As an operator of an online marketplace you likely need to comply with the Australian Privacy Principles (APP), including by having a comprehensive marketplace privacy policy. Those who must comply APP entities are those business’ that:

  • have a turnover of $3 million or above; or
  • collect personal information about an individual to provide a service for others (i.e. collecting information about customers for your suppliers).

Most online marketplaces meet at least one of these two criteria.

Personal information includes all information that allows the person to be identified. For example, names, email addresses or phone numbers. This article describes how you can meet your privacy obligations while still collecting the information you need to run your marketplace.

Disclose How You Collect Personal Information

It is important to disclose to your visitors how you will collect and use personal information. This disclosure should be made through three documents:

  1. Marketplace privacy policy
  2. Website terms of use
  3. Marketplace terms and conditions

Marketplace Privacy Policy

You should have a marketplace privacy policy on your website which sets out what personal information you collect. This policy should also describe how you collect, use and disclose this information. It should be easily accessible. For example, by being linked in the website footer.

Website Terms of Use

Website terms of use apply to anyone who visits your marketplace. The terms of use will set out how visitors can and cannot use your website, including prohibiting use of the website in breach of privacy. For example, the terms may prohibit data mining of the information that visitors submit to the website. The terms of use should also reference and link to your privacy policy.

Marketplace Terms and Conditions

Your marketplace terms and conditions will apply to anyone who makes a purchase through your website. This usually happens by asking customers to click a checkbox that states their agreement at time of purchase.

At the time of registration or sale you will likely collect further personal information from the visitor. For example, their phone number, delivery address or credit card details. Therefore, the terms and conditions should refer and link to your privacy policy. They should also state how you keep data secure.

The marketplace terms and conditions should also require the customer to agree not to infringe on third parties’ privacy through anything they share or post on the marketplace website. For example, by not posting photos tagged with another person’s name.

Only Use Personal Information for Agreed Purposes

You should follow the undertakings you make in your marketplace privacy policy, website terms of use and marketplace terms and conditions. Therefore, ensure that you are familiar with what information your policies state that you will collect. For example, consider if you request profile photos for all registered users. If previously there was no option to upload a photo, it’s likely that your privacy policy, website terms of use and marketplace terms of conditions will have to be updated to include the collection of photos.

If your policies and terms also set out systems or procedures for protecting the collected personal information, you need to ensure these systems and procedures are actually in place.

For example, if your privacy policy states “All personal information will be securely encrypted”, then you will need to use encryption that is strong enough to keep your visitors’ information secure against external hacking attempts. Internally, access to the information should also be restricted to only those employees who need it to perform their job.

To keep these systems and procedures effective, you should update software regularly and provide ongoing privacy training for your staff.

Take Care When Sharing Personal Information Overseas

As a marketplace operator, you may need to disclose visitors’ personal information to overseas sellersIf you disclose personal information to an overseas recipient, you will be liable for an act or practice of the overseas recipient that would breach an APP as if you had breached the APP yourself.

An exception is where a person agrees, via a clause in your marketplace terms and conditions, that:

  • they consent to the disclosure; and
  • you will not be liable for any breaches of the APP.

However, even with this clause, you should still be careful to whom you disclose your visitors’ personal information. Therefore, when disclosing to an overseas third party you must be confident that they will handle the personal information in line with the APP. This means you need to be:

  • aware of who the third party is; and
  • assured that they have sufficient procedures in place that will protect personal information.

Key Takeaways

As a marketplace operator you will likely need to abide by the APP. This first means having a comprehensive marketplace privacy policy. You will also need to address privacy in your website terms of use and marketplace terms and conditions. These documents should describe what personal information you collect, as well as how you use, disclose and protect it. You should also take practical steps to keep data secure, including keeping security software up to date and training staff on a regular basis.

If you need assistance with meeting your marketplace privacy obligations, call LegalVision’s online lawyers on 1300 544 755 or fill out the form on this page.

Jacqueline Gibson
If you would like further information on any of the topics mentioned in this article, please get in touch using the form on this page.

Would you like to get in touch with Jacqueline about this topic, or ask us any other question? Please fill out the form below to send Jacqueline a message!