
Marketing-Advertising Agencies: Do They Need a Privacy Policy?

Data confidentiality is increasingly a concern for consumers in our technological and globalised world. Businesses typically respond to these concerns using a comprehensive privacy policy describing how personal and sensitive information is collected, disclosed, stored and processed and the purpose for doing so. However, privacy policies can sometimes be a source of confusion. 

Commercial entities often require clarification on whether they are legally required to have a privacy policy and what information it should contain. If you are a marketing and advertising agency with such questions, this article discusses why you need a privacy policy, when you need one and what it should say.

When Do I Need a Privacy Policy?

The Australian Privacy Principles (APP) govern privacy law in Australia. In short, you must have a privacy policy if you meet the definition of an ‘APP entity’. The APP defines an APP entity as an agency or organisation.

Under the APP, agency refers to government departments and other public bodies or offices, including, among others, Ministers, the Australian Federal Police and Federal Courts. It is a concept distinct from a marketing or advertising agency.

An organisation under the APP is:

  • an individual;
  • a body corporate;
  • a partnership;
  • any other unincorporated association; or
  • a trust.

However, even if the organisation falls within one of the categories above, it will not be an APP entity if it is a:

  • small business operator;
  • registered political party; or
  • agency or a state or territory authority or a prescribed instrumentality of a state or territory.

Further, a small business operator is an individual, body corporate, partnership, unincorporated association or trust that:

  • carries on one or more small businesses; and
  • does not carry on a business that does not qualify as a small business.

A small business is a business whose annual turnover for the preceding financial year was $3,000,000 or less.

Small Businesses

Nevertheless, even if you are a small business, you may still be considered an APP entity if you:

  • provide services under a Commonwealth contract;
  • disclose personal information about another individual for a benefit, service or advantage, or provide a benefit, service or advantage to collect personal information about another individual from anyone else (unless you do so with the consent of the individual or are required or authorised by law to do so); or
  • provide a health service and hold health information other than in an employee record (although this is unlikely to apply to marketing and advertising agencies).

In simpler terms, your marketing and advertising agency must have a privacy policy if:

  • your business structure makes you an organisation under the APP, and your annual turnover exceeds $3,000,000; 
  • you provide services under a Commonwealth contract, for example, to a Federal Government agency; or
  • you disclose personal information for a benefit or service.

However, even if your business is not an APP entity and, therefore, not legally obliged to have a privacy policy, it is an excellent idea to have one regardless. Many customers like to know how a business they engage with handles their data. Consequently, they may be more inclined to use your services if that information is readily accessible.

Additionally, your business may become an APP entity in the future. Therefore, it is wise to have proper privacy processes in place from the start. This reasoning is not legal but commercial. A privacy policy can inspire customer confidence and build goodwill, particularly as data is increasingly being commoditised.

Why Do I Need a Privacy Policy?

Some commercial enterprises (such as marketing and advertising agencies) require a privacy policy to meet their legal obligations under the Australian Privacy Principles (APP).

Principle 1 ensures that all APP entities manage personal information openly and transparently. These entities must take reasonable steps to implement internal practices, processes and procedures to comply with the APP. Such entities also need to efficiently handle customer enquiries and complaints about their compliance with the APP.  

In total, 13 APPs outline the obligations of APP entities. Principle 1.3 requires all APP entities to have a clearly expressed and up-to-date policy concerning their management of personal information.


Contents of a Privacy Policy

In general, your privacy policy should tell consumers about their privacy rights. This includes how you handle, secure and protect your data, and manage and identify potential risks to that data. It should detail how individuals can access their data and how your agency handles complaints about data management. 

Furthermore, ensure you discuss how your organisation manages the quality of its data, its policies when engaging third-party providers or contractors to whom you might disclose information, and who those third parties are.

Your policy should be structured well and carefully utilise headings. Use plain language and focus on the likely concerns of your customers. Be specific but do not hesitate to summarise if necessary to guarantee the policy’s accuracy. Above all, ensure that your policy is easy to read and accessible. Also, provide information allowing a consumer to contact you to ask a question or make a complaint.   

The Office of the Australian Information Commissioner (OAIC) provides a helpful guide to developing an APP Privacy Policy. The guide is informative, easy to read and includes practical tips and checklists for drafting a privacy policy. It is freely available on their website.

Key Takeaways

If your marketing and advertising agency is considered an APP entity, you are legally required to have a privacy policy. However, regardless of whether or not you are an APP entity, a legitimate privacy policy can benefit your business. Many businesses find that a solid privacy policy can build trust and goodwill with customers.


Frequently Asked Questions

I run a small business. Do I still need a privacy policy?

If you operate a business that has an annual turnover of less than $3 million, you may still be legally required to have a privacy policy if you provide a health service (such as a gym or medical practice), if your business discloses personal information for a benefit, service or advantage, or if you contract with a Commonwealth agency.

Where should I put my privacy policy?

Your privacy policy should be easily accessible to your customers at any time. You can achieve this by placing it clearly on your website and linking to it wherever you collect personal information, such as in a "contact us" form or when users sign up for your platform.

Tim Jones

Senior Lawyer

Tim is a Senior Lawyer in LegalVision’s Employment, Corporate and Commercial teams.

Qualifications: Bachelor of Laws, Bachelor of International Studies, Macquarie University.
