Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a business in Australia, chances are you collect personal information at some point - even if it’s just customer names, email addresses, delivery details, or payment confirmations.
That’s where the question comes in: what is a privacy statement, and do you actually need one?
A privacy statement is one of those things that can feel “nice to have” when you’re busy building your business. But in practice, it’s often a key trust-builder for customers. It can also help you communicate - and meet - your privacy obligations, particularly if your business is covered by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Below, we’ll break down what a privacy statement is, how it differs from a Privacy Policy, when you need one, and what you should include so it actually helps your business (instead of just being generic legal filler).
What Is A Privacy Statement (And Why Does It Matter)?
In plain terms, a privacy statement is a short, clear notice that explains how your business handles personal information.
It usually tells people:
- what personal information you collect
- why you collect it
- how you use it
- who you share it with (if anyone)
- how they can contact you about privacy concerns
For small businesses, a privacy statement often shows up:
- on a website page or footer link
- on checkout pages (especially for eCommerce)
- on sign-up forms and lead capture forms
- inside apps or platform onboarding screens
- in customer-facing documents (like onboarding packs or account sign-up terms)
Why does it matter? Because privacy expectations have changed. Customers and clients increasingly want transparency about what happens to their data - and regulators do too.
And if you’re an APP entity, these disclosures aren’t just a “nice to have”: you generally need a compliant Privacy Policy (APP 1) and you also need to give a privacy collection notice (APP 5) when you collect personal information (with some exceptions). A privacy statement is often the practical way businesses deliver that “collection notice” at the point of collection.
Privacy Statement Vs Privacy Policy: What’s The Difference?
This is one of the most common points of confusion for business owners.
A privacy statement is usually a shorter, simpler explanation of your personal information practices. A Privacy Policy is generally more detailed and formal.
In many small businesses, the terms are used interchangeably. However, it’s useful to think about them like this:
A Privacy Statement Is Often “Just-In-Time”
A privacy statement is often presented at the point where you collect personal information, or where customers need quick clarity.
For example, on a form where someone enters their email address to receive a newsletter, you might include a short statement explaining what you’ll do with that email address - and link to your Privacy Policy for full details.
A Privacy Policy Is Your Broader, Ongoing Document
A Privacy Policy typically sits on your website and covers your business’s overall approach to handling personal information across different situations.
It often includes more detail about:
- how you collect, store and protect personal information
- how people can access and correct their information
- how you manage privacy complaints
- whether you disclose personal information overseas (and how)
- how your practices apply across your systems, platforms and vendors
For many businesses, it makes sense to have a proper Privacy Policy and then use shorter privacy statements in specific places (like forms, bookings, and checkout pages) that point back to it.
If you also use personal information for marketing (email, SMS, remarketing audiences, and so on), your privacy wording should align with your broader marketing compliance too - for example, your email marketing laws obligations.
Do Australian Businesses Need A Privacy Statement?
There isn’t one single rule that says: “Every business must have a privacy statement.” Instead, the real question is whether your business has legal obligations under Australian privacy law - and how you’re going to communicate them clearly at the point you collect personal information.
If you’re an APP entity, you’ll generally need:
- a compliant Privacy Policy (APP 1), and
- a privacy collection notice when you collect personal information (APP 5).
Many businesses use a “privacy statement” as that practical, customer-friendly collection notice (often with a link to the full Privacy Policy).
When You’re Likely To Need Privacy Disclosures
You’re more likely to need a privacy statement (and usually a Privacy Policy) if you:
- collect personal information through your website (enquiry forms, online bookings, online store checkouts)
- use analytics, tracking tools, or advertising pixels that collect data about website users
- run a membership program, subscription, or online account system
- collect sensitive information (such as health information)
- provide services to government clients or larger organisations (they may require it contractually)
- have an app or platform where users create profiles
What About The Privacy Act And “Small Business Exemptions”?
In Australia, the Privacy Act 1988 (Cth) applies to many organisations, including most businesses with an annual turnover of more than $3 million. Some smaller businesses can still be covered in certain situations (for example, depending on what data you handle and how you operate - including if you’re a health service provider or otherwise fall within specific categories under the Act).
Even where an exemption may apply, it’s still common for small businesses to adopt privacy documents because:
- customers expect transparency
- partners and platforms may require it
- it reduces reputational and operational risk
- it creates consistency in how staff and contractors handle data
Also, privacy doesn’t exist in a vacuum. Your privacy approach should match your operational reality - including how you manage customer accounts, handle complaints, and store data. If you’re collecting personal information as part of providing goods or services, your privacy wording should sit comfortably alongside your other customer-facing terms, like your Business Terms.
What Should A Privacy Statement Include? (A Practical Checklist)
A good privacy statement is one your customers can actually understand - and one your business can actually follow.
At a practical level, we usually recommend that your privacy statement covers the points below.
1. What Personal Information You Collect
Spell out the categories of information you collect. This might include:
- name, email address, phone number
- billing and delivery address
- account login details (if relevant)
- customer support communications
- device information and website usage data (where relevant)
This helps avoid surprises - and it also forces you to be honest about your actual data practices.
2. How You Collect It
For example, do you collect information when someone:
- fills out an online form
- makes a purchase
- subscribes to a newsletter
- contacts you via email or phone
- uses your website (via cookies/analytics)
If your website uses cookies, pixels, SDKs or similar technologies, consider whether you also need a separate cookie notice or cookie policy (particularly if you use them for advertising or cross-site tracking). Many businesses choose to keep a short statement on key pages and link it to more detailed website terms.
3. Why You Collect It (Your Purposes)
Be specific. Common purposes include:
- providing products or services
- processing payments and deliveries
- managing customer accounts
- responding to enquiries and support requests
- sending marketing communications (where permitted)
- analytics and service improvement
This is important because customers want to know whether you’re collecting data just to fulfil an order - or whether you’re using it for marketing, profiling, or third-party advertising.
4. Who You Share It With
Most small businesses share personal information with third parties in some form, even if they don’t think of it as “sharing”.
Examples include:
- payment processors
- delivery and logistics providers
- booking software providers
- cloud storage and email hosting providers
- accounting and admin tools
- marketing platforms (email/SMS tools)
You don’t necessarily need to list every vendor by name in a short privacy statement, but you should clearly describe the types of third parties involved.
5. Overseas Disclosure (If Relevant)
If your systems store data overseas (for example, if your CRM or email provider hosts data outside Australia), it’s a good idea to state that personal information may be disclosed to, or stored with, overseas recipients.
This is one area where getting the wording right matters, because overseas disclosures can trigger additional compliance steps for APP entities.
6. How You Store And Protect Personal Information
A privacy statement doesn’t need to be a cybersecurity manual. But it should reassure customers that you take reasonable steps to protect information from misuse, interference, loss, and unauthorised access, modification, or disclosure.
If you have specific processes (access controls, limited staff access, secure systems), you can describe them at a high level.
7. How People Can Access, Correct Or Complain
Include a simple contact pathway, such as an email address, and explain (briefly) that people can contact you to:
- request access to their personal information
- request corrections
- make a privacy complaint
This is one of those small details that can prevent a minor issue from becoming a bigger dispute.
Where Should You Display Your Privacy Statement?
It’s not enough to have privacy wording hidden in a footer that nobody reads. Ideally, your privacy statement should show up where it’s most useful - at the point your customers are handing over their personal information.
Here are common places Australian businesses use privacy statements effectively:
Website Footer
This is still the standard “home” for a full Privacy Policy. Many businesses include a short privacy statement in key places and link back to the full policy here.
Enquiry Forms And Lead Forms
If you’re collecting email addresses and phone numbers, include a short statement like: “We’ll use your details to respond to your enquiry. Our Privacy Policy explains how we handle personal information.”
Checkout Pages
In eCommerce, privacy concerns often show up at checkout. A simple privacy statement can reduce cart abandonment by answering “what are you doing with my details?” upfront.
Bookings And Onboarding
If you run a service business (appointments, consulting, trades, allied health, education), consider privacy wording in your onboarding workflow - including any customer contract or service terms.
If you operate online, your privacy statement should also align with your broader website legal framework, including Website Terms and Conditions.
Common Privacy Statement Mistakes (And How To Avoid Them)
Privacy wording often goes wrong in predictable ways - usually because it’s copied from a template that doesn’t match the business, or because it’s written too vaguely to be meaningful.
Using Generic, “Copy-Paste” Clauses That Don’t Match Your Business
If your privacy statement says you collect information you don’t actually collect (or fails to mention information you do collect), you create risk.
It can also damage trust quickly, especially if a customer feels misled about where their data is going.
Not Matching Your Actual Customer Journey
Let’s say your privacy statement says customers can contact you about privacy issues via email, but your support system is actually a third-party helpdesk platform where messages are visible to contractors.
That mismatch can become a problem if a complaint arises. Your privacy statement should reflect how your business really operates.
Forgetting About Marketing And Consent
If you collect emails for a “download” or enquiry, and then automatically add those emails to a marketing list, you need to be careful about how you describe that.
As a general rule, be clear about whether you’ll send marketing, and how people can opt out.
Not Coordinating With Other Legal Documents
Your privacy statement should be consistent with your other legal documents and operational policies.
For example:
- If you have staff handling customer data, your internal privacy practices should align with employment documentation like an Employment Contract.
- If you operate a platform or subscription business, your privacy approach should align with the way your subscription terms work (especially around user accounts and communications).
Consistency is what makes your documents practical - and defensible - if questions come up later.
Key Takeaways
- A privacy statement is a clear, customer-friendly explanation of how your business collects, uses, and shares personal information (often used as a “just-in-time” notice at the point of collection).
- Many businesses use privacy statements as short notices, supported by a more detailed Privacy Policy.
- If you’re an APP entity, you generally need a Privacy Policy (APP 1) and you generally need to provide a collection notice (APP 5) - a privacy statement is often how businesses do this in practice.
- A practical privacy statement should cover what you collect, why you collect it, who you share it with, how you store it, and how customers can contact you.
- Privacy wording should match your real-world processes, your marketing practices, and your other legal documents.
If you’d like help putting the right privacy wording in place for your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligation chat.