It is almost guaranteed that mobile apps will collect some form of personal information from users, so if you are building an app, you need to consider whether Australian privacy laws apply to you. This matters because it determines how you may collect and deal with users’ information. If your business is subject to Australian privacy laws, you have legal obligations, and failure to fulfil them can result in serious penalties. This article explains when you need to comply with Australian privacy laws if you are building an app.

Australian Privacy Laws

In Australia, the Privacy Act 1988 contains principles on privacy protection called the Australian Privacy Principles (APP). These principles are binding for APP entities.

Generally speaking, you are an APP entity if your business has an annual turnover of more than $3 million. However, startups and small businesses with a turnover of less than $3 million can also be APP entities in certain circumstances. This may be the case if:

  • your app shares information with third parties for a benefit;
  • you are providing a health service;
  • you purchase personal information; or
  • you use personal information to sell advertising through your app.

Examples of personal information your app may be collecting include:

  • names;
  • contact details;
  • IP addresses;
  • location information; or
  • photos.

Sensitive Information

If you are an APP entity, it is important to know if your app collects ‘sensitive information’, which is generally afforded greater protection under the Privacy Act. This is because misuse of sensitive information can result in discrimination, mistreatment and other adverse consequences.

Sensitive information is information about an individual’s:

  • racial or ethnic origin;
  • political or religious opinions or affiliations;
  • membership of a professional or trade association;
  • sexual orientation;
  • criminal record;
  • health information; or
  • biometric information.

Many businesses mistakenly believe they are not collecting sensitive information because they are not collecting health information. However, you must be conscious of whether the information your app is collecting can be inadvertently classed as sensitive information. For example, if your app allows users to post photos of themselves or make comments, it may be possible to identify a person’s religious affiliation or ethnic origin through those photos and comments.

Privacy Obligations

If you are an APP entity building an app, you need to comply with the APPs which require businesses to deal with information in specific ways. Your obligations under the APPs include making users aware of the information you are collecting and the purpose for which you are collecting that information, as well as allowing users to access the information you are storing.

Additionally, there are further requirements if you are an APP entity which collects sensitive information. Generally, your app should only be collecting sensitive information where:

  • the user consents to the collection; or
  • it is reasonably necessary for the function of your business.

Privacy Policy

If you are an APP entity, you must have a publicly available privacy policy, as required under the Privacy Act. Your policy should be readily accessible to all users of your app and set out:

  • the kinds of personal information that you collect and hold;
  • how you collect personal information;
  • how you hold personal information;
  • the purposes for which you collect, hold, use and disclose personal information;
  • how an individual may access their personal information and seek correction of it;
  • how an individual may complain if you or a contractor breaches the APPs or a binding registered APP code; and
  • whether you are likely to disclose personal information to overseas recipients, including a related body corporate, and the likely countries that you may send the information to.

Even if you are not an APP entity which is subject to the Australian privacy laws, it is still good business practice to have a privacy policy. You should ensure it is compliant with the benchmark of privacy protection set out in the APPs.

Users are becoming increasingly aware of privacy and data protection and, accordingly, many will require the apps they use to be transparent about the information they collect and store, regardless of whether the law requires this transparency. This is even more likely to be the case if users are disclosing sensitive information on your platform.

Key Takeaways

If you are an APP entity building an app which is collecting sensitive information, you should comply with your privacy obligations. Otherwise, you risk severe fines for breaching the Privacy Act. Even if you are not an APP entity, it is best practice to have a privacy policy to gain the trust of your users.

Additionally, your app’s users should be able to readily access the policy and understand how you collect and use their information. If you have any questions, contact LegalVision’s online lawyers on 1300 544 755 or fill out the form on this page.

Sophie Mao