The Short Answer: Yes
If you run any business in Australia and collect personal data — even small amounts — you need a Privacy Policy. The Privacy Act 1988 makes it compulsory. There's no exemption for small businesses, sole traders, or websites that "don't collect much data."
What Counts as Collecting Data?
Many businesses think they don't collect data because they don't explicitly ask for it. That's a common mistake. Data collection includes:
- Contact forms: Someone submits their email or name — that's data collection
- Google Analytics: Tracking visitor IP addresses and behavior — that's data collection
- Payment processing: Stripe or Square collects payment info — that's data collection
- Cookies: Your website sets cookies — that's data collection
- Email newsletters: You store subscriber emails — that's data collection
- Customer accounts: Users create profiles or make purchases — that's data collection
- Session tracking: Tools like Hotjar or Crazy Egg that record user interactions — that's data collection
- Social media pixels: Facebook Pixel, TikTok Pixel on your site — that's data collection
The Privacy Act uses the broad term "personal information" — any information about an individual that could identify them, even indirectly. If your website has any of the above, you need a Privacy Policy.
Who Must Have a Privacy Policy
You must have one if you:
- Are an Australian business, organization, or sole trader
- Collect any personal data from customers, website visitors, employees, or contractors
- Use any third-party tools (analytics, payment, email, ads) that collect data
- Operate a website, app, or online service
There are very limited exceptions:
- Businesses with fewer than 100 employees: Not technically required to have a Privacy Policy, but it's still recommended and wise. If you face a complaint, a Privacy Policy shows good-faith compliance.
- Non-business organizations: Some not-for-profits and charities may have exemptions, but consult a lawyer if unsure.
Even the small-business exemption doesn't mean you can ignore privacy law. If you collect personal data, you still must comply with the 13 Australian Privacy Principles (APPs) — a Privacy Policy just makes that compliance transparent.
What Happens If You Don't Have One?
Non-compliance with the Privacy Act carries real penalties:
- OAIC complaints: The Office of the Australian Information Commissioner can investigate complaints from customers. They can order you to stop breaching privacy, apologize, or pay compensation.
- Reputational damage: Users lose trust if they discover you're collecting data without disclosing it.
- Data breach liability: If a breach occurs and you have no Privacy Policy, you can't claim you told users how you'd protect their data. You're liable.
- Legal fines: For serious breaches, the Privacy Commissioner can impose civil penalties (though prosecution is rare, it happens).
- Regulatory action: If you're in a regulated industry (finance, health), missing a Privacy Policy is grounds for regulatory action.
Privacy Act 1988 Requirements
The Privacy Act requires that you:
- Have a Privacy Policy available to the public
- Make it easy to find (usually via a privacy link in your website footer)
- Keep it up to date as your practices change
- Provide a way for people to contact you with privacy questions
The Privacy Act doesn't specify exactly what must be in the policy — that's why compliance is about following the 13 Australian Privacy Principles (APPs), not copying a template. That said, a well-written Privacy Policy that covers the APPs is your best defense.