Do You Actually Need a Privacy Policy?
Yes — if you run a business in Australia and collect any personal data, a Privacy Policy is legally required under the Privacy Act 1988. This applies to almost every online business: e-commerce sites, SaaS platforms, apps, and even simple websites with contact forms.
Personal data includes names, email addresses, IP addresses, payment information, phone numbers, browsing behaviour, and cookies. If your website collects any of these, you must have a Privacy Policy.
Even if you think you're not collecting much, consider this: Google Analytics tracks visitor IPs and behaviour. A contact form collects emails. A shopping cart collects payment info. All of these require disclosure in your Privacy Policy.
What the Privacy Act 1988 Requires
The Privacy Act 1988 applies to Australian businesses and organisations that collect and hold personal information. It sets out 13 Australian Privacy Principles (APPs) that govern how you collect, use, disclose, store, and handle personal data.
Your Privacy Policy must explain:
- What personal information you collect — be specific (e.g. "names, email addresses, payment details, device identifiers")
- How you collect it — contact forms, analytics tools, cookies, account signups
- Why you collect it — processing orders, sending marketing emails, improving your service
- Who you share it with — payment processors, email services, analytics providers, third-party vendors
- How long you keep it — retention periods for different data types
- How people access and correct their data — include a contact method
- How you handle breaches — your process for responding to data breaches
- Your contact details — a physical address and email for privacy inquiries
Third-Party Tools: What to Disclose
If you use any external services, you must list them in your Privacy Policy. These services may collect, process, or store personal data on your behalf.
Common tools that collect data:
- Google Analytics 4 — tracks website visitor behaviour, IP addresses, device types
- Stripe, PayPal, or Square — process payments and store payment information
- Mailchimp, ConvertKit, or Klaviyo — email marketing platforms; store email addresses and subscriber data
- Meta Pixel or Google Ads — conversion tracking for retargeting ads
- Hotjar or Crazy Egg — session recording and heatmaps; can capture user interactions
- Slack, HubSpot, or Zendesk — customer support tools; store customer messages and data
- Shopify, WooCommerce, Squarespace — e-commerce platforms; handle customer data
For each tool, disclose what data it collects, what it does with it, and link to its privacy policy so users can learn more.
Comparing Australian Privacy Law to GDPR
If you have EU users or do business in Europe, you may also need to comply with the General Data Protection Regulation (GDPR). Here's how Australian privacy law differs:
Privacy Act 1988 (Australia):
- Applies to Australian businesses that collect personal data
- 13 Australian Privacy Principles (APPs)
- Requires a Privacy Policy but less prescriptive about its exact content
- Data breach notification required only for serious breaches
- No specific consent required before collecting data (except marketing)
- No mandatory data protection officer
GDPR (European Union):
- Applies to any business collecting data from EU residents, regardless of location
- Stricter rules: explicit opt-in consent required for most data collection
- Mandatory privacy policies with very specific required sections
- Must notify authorities and users within 72 hours of a breach
- Larger companies may need a Data Protection Officer (DPO)
- Users have a right to be forgotten (data deletion)
If you have both Australian and EU users, your Privacy Policy should address both standards — which means following GDPR's stricter requirements will keep you compliant with both.
Essential Information to Prepare
Before generating your Privacy Policy, gather this information:
- Your business name and ABN (if you have one)
- Your website URL
- Your physical business address (required under the Privacy Act)
- A contact email for privacy requests — ideally a dedicated privacy@ email
- List all third-party tools your site uses (analytics, payment, email, ads, etc.)
- Your data retention practices — how long you keep customer data (e.g. "3 years for accounting records, 6 months for cookies")
- Details of overseas transfers — do you store data overseas or use overseas services?
- Breach response procedures — describe your process for handling data breaches
When to Update Your Privacy Policy
Privacy law and business practices change. Update your Privacy Policy when:
- You add a new third-party tool or service
- You change how you use customer data
- Australian privacy law changes (the Privacy Act is reviewed regularly)
- You expand to a new country or jurisdiction
- You have a significant data breach
Keep a version history and date your policy clearly so users know when it was last updated.
Frequently Asked Questions
What information must be in an Australian Privacy Policy?
Your Privacy Policy must disclose what personal data you collect, how you collect it, why you collect it, who you share it with, how long you keep it, and how people can access or correct their data. It must also include your contact details and explain how you handle data breaches.
Do I need a Privacy Policy if I use a third-party service like Shopify?
Yes. Even if you use Shopify, WordPress, or another platform, you need your own Privacy Policy. The platform's template only covers their data practices, not yours. You're responsible for disclosing how your business collects and uses customer data.
How do I list third-party tools in my Privacy Policy?
Create a section listing all external tools you use (Google Analytics, Stripe, Mailchimp, Meta Pixel, etc.). For each one, explain what data it collects and link to its privacy policy. Users can then review what each service does.
Do Australian Privacy Laws differ from GDPR?
Yes. The Australian Privacy Act 1988 is less prescriptive than GDPR. GDPR requires explicit opt-in consent and has stricter breach notification rules. If you serve EU users, you must comply with GDPR, which is stricter than Australian law.