I Run a Beautician Business. What are My Privacy Obligations?

In Short

  • Beauticians must adhere to privacy laws concerning client data.
  • Consent is required before collecting, using, or sharing client information.
  • Implement strong data protection measures to secure client records.

Tips for Businesses

Familiarise yourself with privacy legislation relevant to your beauty business. Always obtain clear consent from clients before handling their personal information. Use secure systems to store data and regularly update your privacy policies to enhance compliance and build client trust. Training staff on privacy protocols is also essential.

If you run a beautician business, you will often collect and store personal information about your clients, such as their allergies and prior health conditions. In this context, you may have legal obligations regarding the handling of this personal information. Understanding these obligations helps you avoid breaching laws and facing heavy penalties. This article explains when you will need to comply with Australian privacy law for your beautician business.

The Privacy Act

The Privacy Act aims to protect individuals’ personal information and sets out how a business collects, stores and discloses personal information. Examples of personal information about clients that you might have include your clients’:

  • names;
  • addresses; 
  • emails;
  • dates of birth; and
  • medical history.

Am I an APP Entity? Do I Need to Comply With the Privacy Act?

You are an APP entity if:

  • you have an annual turnover of more than $3 million;
  • you are a health service provider and you hold health information that is not in an employee record; or
  • you trade in personal information.

There are also other entities which might be APP entities, but they are probably not relevant to you.

A health service provider is someone who intends to 

  • assess;
  • maintain; 
  • improve;
  • diagnose; 
  • manage;
  • treat; or 
  • record an individual’s health. 

You will be regarded as providing a health service if you claim that the activity produces specific results, such as facial treatments that address certain skin conditions or LED light therapy designed to achieve particular outcomes.

Hence, even if your annual turnover is $3 million or less, you may qualify as an APP entity and need to comply with the Privacy Act.

What are My Obligations under the Privacy Act?

If you want or need to comply with the Privacy Act, the Act sets out a number of key principles that you must follow, which are called the Australian Privacy Principles (or APPs).

Some of the APPs distinguish between personal information and sensitive information. Relevantly for beauticians, sensitive information includes health information about an individual. You may request that your clients complete a questionnaire before some treatments.

Under the Act, you may have collected sensitive information if the questionnaire asked about:

  • allergies; 
  • pregnancy; 
  • breastfeeding; 
  • overall health; 
  • diseases; or
  • blood pressure.

Below, we set out key APPs and examples specifically relevant to beauticians.

Collection

You can only collect personal information if it is reasonably necessary for your activities. 

For example, some more invasive treatments, like cosmetic tattooing, may require you to know about prior health conditions. You should avoid collecting personal information where you do not have to. For example, if you are providing makeup services, certain information may be relevant, such as a history of skin conditions, but other information, such as a history of heart conditions or surgical history, may be less relevant.

You might also collect customer data in different ways.

For example, booking systems store contact details, appointments and preferences. Loyalty program sign-ups ask for more personal information like demographics and personal history. Feedback forms show what customers think and where the business can improve.

You need to notify customers when you are collecting their personal information. You should have a Privacy Collection Notice, which should be made available to your client when you are collecting their information.

A Privacy Collection Notice is a statement detailing what personal information you are collecting from the individual, why you are collecting it, and how it will be used or disclosed. You must clearly explain what information you want, why you need it, and how you will use it or share it. 

Sensitive Information

If you are collecting health information, this is defined as ‘sensitive information’ which is afforded higher levels of protection under the Privacy Act. You need to obtain consent before collecting any sensitive information. 

Transparency 

You must have a clear, easy-to-read and updated privacy policy which sets out how you deal with your clients’ personal information. You can make the policy available on your website, and at your front desk, so it is easily accessible to your clients.

Use of Personal Information

You can generally use personal information you collect from clients for the primary purpose of collection, such as providing your beauty services or maintaining client records. For any other uses (secondary purposes), you must ensure the use is reasonably expected and related to the primary purpose. Otherwise, you need to obtain the client’s consent. For example, sending appointment reminders via email after collecting a client’s email address for booking a facial treatment would likely meet this criterion.

For sensitive information, like health details, you must ensure the secondary purpose directly relates to the primary purpose. An example of this would be using a client’s allergy information, initially collected to ensure safe treatment, to adjust future treatment plans or product recommendations.

You may also use or disclose information if the law requires it or in specific situations like preventing a serious threat to someone’s health. Always use the minimum necessary information and protect your clients’ privacy. It is best to clearly inform clients how you will use their information when you collect it.

Key Takeaways

Protecting your clients’ personal information builds trust in your beautician business. You may be considered an APP entity, and thus required to comply with the Privacy Act, if you have an annual turnover of over $3 million, or you are considered to be providing health services and collecting health information. Either way, the Privacy Act sets out principles you should comply with, including:

  • only collecting information if necessary; 
  • using the information for the primary purpose for which it was collected or for a secondary purpose that your client would reasonably expect the information to be used for; and
  • making sure your clients know how you handle personal information in a privacy policy.

If you need help preparing a privacy policy, our experienced contract lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

When does a beautician business need to comply with the Australian Privacy Act?

A beautician business must comply with the Australian Privacy Act if it qualifies as an APP entity. This happens if the business has over $3 million in annual turnover, provides health services, or trades in personal information. Even with less turnover, a business may still be an APP entity if it collects health-related information.

What key obligations must beautician businesses follow under the Australian Privacy Act?

Beautician businesses must adhere to the Australian Privacy Principles (APPs). They should collect personal information only when necessary, obtain consent for sensitive data collection, and inform clients with a Privacy Collection Notice. Businesses must have an accessible privacy policy and use client information primarily as collected. For other uses, they must ensure it is expected or obtain client consent.

Maddison Zahra

Lawyer

Maddison is a Lawyer at LegalVision, working in the Corporate and Commercial Team. She has particular expertise in commercial contracts, data and privacy and regulatory compliance advice for small businesses and startups within the Australian landscape. She also has previous experience in Government and Property Law, where she worked with a variety of clients, from small to medium businesses to large corporate and Government clients.

Qualifications:  Bachelor of Laws, Bachelor of International Studies, University of New South Wales.
