Data confidentiality is increasingly a concern for consumers in our technological and globalised world. Businesses typically respond to these concerns using a comprehensive privacy policy describing how personal and sensitive information is collected, disclosed, stored and processed and the purpose for doing so. However, privacy policies can sometimes be a source of confusion.
Commercial entities often require clarification on whether they are legally required to have a privacy policy and what information it should contain. If you are a marketing and advertising agency with such questions, this article discusses why you need a privacy policy, when you need one and what it should say.
When Do I Need a Privacy Policy?
The Australian Privacy Principles (APP) govern privacy law in Australia. In short, you must have a privacy policy if you meet the definition of an ‘APP entity’. The APP defines an APP entity as an agency or organisation.
Under the APP, agency refers to government departments and other public bodies or offices, including, among others, Ministers, the Australian Federal Police and Federal Courts. It is a concept distinct from a marketing or advertising agency.
An organisation under the APP is:
- an individual;
- a body corporate;
- a partnership;
- any other unincorporated association; or
- a trust.
However, even if an entity falls within one of the categories above, it will not be an APP entity if it is a:
- small business operator;
- registered political party; or
- agency or a state or territory authority or a prescribed instrumentality of a state or territory.
Further, a small business operator is an individual, body corporate, partnership, unincorporated association or trust that:
- carries on one or more small businesses; and
- does not carry on a business that does not qualify as a small business.
A small business is a business whose annual turnover for the preceding financial year was $3,000,000 or less.
Small Businesses
Nevertheless, even if you are a small business, you may still be considered an APP entity if you:
- provide services under a Commonwealth contract;
- disclose personal information about another individual for a benefit, service or advantage, or provide a benefit, service or advantage to collect personal information about another individual from anyone else (unless you do so with the consent of the individual or are required or authorised by law to do so); or
- provide a health service and hold health information other than in an employee record (although this is unlikely to apply to marketing and advertising agencies).
In simpler terms, your marketing and advertising agency must have a privacy policy if:
- your business structure makes you an organisation under the APP, and your annual turnover exceeds $3,000,000;
- you provide services under a Commonwealth contract, for example, to a Federal Government agency; or
- you disclose personal information for a benefit or service.
Additionally, your business may become an APP entity in the future. Therefore, it is wise to have proper privacy processes in place from the start. The reasoning here is commercial rather than legal: a privacy policy can inspire customer confidence and build goodwill, particularly as data is increasingly being commoditised.
Why Do I Need a Privacy Policy?
Some commercial enterprises (such as marketing and advertising agencies) require a privacy policy to meet their legal obligations under the Australian Privacy Principles (APP).
Principle 1 ensures that all APP entities manage personal information openly and transparently. These entities must take reasonable steps to implement internal practices, processes and procedures to comply with the APP. Such entities also need to efficiently handle customer enquiries and complaints about their compliance with the APP.
In total, 13 APPs outline the obligations of APP entities. Principle 1.3 requires all APP entities to have a clearly expressed and up-to-date policy concerning their management of personal information.
Contents of a Privacy Policy
In general, your privacy policy should tell consumers about their privacy rights. This includes how you handle, secure and protect your data, and manage and identify potential risks to that data. It should detail how individuals can access their data and how your agency handles complaints about data management.
Furthermore, ensure you discuss how your organisation manages the quality of its data and its policies when engaging third-party providers or contractors to whom you might disclose information and who those third parties are.
Your policy should be structured well and carefully utilise headings. Use plain language and focus on the likely concerns of your customers. Be specific but do not hesitate to summarise if necessary to guarantee the policy’s accuracy. Above all, ensure that your policy is easy to read and accessible. Also, provide information allowing a consumer to contact you to ask a question or make a complaint.
Key Takeaways
If your marketing and advertising agency is considered an APP entity, you are legally required to have a privacy policy. However, regardless of whether or not you are an APP entity, a legitimate privacy policy can benefit your business. Many businesses find that a solid privacy policy can build trust and goodwill with customers.
If you need help with your privacy policy or want to improve your existing policy, our experienced contract lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
Suppose you operate a business that has an annual turnover of less than $3 million. In that case, you may still be legally required to have a privacy policy if you provide a health service (such as a gym or medical practice), if your business discloses personal information for a benefit, service or advantage, or if you contract with a Commonwealth agency.
Your privacy policy should be easily accessible to your customers at any time. This can be achieved by placing it clearly on your website and hyperlinking it whenever you are collecting personal information, such as in a contact us form or when users sign up for your platform.