Privacy Law and Small Business in Australia
Many small business owners assume privacy law only applies to big corporations. In practice, the rules are more nuanced — and the consequences of getting it wrong can be costly.
Who Does the Privacy Act Apply To?
The Privacy Act 1988 and the Australian Privacy Principles (APPs) apply to businesses with an annual turnover of more than $3 million. Businesses below that threshold are generally exempt (the "small business exemption"), but there are important exceptions that catch many smaller businesses regardless of turnover:
- Businesses that trade in personal information (buy or sell it, or disclose it for a benefit)
- Health service providers and any business that holds health information (regardless of size)
- Businesses that are related to a larger entity covered by the Act
- Businesses that opt in to the Act voluntarily
- Credit reporting bodies
Even if your business technically falls outside the Act, having a privacy policy is still strongly recommended. It builds customer trust, is increasingly expected by consumers, and positions you for the day the rules change or your turnover crosses the threshold.
What Should a Privacy Policy Include?
If you are covered by the Privacy Act, your privacy policy must explain:
- What personal information you collect and why
- How you collect it (forms, cookies, phone calls, etc.)
- How you store and protect it
- Whether you share it with third parties, who those parties are, and whether any of them are overseas (and in which countries)
- How customers can access or correct their information
- How to make a privacy complaint
What Counts as Personal Information?
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not it is true and whether or not it is recorded in material form. This includes names, email addresses, phone numbers, addresses, photos, payment details, and even IP addresses and device identifiers where they can be linked back to a person. A subset called sensitive information (health, racial or ethnic origin, religious beliefs, sexual orientation, criminal record, and biometric data, among others) attracts stricter rules, including a requirement to get consent before collecting it.
If your website has a contact form, you are collecting personal information. If you keep a customer database, you are storing personal information. Most businesses collect far more than they realise.
Practical Steps for Small Businesses
Even if you are not legally required to have a privacy policy, here is what we recommend as a baseline:
- Write a simple privacy policy and publish it on your website. The OAIC (Office of the Australian Information Commissioner) offers free guidance on writing one at oaic.gov.au.
- Only collect what you need. Do not ask for information you have no use for.
- Secure your data. Use unique, strong passwords and turn on multi-factor authentication for email, cloud and administrator accounts; keep software and plugins patched; encrypt laptops, phones and backups; and give staff access to customer data only where their role needs it. Delete or de-identify personal information once you no longer need it: holding less data means a smaller breach if something goes wrong, and the APPs require it of covered businesses.
- Have a data breach plan. Know who will make decisions, how you will contain the incident (revoke compromised credentials, take the affected system offline), what you will preserve (logs, copies of phishing emails) and who you will call. Under the Notifiable Data Breaches scheme, businesses covered by the Privacy Act must notify the OAIC and affected individuals of an "eligible data breach": unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any individual concerned. A suspected breach must be assessed promptly (within 30 days) and notification made as soon as practicable once it is confirmed.
What About Website Cookies?
If your website uses cookies or tracking scripts, which most do, particularly if you use Google Analytics or run Facebook ads with the Meta pixel, you should disclose this in your privacy policy. These tools send visitor data to the provider, so they also belong in the section on third parties you share information with. While Australia does not yet have the strict cookie consent laws seen in Europe, transparency is good practice and expected by customers.
Getting Help
Privacy law can be complex, particularly as your business grows. If you are unsure whether the Privacy Act applies to your business or what you need to do, consulting a business lawyer is worthwhile. The OAIC also offers free guidance and resources for small businesses at oaic.gov.au.
Need a business lawyer? Search our directory for legal professionals in your area.