Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business in Australia, chances are you collect personal information more often than you think.
It could be as simple as taking online orders, sending invoices, running a mailing list, using an enquiry form on your website, or even collecting staff details for payroll. The moment you collect information that can identify a person (like a name, email address, phone number, address, or even an IP address in some contexts), privacy law becomes part of your compliance checklist.
That’s where having a standard privacy policy in Australia that your business can rely on becomes crucial. A Privacy Policy is not just “website filler” - it’s a practical document that helps you explain what you collect, why you collect it, how you store it, and when you share it.
Below, we’ll walk you through what a standard Privacy Policy should include for Australian small businesses, why it matters, and how to make sure yours is actually usable (and not just copied from somewhere else).
What Is A Standard Privacy Policy In Australia?
A Privacy Policy is a written statement that explains how your business handles personal information. In Australia, it usually covers:
- what personal information you collect
- how you collect it
- why you collect it (the purposes)
- how you store and secure it
- who you disclose it to (if anyone)
- how people can access or correct their information
- how people can complain if they think something has gone wrong
When people search for a “standard privacy policy Australia” template, they’re usually looking for something that covers these basics. The catch is: what’s “standard” depends heavily on your business model.
For example, a cafe that takes bookings through an online form will have different privacy risks (and different data flows) compared to an eCommerce store using email marketing, payment gateways and customer accounts.
That’s why your Privacy Policy should be tailored to how your business actually operates, even if you start with a “standard” structure.
Do Small Businesses Need A Privacy Policy In Australia?
Many small business owners have heard about the “small business exemption” under the Privacy Act 1988 (Cth) and assume privacy compliance doesn’t apply to them.
In practice, it’s not that simple.
1) The Privacy Act May Still Apply To You
Even if your turnover is under $3 million, the Privacy Act can still apply in some common situations. For example, you may be covered if your business:
- provides a health service and holds health information (including many allied health and wellness providers)
- buys or sells personal information
- is a credit reporting body or otherwise handles credit reporting information
- is a contractor to an Australian Government agency (and needs to comply with privacy terms in that contract)
Also, you may have privacy-like obligations arising from other sources, such as:
- your contracts with platforms, suppliers or clients (especially enterprise clients)
- industry requirements
- consumer expectations (trust is a commercial issue, not just a legal one)
Even where you’re not strictly required to have one, having a Privacy Policy is often a sensible baseline for risk management - and it can be essential if you want to scale, partner with larger organisations, or run online advertising and email campaigns.
2) If You Collect Personal Information Online, People Expect One
If you have a website that collects enquiries, lets customers place orders, or uses tools like cookies and analytics, customers will usually look for a Privacy Policy before they buy.
Not having one can create friction (and suspicion) at the point of sale.
3) It Helps You Prove What “Normal” Looks Like In Your Business
If there’s ever a dispute or complaint, your Privacy Policy is one of the first documents someone will check. It acts like your public-facing “rulebook” for personal information handling - and it can help you show that you have a consistent process.
For many businesses, it sits alongside other key website documents like Website Terms and Conditions.
What Should A Standard Privacy Policy Australia Businesses Use Include?
Below are the core clauses we typically expect to see in a solid Australian Privacy Policy for a small business. Think of these as the “non-negotiables” for the kind of standard privacy policy that Australian readers are usually searching for - then adjust them to match your specific data practices.
1) What Personal Information You Collect
Your Privacy Policy should clearly describe the types of personal information you collect.
This often includes:
- names
- email addresses
- phone numbers
- billing and delivery addresses
- payment-related details (usually handled by payment processors, but you should still explain the flow)
- customer account information
- support requests and correspondence
- website usage data (e.g. IP address, device type, analytics events)
If you collect sensitive information (like health information), you need to be even more careful about consent and handling. Many small businesses don’t collect sensitive information intentionally - but you can still receive it via a “contact us” form or email attachments.
2) How You Collect Personal Information
It’s not enough to list what you collect - you should also explain how you collect it. For example:
- when someone fills in an enquiry form
- when someone signs up to a newsletter
- when someone creates an account
- when someone purchases goods or services
- through cookies and similar tracking technologies
- from third parties (e.g. social media platforms, payment providers, shipping providers)
This is especially important if you use third-party tools for marketing, customer support, booking systems, analytics, or cloud storage.
3) Why You Collect It (Your Purposes)
A standard Privacy Policy should clearly state why you’re collecting personal information. Common purposes include:
- providing your products or services
- processing payments and delivering orders
- creating and managing customer accounts
- sending order updates and service notices
- responding to enquiries and support requests
- marketing and promotional communications
- improving your website and customer experience
- complying with legal obligations
This part matters because it sets boundaries. If you later use customer data for something outside those purposes, you could create legal and reputational risk.
4) Disclosure: Who You Share Personal Information With
Most small businesses share personal information with third parties in some way - even if it’s just a delivery driver or a software provider.
Your Privacy Policy should explain the categories of third parties you disclose personal information to, such as:
- payment processors
- shipping and logistics providers
- IT service providers and cloud hosting providers
- booking platforms or CRM providers
- marketing platforms (email, ads, analytics)
- professional advisers (accountants, lawyers)
Being transparent doesn’t mean giving away your “secret sauce”. It’s simply telling customers what usually happens behind the scenes in a modern business.
5) Overseas Disclosures
If you use cloud software or service providers that store data overseas, you may be disclosing personal information outside Australia (even if you never actively send it abroad).
A standard privacy policy in Australia should address whether personal information is likely to be stored or processed overseas, and (where possible) name the countries or regions.
This is commonly relevant when your business uses:
- cloud hosting
- international email marketing tools
- customer support ticketing systems
- cloud accounting and invoicing platforms
6) How You Store And Secure Personal Information
You don’t need to list every security control you use, but you should explain the general steps you take to protect personal information.
For example:
- secure cloud storage
- access controls and staff permissions
- password protection and multi-factor authentication
- limited internal access on a need-to-know basis
- secure disposal or de-identification when information is no longer needed
This section is especially important if you have staff and internal systems. A Privacy Policy works best when it matches your day-to-day practices, supported by internal policies (such as an employee handbook and IT usage rules).
7) Direct Marketing And Opt-Out Rights
If you send marketing emails or SMS messages, your Privacy Policy should explain:
- when you’ll send marketing
- how people can opt out
- that opting out won’t affect receiving “service messages” (like order updates)
This ties into broader marketing compliance too. For many small businesses, it’s also worth reviewing how your campaigns align with email marketing laws in Australia.
8) Access, Correction And Complaints Process
A standard Privacy Policy should explain how individuals can:
- request access to the personal information you hold about them
- ask you to correct inaccurate or outdated information
- make a privacy complaint
You should include a clear contact method (usually an email address) and outline your process for responding. This is one of the most “practical” parts of a Privacy Policy, because it tells people what to do if they have a concern - before it escalates.
Privacy Policy vs Collection Notice (APP 5): What’s The Difference?
A Privacy Policy is your general, ongoing statement about how you handle personal information across the business.
A collection notice (often called an “APP 5 notice”) is the short-form information you give people at or around the time you collect their personal information - for example, under a web form, at checkout, or in onboarding emails. It usually covers key points like what you’re collecting, why, and who you might share it with, plus how to access your full Privacy Policy.
Many small businesses will use both: a full Privacy Policy on the website, and brief collection wording at the point of collection to make things clear in the moment.
Why A “Standard” Privacy Policy Can Still Cause Problems If It’s Not Tailored
It’s tempting to copy a Privacy Policy from another site or use a generic template. But for small businesses, that’s one of the fastest ways to accidentally publish something inaccurate.
Here are some common issues we see when businesses use a “standard privacy policy Australia” template without tailoring it.
1) You Promise Things You Don’t Actually Do (Or Can’t Do)
For example, a template might say:
- you never disclose personal information overseas (but your tools do)
- you delete customer data immediately after purchase (but your accounting records must be kept)
- you don’t use cookies (but your analytics platform sets them automatically)
If your Privacy Policy doesn’t match reality, it can create risk because it misleads customers about how you handle their information.
2) You Miss Key Parts Of Your Business Model
Your Privacy Policy should match how your business actually runs. For example:
- If you sell online, you’ll likely need to cover delivery providers, payment providers, and customer accounts.
- If you’re a service provider, you may handle client project details and ongoing communications.
- If you hire staff, you may collect and store employee information.
A Privacy Policy isn’t just for customers - it’s about personal information generally. If your business collects personal information in multiple contexts, your policy should reflect that.
3) You Accidentally Copy A Competitor’s Approach
Beyond the legal risks, copying policies can be commercially awkward. Your Privacy Policy is part of your brand trust. You want it to sound like it belongs to your business, and you want it to reflect how you operate.
This is also why a Privacy Policy should align with the rest of your legal set-up, including your customer-facing terms and internal practices. Depending on how you sell, you might also need an overarching e-commerce terms and conditions document that works alongside your Privacy Policy.
How To Put A Privacy Policy In Place (Without Overcomplicating It)
Getting your Privacy Policy right doesn’t have to be a huge project. The key is to treat it as part of your business systems, not an afterthought.
Step 1: Map The Personal Information You Collect
Before you write anything, take 15–30 minutes to map out:
- what personal information you collect
- where you collect it (website, email, phone, in-person, platforms)
- where you store it (email inbox, CRM, accounting software, spreadsheets)
- who you share it with (delivery providers, cloud tools, contractors)
- how long you keep it
This step is often where business owners realise they collect more personal information than expected.
Step 2: Decide What Your “Standard” Commitments Will Be
Most Privacy Policies follow a similar structure, but you need to decide what your business’s commitments actually are.
For example:
- Will you send marketing? If yes, how can people opt out?
- Do you use overseas tools? If yes, which ones?
- Who handles privacy enquiries internally?
These decisions are good business hygiene. They reduce confusion for your team and help you build a customer experience that feels trustworthy.
Step 3: Publish It Where People Can Actually Find It
For most small businesses, the Privacy Policy should be easy to access from:
- your website footer
- checkout pages (if you sell online)
- account registration pages
- forms where personal information is collected
If you collect information through a form, you may also need a short-form statement at the point of collection (a collection notice). This is separate from the full Privacy Policy, and it helps make your privacy practices clearer at the time you’re collecting the information.
Step 4: Align Your Privacy Policy With Your Actual Contracts And Processes
A Privacy Policy is a public statement, but it should be backed by internal processes and the right legal documents.
For example:
- If you hire staff who handle customer data, it’s a good idea to cover confidentiality and proper data handling in an Employment Contract.
- If you engage contractors who can access customer information, you may need stronger confidentiality obligations in your contractor agreements.
- If you run a subscription platform or marketplace, your Privacy Policy should be consistent with your platform terms and any payment or refund processes.
Privacy compliance is rarely one document on its own. It’s part of how your business builds trust and reduces operational risk.
Key Takeaways
- A standard privacy policy in Australia should clearly explain what personal information you collect, why you collect it, how you store it, and who you share it with.
- Even if you’re a small business, having a Privacy Policy can be essential for customer trust, platform compliance, and smooth growth.
- Your Privacy Policy should cover core topics like collection methods, purposes, disclosures (including overseas storage), data security, marketing, and complaint handling.
- Using a generic template without tailoring it can create problems if it doesn’t match how your business actually handles personal information.
- Privacy compliance works best when your Privacy Policy aligns with your website terms, customer-facing processes, and employment or contractor arrangements.
If you’d like help putting the right Privacy Policy in place for your small business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.