Selling online gives you reach that a shopfront never could - but it also comes with legal obligations that many founders overlook until something goes wrong. Whether you run an eCommerce store, a SaaS platform, or a service-based business that takes bookings through your website, Australian law expects you to be transparent about how you operate and how you handle customer data.
This chapter covers the two areas that trip up online businesses most often: website legal documents (terms and conditions, disclaimers, refund policies) and privacy law (collecting, storing, and protecting personal information). Getting both right early saves you from expensive disputes, regulatory action, and the kind of reputational damage that no marketing budget can fix.
Website Terms & Conditions
Your website terms and conditions (T&Cs) are a contract between you and every person who uses your site. They set the rules of engagement - what visitors can expect from you and what you expect from them. Without clear T&Cs, you are relying on default consumer law to fill gaps, and those defaults almost always favour the customer.
What Your T&Cs Should Cover
Acceptable use - how visitors may (and may not) use your website, including content scraping and automated access.
Intellectual property - who owns the content on your site and what rights users have to reproduce it.
Limitation of liability - capping your exposure for things like website downtime, incorrect information, or third-party links.
Governing law - confirming the jurisdiction (typically the state or territory where your business is registered).
Dispute resolution - how complaints will be handled, including any mediation or arbitration processes.
User accounts - if applicable, the rules around account creation, suspension, and termination.
Note that Australian Consumer Law (ACL) overrides any T&C clause that attempts to exclude consumer guarantees. You cannot contract out of a customer's statutory right to a refund for a product with a major fault, no matter what your terms say.
eCommerce and SaaS Terms
If you sell products or subscriptions online, your terms need to go further than a standard website T&C. Online selling triggers specific obligations under the ACL and the Electronic Transactions Act 1999 (Cth).
eCommerce Essentials
Clear pricing - display the total price including GST before checkout. Hidden fees at the last step breach the ACL prohibition on misleading conduct.
Refund and returns policy - state your policy clearly, but remember it sits on top of (not instead of) consumer guarantee rights.
Delivery terms - specify estimated delivery windows, who bears risk during transit, and what happens if goods are lost or damaged.
Subscription terms - for recurring billing, make the billing cycle, cancellation process, and any auto-renewal terms unmissable. The ACCC has flagged "dark patterns" that make cancellation harder than sign-up as a priority enforcement area.
SaaS-Specific Terms
Software-as-a-service businesses should also address service level commitments (uptime targets), data ownership (who owns the data your customers upload), data portability (can customers export their data when they leave?), and what happens on termination (data retention and deletion timelines). A well-drafted SaaS agreement protects both you and your customers, so it is worth getting those terms settled properly before launch.
Online Marketplaces
Selling through platforms like Amazon, eBay, or Etsy does not remove your legal obligations - it adds another layer. You are bound by both Australian law and the marketplace's own seller terms.
Platform terms override yours - most marketplaces impose their own refund, returns, and dispute resolution policies. Your own T&Cs apply to your standalone website, but on-platform sales generally follow the marketplace's rules.
ACL still applies - consumer guarantees apply to goods sold on marketplaces exactly as they apply to your own site. The ACCC has confirmed that both the seller and the platform can be liable for misleading product listings.
Brand and IP risk - register your trade marks before listing on large marketplaces. Counterfeit sellers are common, and having registered IP makes takedown requests far simpler.
GST on low-value imports - if you sell into Australia from overseas (or an overseas marketplace fulfils orders for you), the platform may be required to collect and remit GST on sales of A$1,000 or less.
Privacy in Australia
The Privacy Act 1988 (Cth) is the centrepiece of Australian privacy regulation. It sets out 13 Australian Privacy Principles (APPs) that govern how organisations collect, use, disclose, and store personal information.
"Personal information" is defined broadly - it means any information or opinion about an identified or reasonably identifiable individual, whether true or not. That includes names, email addresses, phone numbers, IP addresses, purchase history, and anything you could use to figure out who someone is.
Do you need a privacy policy?
Step 1: Does your business collect any personal information (names, emails, phone numbers, payment details)?
No: You likely do not need a privacy policy under the Privacy Act - but double-check you are not collecting data indirectly (e.g. analytics, contact forms).
Yes: Go to step 2.
Step 2: Are you an Australian business, or do you collect data from people in Australia?
No: Australian privacy law may not apply to you - but check the privacy laws of the jurisdictions where you operate.
Yes: You likely need an APP-compliant privacy policy if the Privacy Act applies to your business. If your annual turnover is around or under $3 million, do not assume the small business rule excludes you - check carve-ins carefully.
What Your Privacy Policy Needs
The 13 APPs are grouped into five areas. Your privacy policy should address each one in language your customers can actually understand. Here is a practical overview:
APP 1 - Open and transparent management - have a clear, up-to-date policy and make it easy to find.
APP 2 - Anonymity and pseudonymity - give people the option of not identifying themselves where practical.
APP 3 - Collection of solicited information - only collect personal information that is reasonably necessary for your business functions.
APP 4 - Dealing with unsolicited information - if you receive information you did not ask for, decide whether you could have collected it under APP 3; if not, destroy or de-identify it.
APP 5 - Notification of collection - tell people what you are collecting, why, and who you will share it with, at or before the time of collection.
APP 6 - Use or disclosure - only use or disclose personal information for the purpose you collected it, unless an exception applies.
APP 7 - Direct marketing - you can only use personal information for direct marketing if the individual would reasonably expect it, or has consented.
APP 8 - Cross-border disclosure - if you send data overseas (including using cloud services hosted outside Australia), you must take reasonable steps to ensure the overseas recipient complies with the APPs.
APP 9 - Adoption, use, or disclosure of government identifiers - do not use government IDs (like TFN or Medicare numbers) as your own customer identifiers.
APP 10 - Quality of personal information - take reasonable steps to ensure the data you hold is accurate, complete, and up to date.
APP 11 - Security - protect personal information from misuse, interference, loss, and unauthorised access. Destroy or de-identify it when you no longer need it.
APP 12 - Access - give individuals access to the personal information you hold about them on request.
APP 13 - Correction - correct personal information if it is inaccurate, out of date, incomplete, irrelevant, or misleading.
A good privacy policy does not need to reproduce the APPs word for word. It needs to explain, in plain English, what data you collect, why, how you protect it, and how someone can contact you about it. For help drafting one, see our privacy policy services.
Privacy Policy vs Terms & Conditions
Primary purpose
Privacy policy: Explains how you collect, use, and protect personal information
Terms & conditions: Sets the contractual rules for using your website or buying from you
Legal basis
Privacy policy: Privacy Act 1988 (Cth) and the APPs
Terms & conditions: Contract law (common law) and ACL
Required by law?
Privacy policy: Required for businesses covered by the Privacy Act, and often commercially expected even where the small business turnover rule may mean you are not covered
Terms & conditions: Not strictly required, but strongly recommended
Covers data handling?
Privacy policy: Yes - this is its core function
Terms & conditions: Usually only a brief reference, linking to the privacy policy
Covers intellectual property?
Terms & conditions: Yes - ownership of site content and user-generated content
Can limit liability?
Privacy policy: No - liability is set by the Privacy Act
Terms & conditions: Yes - within the bounds of the ACL
Needs regular updates?
Privacy policy: Yes - whenever your data practices change
Terms & conditions: Yes - whenever your business model or offerings change
Data Breaches
The Notifiable Data Breaches (NDB) scheme, under Part IIIC of the Privacy Act, requires you to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm. A breach occurs when personal information is accessed, disclosed, or lost without authorisation.
When You Must Notify
If you suspect an eligible data breach, you need to assess it quickly and in a way that is reasonable and expeditious. In practice, the OAIC treats 30 days as the outside limit for completing that assessment wherever possible. If you then reasonably believe the breach is likely to cause serious harm - and you have not been able to remediate that risk - you must notify the OAIC and affected individuals as soon as practicable.
Serious harm includes financial loss, identity theft, damage to reputation, and emotional distress.
Remediation means taking action to prevent the harm - for example, remotely wiping a lost device before the data is accessed.
Penalties for failing to notify can reach up to $50 million for serious or repeated breaches (post-2022 amendments).
Every business should have a data breach response plan before a breach happens. The OAIC publishes a template, but your plan should also name the person responsible for managing breaches internally and set out your communication protocol.
Cookie Consent and Tracking
Australia does not have a dedicated cookie consent law equivalent to the EU's ePrivacy Directive. There is no legal requirement to show a cookie banner to Australian visitors. However, that does not mean you can ignore tracking entirely.
If the Privacy Act applies to you, APP obligations still matter - if your cookies or tracking pixels collect personal information, you need to disclose that collection in your privacy policy and collection notices.
Best practice is moving toward consent - the Attorney-General's ongoing Privacy Act review has flagged cookie consent as a potential future requirement. Building consent mechanisms now avoids a scramble later.
Third-party tools matter - if you embed Meta Pixel, Google Analytics, or similar tools, you are sharing visitor data with those platforms. Your privacy policy should disclose this, and you should understand what data those tools collect.
GDPR Considerations for Australian Businesses
The EU's General Data Protection Regulation (GDPR) can apply to an Australian business if it intentionally offers goods or services to people in the EU, or monitors the behaviour of people while they are in the EU. Simply having a website that can be viewed from Europe is not enough, and a small number of incidental EU customers does not automatically mean the GDPR applies. The real question is whether you are actively targeting the EU market or tracking EU users in a way the GDPR regulates.
Key differences from Australian privacy law:
You need a lawful basis for each processing activity. Consent is only one lawful basis, but it is often the relevant one for non-essential cookies and some types of direct marketing.
Individuals have a right to erasure ("right to be forgotten") that goes beyond Australia's correction and access rights.
Cookie consent is mandatory, with granular opt-in/opt-out controls for different tracking categories.
Penalties for non-compliance can reach 4% of global annual turnover or EUR 20 million, whichever is higher.
If the GDPR applies, your privacy policy and internal data-handling practices need to reflect both Australian and EU requirements. You may also need to consider issues like an EU representative, cross-border transfer mechanisms, and GDPR-style records of processing. If you are deliberately targeting the EU, it is worth getting specific advice rather than assuming your Australian privacy settings are enough.
Key Takeaways
Every online business should have website terms and conditions, and many will also need a privacy policy. They serve different purposes, so check whether the Privacy Act applies and publish both where needed.
The Privacy Act often leaves businesses with annual turnover of $3 million or less outside the Act by default, but carve-ins still catch many small operators. Check whether you are actually exempt before deciding you do not need an APP-level privacy policy - and publish one if the Act applies or your customers and platforms expect it.
eCommerce and SaaS businesses have extra obligations around pricing transparency, refund rights, subscription terms, and data portability.
Australia's data breach regime does not use a blanket 72-hour deadline. Assess suspected eligible breaches quickly and notify the OAIC and affected individuals as soon as practicable once the notification threshold is met.
Australia does not currently require cookie banners in the same way as the UK or EU, but if the Privacy Act applies you need clear disclosure about tracking and analytics in your privacy materials.
GDPR exposure depends on whether you are deliberately offering goods or services to people in the EU or monitoring their behaviour there - not simply on whether someone in Europe can access your site.