The Legal Minimum Requirements
Under the Privacy Act 1988 and the 13 Australian Privacy Principles (APPs), your Privacy Policy must disclose specific categories of information. APP 1.3 requires a "clearly expressed and up-to-date" policy, and APP 1.4 lists what it must contain. The level of detail matters: a vague policy doesn't meet that standard and won't protect you if a complaint is lodged with the Office of the Australian Information Commissioner (OAIC).
Think of your Privacy Policy as a transparency document. Users need to understand exactly what data you collect, why, and what happens to it. Australian courts and regulators expect clear, specific language — not marketing jargon or legal double-speak.
What Personal Data You Collect
Be specific. Don't write "personal information" — list actual examples. Your Privacy Policy should disclose:
- Identifying information: Names, email addresses, phone numbers, physical addresses, ABN or ACN, date of birth
- Online identifiers: IP addresses, device identifiers, unique usernames, cookie IDs, browser fingerprints
- Financial data: Credit card numbers, bank account details, payment transaction history
- Behavioral data: Website browsing history, page interaction patterns, time spent on pages, search queries
- Technical data: Device type, operating system, browser type, internet service provider information
- Location data: GPS coordinates (if you collect it), city/country from IP address, geolocation from mobile apps
- Inferred data: Age group estimates, interest categories, purchasing preferences (derived from collected data)
The more specific your list, the clearer your compliance. APP 1.4(a) requires the policy to state the kinds of personal information you collect and hold, so if you collect customer payment history but don't mention it, your policy doesn't meet the Privacy Act's requirements.
How You Collect It
Explain the mechanism of collection. Users should understand that you don't just "magically" have their data. Common collection methods include:
- Direct entry: Contact forms, registration pages, checkout, profile creation
- Automatic collection: Cookies, server logs, analytics scripts such as Google Analytics 4
- Third-party sources: Social login (Facebook, Google), payment processors, email service providers
- Passive tracking: Session recording tools (Hotjar, Crazy Egg), pixel tags on pages, email open tracking
If you use cookies, specifically mention that you use both essential (functional) cookies and optional tracking cookies. The user should be able to understand that simply visiting your site triggers data collection.
Why You Collect It (Legal Purposes)
APP 3 only allows you to collect personal information that is reasonably necessary for one of your functions or activities, and APP 1.4(c) requires the policy to state the purposes for which you collect, hold, use and disclose it. Typical purposes include:
- Fulfilling transactions: Processing orders, payments, shipments, invoices
- Communication: Responding to support requests, sending transactional emails, confirmations
- Service improvement: Analytics, usability testing, understanding user behavior to improve your site
- Marketing: Newsletters, promotional emails (with consent), targeted ads
- Compliance: Tax records, legal obligations, fraud prevention, security
- Business analysis: Customer segmentation, product development, forecasting
Don't collect data without stating a clear purpose. Catch-all phrases like "for business purposes" or "for future use" tell the reader nothing and won't satisfy APP 1.4(c); they also make it impossible to justify the collection under APP 3 if the OAIC asks.
Who You Share Data With
APP 1.4(c) requires your policy to state the purposes for which you disclose personal information, and APP 5.2(f) requires you to tell individuals which organisations (or types of organisations) you usually disclose it to. In practice that means listing the third parties that access customer data:
- Service providers: Payment processors (Stripe, PayPal), email services (Mailchimp, SendGrid), hosting providers
- Analytics partners: Google Analytics, Hotjar, Mixpanel — they see user behavior data
- Marketing platforms: Meta Pixel, Google Ads, TikTok Pixel — they receive conversion and tracking data
- Customer support: Zendesk, Intercom, HubSpot — if customers contact you, their data goes there
- Affiliates or partners: If you share customer lists with affiliates, disclose it
- Overseas recipients: If any third party is located outside Australia, APP 1.4(f) and (g) require you to say so and, where practicable, name the countries
For each recipient, briefly explain what data they see and why. For example: "Stripe processes payment information to authorize and complete transactions" or "Google Analytics receives IP address and browsing behavior to generate traffic reports."
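You can only disclose recipients you know about, and the third parties on a typical site are embedded by scripts, pixels and iframes rather than by anything in your own code base. The following is an added example, not part of the original article: a small offline inventory tool that parses a page and maps external resource hosts to the recipient and data-flow wording a policy needs. The tracker table, the `example.com` first-party host and the sample HTML are constructed for illustration and should be replaced with your own stack.

```python
"""Inventory third-party recipients embedded in a web page.

Added example, not from the original article. Parses HTML offline and maps
external script/img/iframe/link hosts to the recipients a privacy policy must
name. KNOWN_RECIPIENTS and SAMPLE_HTML are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host (or host suffix) -> (recipient name, what it typically receives).
# Constructed table; extend it for the vendors you actually use.
KNOWN_RECIPIENTS = {
    "googletagmanager.com": ("Google Analytics / Tag Manager", "IP address, page views, events"),
    "google-analytics.com": ("Google Analytics", "IP address, page views, events"),
    "facebook.com": ("Meta Pixel", "page views, conversion events, browser identifiers"),
    "connect.facebook.net": ("Meta Pixel", "page views, conversion events, browser identifiers"),
    "static.hotjar.com": ("Hotjar", "session recordings, clicks, scroll depth"),
    "js.stripe.com": ("Stripe", "payment details entered in the checkout form"),
    "analytics.tiktok.com": ("TikTok Pixel", "page views, conversion events"),
}

# Constructed sample page: two analytics scripts, a first-party stylesheet,
# a 1x1 tracking pixel, a payment iframe and one vendor we do not recognise.
SAMPLE_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="https://static.hotjar.com/c/hotjar-1.js"></script>
<script src="/assets/app.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
</head><body>
<img src="https://www.facebook.com/tr?id=1&ev=PageView" height="1" width="1">
<iframe src="https://js.stripe.com/v3/elements"></iframe>
<script src="https://cdn.unknown-vendor.net/widget.js"></script>
</body></html>
"""


class _ResourceCollector(HTMLParser):
    """Collect the URLs of elements that make the browser contact another host."""
    ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def external_hosts(html, own_host):
    """Return the sorted set of hosts outside own_host (and its subdomains)."""
    parser = _ResourceCollector()
    parser.feed(html)
    hosts = set()
    for url in parser.urls:
        if url.startswith("//"):          # protocol-relative URL
            url = "https:" + url
        host = urlparse(url).hostname     # relative paths have no hostname
        if host and host != own_host and not host.endswith("." + own_host):
            hosts.add(host)
    return sorted(hosts)


def classify(hosts):
    """Split hosts into {host: (recipient, data)} and a list of unknown hosts."""
    recognised, unknown = {}, []
    for host in hosts:
        for suffix, details in KNOWN_RECIPIENTS.items():
            if host == suffix or host.endswith("." + suffix):
                recognised[host] = details
                break
        else:
            unknown.append(host)
    return recognised, unknown


def disclosure_lines(recognised):
    """One policy sentence per distinct recipient, in a stable order."""
    return [f"{name} receives {data}." for name, data in sorted(set(recognised.values()))]


if __name__ == "__main__":
    found = external_hosts(SAMPLE_HTML, "example.com")
    known, unknown = classify(found)
    for line in disclosure_lines(known):
        print(line)
    for host in unknown:
        print(f"UNKNOWN recipient: {host} (identify it before publishing the policy)")
```

Static inspection only sees what is in the page source; a tag manager can load further vendors at runtime, so confirm the list against outbound requests in the browser's network panel or a `Content-Security-Policy-Report-Only` header before you rely on it.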
How Long You Keep Data (Retention Periods)
Specify retention periods for different categories of data. You can't keep everything forever. Examples:
- Customer transaction records: 7 years (the Corporations Act requires companies to keep financial records for 7 years; tax law generally requires 5)
- Account data: Until the customer requests deletion or account is inactive for 2 years
- Analytics cookies: 2 years from creation date
- Marketing email lists: Until the user unsubscribes
- Support chat history: 1 year from last interaction
- Server logs: 30 days
If you don't have a clear retention schedule, create one. APP 11.2 requires you to take reasonable steps to destroy or de-identify personal information once it is no longer needed for any stated purpose and no law requires you to keep it, and the OAIC expects businesses to audit and delete outdated personal data on a regular basis, not only when a complaint arrives. Data you no longer hold cannot be exposed in a breach.
Data Subject Rights and Access
Under APP 12, individuals can request access to the personal information you hold about them, and under APP 13 they can ask you to correct it if it's inaccurate, out of date, incomplete, irrelevant or misleading. APP 1.4(d) and (e) require your Privacy Policy to explain:
- How users can request access to their data (email address, form, process)
- How long you'll take to respond (APP 12.4 says "within a reasonable period"; OAIC guidance treats 30 days as the benchmark)
- Any fees involved (APP 12.8 allows a fee that is not excessive for giving access, but none for making the request; most businesses charge nothing)
- How users can request correction of inaccurate data (the Privacy Act has no general right to erasure; destruction once data is no longer needed is your obligation under APP 11.2, but you can still offer deletion on request)
- The process if they want to lodge a complaint with the OAIC
Include a dedicated privacy contact email (e.g. privacy@yoursite.com). APP 1.4 requires the policy to explain how to make access and correction requests and how to complain, so a working contact channel is effectively mandatory, and a dedicated mailbox is the simplest way to make sure those requests are seen and the response clock is tracked.
Data Breach Notification Process
The Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act applies if you are covered by the Act. A breach response plan isn't something the policy has to reproduce, but users and the OAIC will expect you to say how you handle one:
- How you'll detect breaches (monitoring, customer reports, audits)
- Who will assess the severity (risk team, legal, management)
- When you'll notify affected individuals (as soon as practicable once you decide an eligible data breach has occurred; a suspected breach must be assessed within 30 days)
- How you'll notify them (email, SMS, press release for large breaches)
- What information the notification will contain (your identity and contact details, a description of the breach, the kinds of information involved, and the steps individuals should take)
Australia doesn't have a fixed 72-hour deadline like GDPR. Under the NDB scheme, an eligible data breach (unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to any individual) must be reported to the OAIC and the affected individuals "as soon as practicable", and you have at most 30 days to assess whether a suspected breach meets that threshold. Where you can't contact individuals directly, you must publish the statement on your website and take reasonable steps to publicise it.
Your Contact Details
Provide both:
- Physical address: Your actual business address (the Privacy Act doesn't prescribe the format of your contact details, but APP 1.4 requires the policy to explain how to make requests and complaints, and a postal address is what the OAIC and many customers will use)
- Privacy contact email: A dedicated email for privacy inquiries (e.g., privacy@yourcompany.com.au)
- Optional: Phone number, contact form
Users and regulators need to be able to reach you. A "Contact us" form isn't enough — provide a direct email address.
Overseas Data Transfers
If you store data overseas or use overseas services (which is very common), disclose:
- Which countries your data goes to (e.g., USA for Google Analytics, EU for some SaaS tools)
- What data goes overseas (e.g., "customer IP addresses and browsing behavior sent to Google Analytics servers in the USA")
- Why (for analytics, payment processing, etc.)
- Note that overseas recipients may not be bound by the APPs; under APP 8 you must take reasonable steps to ensure they handle the information in line with the APPs, and under s 16C you generally remain accountable if they don't
APP 1.4(f) and (g) require this disclosure if any recipient is likely to be outside Australia, including the countries where practicable.