Privacy | 11 May 2026 | 7 min read

Privacy Policy Requirements for Australian Small Businesses: What You Must Include

Tags: privacy policy, Privacy Act, small business, data protection, OAIC

"We have a privacy policy on our website" is not the same as complying with Australia's Privacy Act. Many small businesses have a boilerplate privacy policy copied from the internet — but it does not reflect how they actually handle personal information, and it would not survive an investigation by the Office of the Australian Information Commissioner (OAIC).

This guide explains which businesses must have a privacy policy, what it must actually contain, and what happens when you get it wrong.

Who Must Have a Privacy Policy?

The Privacy Act 1988 (Cth) applies to APP entities — organisations that must comply with the Australian Privacy Principles (APPs). Whether your business is an APP entity depends primarily on your annual turnover:

Mandatory compliance applies to businesses with an annual turnover of more than $3 million.

However, the $3 million threshold has significant exceptions — certain businesses must comply with the Privacy Act regardless of their size:

  • Private health service providers (including GPs, allied health providers, gyms with health records, aged care providers)
  • Tax file number recipients
  • Credit providers and credit reporting bodies
  • Operators of residential tenancy databases
  • Employee associations
  • Businesses contracted to handle government health records
  • Businesses that collect or handle personal information about overseas individuals

From 2025–26: Privacy Act reforms being implemented following the Government's response to the Privacy Act Review Report are progressively lowering the threshold and expanding obligations for smaller businesses. Keep an eye on legislative developments.

APP 1: Having and Publishing a Privacy Policy

If your business is subject to the Privacy Act, Australian Privacy Principle 1 requires you to:

  1. Have a clearly expressed and up-to-date privacy policy
  2. Make it available free of charge (typically on your website)
  3. Tell anyone who asks where your privacy policy is

Your privacy policy is not just a website formality — it is a legal document that describes how your business handles personal information. If your actual practices differ from what the policy says, you may be in breach of the Privacy Act.

What Must Your Privacy Policy Include?

A compliant privacy policy must address the following:

1. What Kinds of Personal Information You Collect

Be specific. "Personal information" is broad — it covers names, email addresses, phone numbers, financial details, health information, IP addresses, and any other information that identifies or could identify an individual.

What types of personal information does your business actually collect? From customers? Employees? Contractors? Website visitors?

2. How You Collect It

Personal information can be collected directly (e.g., from a form the person fills in) or indirectly (e.g., through website tracking, from third parties). Your policy must disclose both direct and indirect collection methods.

3. Why You Collect It

Your policy must explain the purposes for which you collect personal information. These purposes should be limited to what is reasonably necessary for your business functions — under APP 3, you cannot collect personal information beyond what is necessary.

4. How You Use It

Explain how you use personal information once collected. Can you use customer information for marketing? Under what circumstances do you use employee information for disciplinary purposes? Be honest and specific.

5. Who You Disclose It To

If you share personal information with third parties — cloud software providers, marketing services, payment processors, delivery partners — your policy must disclose this. Include disclosure to overseas recipients if applicable (see APP 8 below).

6. Overseas Disclosure

If you send personal information overseas — including by using cloud services hosted offshore — you must disclose this under APP 8 and take reasonable steps to ensure the overseas recipient handles the information consistently with the APPs. Using offshore cloud services (e.g., US-based CRM, email marketing platform, payroll software) without disclosing this is a common non-compliance issue.

7. Access and Correction

Individuals have the right to access personal information your business holds about them (APP 12) and to correct it if it is inaccurate (APP 13). Your policy must explain how they can exercise these rights and how you will handle such requests.

8. How You Handle Complaints

Your policy must include information about how individuals can make a privacy complaint and how you will deal with it.

Beyond the Policy: Actual Compliance Obligations

A privacy policy is only the start. Compliance with the Privacy Act involves:

Collection Notices (APP 5)

At or before the time you collect personal information, you must notify the individual of:

  • Your identity and contact details
  • The fact that they can access your privacy policy
  • The purpose of collection
  • Any law that requires the collection
  • The main consequences if they don't provide it

A collection notice is often incorporated into a sign-up form, contact form, or terms and conditions — not just a link to the privacy policy.

Use and Disclosure (APP 6)

You can only use or disclose personal information for the primary purpose for which it was collected, or for a secondary purpose if the individual would reasonably expect it or consents to it.

Sending marketing emails to customers who have only given their email to receive a receipt is a common breach — the secondary use (marketing) is outside the primary purpose of the transaction.

Direct Marketing (APP 7)

You may use personal information for direct marketing only if:

  • You collected it directly from the individual, and
  • They would reasonably expect to receive marketing from you, and
  • You have not opted out

You must always allow people to opt out of direct marketing, and you must honour opt-out requests promptly.

Data Security (APP 11)

You must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. What is "reasonable" depends on the sensitivity of the information and your business context.

For most businesses, this includes:

  • Secure password management
  • Access controls (limiting who in your business can access personal information)
  • Encryption for sensitive data
  • Secure deletion of information no longer needed

Notifiable Data Breaches

If your business has a notifiable data breach — an unauthorised access or disclosure of personal information that is likely to result in serious harm — you must notify both the affected individuals and the OAIC. You have 30 days from becoming aware of the breach to decide whether it is notifiable, and notify if it is.

The Penalties for Privacy Breaches

The penalties for serious or repeated privacy breaches were significantly increased in 2022:

  • For a body corporate: the greater of $50 million, three times the value of the benefit obtained, or 30% of adjusted turnover for the relevant period
  • For an individual: up to $2.5 million

Even for minor breaches, the OAIC can investigate, make determinations, and require remedial action. Reputational damage from a reported breach can be significant.

Getting Your Privacy Policy Right

A compliant privacy policy:

  1. Reflects your actual practices — not what you would like to say you do
  2. Is specific — not a generic template
  3. Is up to date — reviewed whenever your data practices change
  4. Is accessible — easy to find on your website, in a readable format
  5. Is reviewed when new software, integrations, or business activities are introduced

If you are unsure whether your current privacy policy is compliant, have a lawyer with privacy expertise review it — or use the OAIC's guidance materials as a starting point.

How Reguladar Helps

Privacy compliance obligations — from maintaining a current privacy policy to responding to data breach obligations — are ongoing and interconnected. Reguladar surfaces your privacy obligations in your personalised compliance dashboard, including obligations under the Privacy Act, the Notifiable Data Breaches scheme, and any industry-specific privacy rules that apply to your sector.

If new privacy reforms affect your obligations, Reguladar flags what has changed and what you need to do.

Find out what privacy obligations apply to your business. Start your free compliance check at Reguladar and get your full compliance picture today.
