection Notice
Add a brief notice wherever you collect data (for example, sign-up pages, checkout flows, contact forms) that summarises the key points and links to the full policy, using your Privacy Collection Notice wording.
Step 4: Update Your Contracts With Service Providers
Review the agreements you have with suppliers who process data for you. Ensure they include privacy, security and breach terms, or put a Data Processing Agreement in place. This is especially important if vendors are overseas.
Step 5: Train Your Team And Set Internal Processes
Privacy compliance is a team sport. Train staff on handling customer data, recognising phishing and the escalation steps to follow if something goes wrong. Document processes for access requests, corrections and complaints.
Step 6: Prepare For Incidents
Even with good controls, incidents happen. Keep your Data Breach Response Plan ready to hand, run a short tabletop exercise against it, and keep your contact lists current. This reduces response time when it matters most.
Step 7: Review Regularly
Set a cadence (for example, every 6-12 months) to review your policy, cookie practices, vendor list and security settings. If you launch new products or start collecting new data types, update the policy before or at the time of change.
Common Questions From Small Business Owners
Is Privacy The Same As Confidentiality?
Not quite. Privacy laws focus on personal information about individuals, while confidentiality covers any information you’ve promised to keep secret (such as business strategies or trade secrets). Both matter (see our overview of the difference between privacy and confidentiality), but your Privacy Policy specifically addresses personal information handling.
Do I Need Consent To Collect Personal Information?
It depends. Consent is one basis, but often your legitimate business activities (for example, providing the service a customer requested) will justify the collection. That said, consent is usually needed for direct marketing through some channels (for example, commercial emails and SMS under the Spam Act 2003), for collecting sensitive information, and for particular uses such as biometric processing. Your policy and notices should reflect your approach.
What If I Use CCTV In My Shop Or Office?
CCTV footage of identifiable people is personal information. Make sure signage is clear, the purpose is legitimate (for example, security), and footage is kept secure and only retained as long as necessary. Your policy should mention camera use, and you’ll also want to comply with relevant CCTV laws in Australia.
Does Having A Privacy Policy Protect Me From All Risk?
No. A policy helps with transparency and compliance, but you still need the right contracts, security controls and internal processes. That’s why pairing your policy with strong vendor terms, a breach plan and staff training is essential.
Where Does My Website Fit In?
Most businesses collect data online, so make sure your Privacy link is prominent and your Website Terms and Conditions and cookies approach match what your policy says. If you send newsletters or promos, ensure opt-out tools work properly and that your communications are consistent with your privacy wording.
Key Takeaways
- A Privacy Policy is your public promise about how your business handles personal information: be clear, accurate and easy to find.
- Many Australian small businesses are required to comply with the Privacy Act, and even if you’re not strictly caught, customers and partners expect a proper policy.
- Cover the essentials: what you collect, how and why you use it, who you share it with, cookies, marketing, security, retention, access/correction, complaints and breach response.
- Publish your policy visibly on your website and at any point of data collection, and keep it aligned with your real-world practices.
- Round out your privacy framework with a Privacy Collection Notice, Data Processing Agreement, Data Breach Response Plan and solid Website Terms and Conditions.
- Privacy is ongoing: map your data, train your team, review vendors and update your policy whenever your practices change.