Skip to content
LegalVision

Do Online Business Operators Need a Privacy Policy?

Avatar photo

By Elise Willett
Lawyer

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Summarise with: ChatGPT logo ChatGPT Perplexity logo Perplexity Microsoft Copilot logo Microsoft Copilot
Table of Contents

When operating your online business, you likely handle personal data. As such, your business must comply with Australian privacy laws. To demonstrate your compliance, you may choose to have a privacy policy. This article will explore whether your online business needs a privacy policy. 

Australian Privacy Principles

The Australian Privacy Principles (APPs) sit under the Privacy Act 1988 (Cth) and govern standards, rights and obligations around handling personal information. The APPs apply to “APP entities”, including Australian government agencies and private sector organisations with an annual turnover of $3 million or more.

An entity can still be an APP entity if they fall below the annual revenue threshold but meet other criteria that deem them an APP entity, including:

  • businesses that provide health services and hold health information about individuals other than in an employee’s record, such as gyms, child care centres, and private schools;
  • businesses that buy or sell personal information;
  • a credit reporting body;
  • a contracted service provider for an Australian Government contract;
  • an employee association registered or recognised under the Fair Work Act (Registered Organisations) Act 2009 (Cth);
  • a business that has opted-in to the Privacy Act 1988 (Cth);
  • a business related to another business covered by the Privacy Act; or
  • a business identified or included under the terms of the Privacy Regulation 2013

So if your online business will have an annual turnover of more than $3 million or falls under one of the above categories, you must comply with the APPs. Accordingly, you must have a privacy policy.

Nevertheless, adopting a privacy policy can still be valuable even if your business is not officially classified as an APP entity. Having one fosters trust among your customers by demonstrating your commitment to responsibly handling their personal information. Furthermore, it prepares your business for potential future growth. If your business expands to a point where it meets the annual revenue threshold and becomes an APP entity, having a privacy policy from the outset ensures it is already complying with its privacy obligations

Should I Draft My Own Privacy Policy?

You can draft your own privacy policy. However, be aware that this may be risky if you lack the relevant experience and knowledge. An experienced business lawyer familiar with the APPs can ensure your privacy policy complies with privacy law and is tailored to the unique elements of your business.

Continue reading this article below the form
Loading form

Why Should I Have a Privacy Policy?

As technology continues to develop, it becomes more and more important that the privacy of every individual is well-protected. In addition to complying with the APPs and the Privacy Act, having a privacy policy gives your customers peace of mind about how their personal information will be utilised.

These days, consumers expect businesses to have a privacy policy in place. This expectation is particularly heightened by the growing number of data breaches and privacy incidents reported in the news. Implementing the privacy policy fosters data protection best practices within your business. Furthermore, it promotes appropriate and responsible data handling.

What Should a Privacy Policy Include?

The APPs set out exactly what your privacy policy needs to cover.

In general, your privacy policy should set out:

  • your business’ contact details;
  • what personal information you collect, including sensitive information;
  • how you will use that personal information;
  • whether the collection of personal information is required or authorised by law;
  • why you collect, hold, use and disclose the personal information;
  • in what circumstances the personal information can be disclosed and when you might disclose personal information to third parties, and whether the disclosure is made overseas and to what countries;
  • how you store or secure personal information;
  • the consequences of not collecting the information;
  • what rights your customers have to access their personal information;
  • what rights a person has if their personal information is incorrect or inaccurate; and
  • how a customer might complain about a breach of APPs.

What If I Breach the Privacy Act?

Serious or repeated breaches of the Privacy Act can lead to fines of up to $2.5 million for individuals and for corporations, the greater of: 

  • $50 million;
  • three times the value of benefits obtained or attributable to the breach; or
  • 30% of the corporations’ adjusted turnover during the breach turnover period.
Front page of publication
The Ultimate Guide to Starting an Online Business

It’s now easier than ever to start a business online. But growing and sustaining an online business requires a great deal of attention and planning.

This How to Start an Online Business Manual covers all the essential topics you need to know about starting your online business.

The publication also includes eight case studies featuring leading Australian businesses and online influencers.

Download Now

APP 5 deals with the notification of the collection of personal information and requires that if you are an APP entity and you collect personal information about an individual, you must take reasonable steps to notify the individual of certain things, including the purpose for collecting the information and what you will do with it. We refer to this notice as a privacy collection notice (PCN). The PCN should include the following: 

  • the contact details of your business and how to make a complaint;
  • the consequences if an individual chooses not to provide their personal information;
  • whether the personal information will be disclosed to third parties;
  • whether any information will be shared with overseas-based entities; and 
  • information about your business’s privacy policy.

In addition to a privacy policy and privacy collection notice, we recommend that you have a set of business terms and conditions to formalise the contractual relationship between your business and customers. Terms and Conditions will often include payment terms, warranties, a refund policy, disputes process, termination grounds, liability clause and more.

Key Takeaways

When operating a business, whether online or offline, you must have the right legal documents to protect your business. This includes having a well-drafted privacy policy.

If you need help with non-disclosure agreements, our experienced commercial contract lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Register for our free webinars

Demystifying M&A: What Every Business Owner Should Know

Online
Understand the essentials of mergers and acquisitions and protect your business value. Register for our free webinar.
Register Now

Social Media Compliance: Safeguard Your Brand and Avoid Common Pitfalls

Online
Avoid legal pitfalls in social media marketing and safeguard your brand. Register for our free webinar.
Register Now

Building a Strong Startup: Ask a Lawyer and Founder Your Tough Questions

Stone & Chalk Tech Central, Level 1 - 477 Pitt St Haymarket 2000
Join LegalVision and Bluebird at the Spark Festival to ask a lawyer and founder your startup questions. Register now.
Register Now

Construction Industry Update: What To Expect in 2026

Online
Stay ahead of major construction regulatory changes. Register for our free webinar.
Register Now
See more webinars >
Elise Willett

Elise Willett

Lawyer | View profile

Elise is a Lawyer at LegalVision with previous experience in Commercial, Corporate and Estate Planning law. She also has experience in the Wealth Management and Finance sector. Elise provides expert advice to commercial clients, particularly startups and SMEs, on a range of commercial matters.

Qualifications: Bachelor of Laws, Bachelor of Arts, University of Sydney, University of Wollongong, Master of Laws, College of Law.

Read all articles by Elise

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

Does My Charity Need to Comply With the Australian Privacy Principles (APPs)?

Key SaaS Privacy and Data Considerations

Can I Collect an Individual’s Personal Information From a Third Party?

E-Commerce Laws You Must Know To Run An Online Business

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards