If your business collects any personal information in Australia - even something as simple as a name and email address - you’ve probably heard you need a Privacy Policy. But what about a privacy collection notice? Are they the same thing? And if you already have a Privacy Policy, do you still need to show a separate notice when you collect data?
Short answer: yes, in most cases you should have both. They serve different purposes under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Using them together is the best way to stay compliant and build trust with your customers.
In this guide, we’ll break down what each document does, when a collection notice is legally required, what to include, and how to deliver notices across your website, forms and offline touchpoints. We’ll also share practical tips to avoid common mistakes - so you can collect data confidently and do the right thing by your customers.
What’s The Difference Between A Privacy Policy And A Collection Notice?
A Privacy Policy is your overarching, public-facing statement that explains how your business handles personal information across the board - what you collect, why you collect it, how you store and disclose it, and how people can access or correct their information.
A privacy collection notice is a short, context-specific notice you give at (or before) the time you collect personal information. It tells people what you’re collecting right now, why you need it, what happens if they don’t provide it, and who you may share it with for this specific interaction.
Think of it this way:
- Your Privacy Policy is the full story (all your practices, in one place).
- Your Privacy Collection Notice is the timely snapshot (just what’s relevant to this collection).
Both relate to the same subject - personal information - but they’re not interchangeable. The Privacy Policy sits on your website and applies to everything you do. The collection notice meets the APPs’ transparency requirements at the moment you collect data (for example, on a signup form or checkout page).
Do I Still Need A Collection Notice If I Already Have A Privacy Policy?
Yes. Under APP 5, you’re required to take reasonable steps to notify individuals about certain matters when you collect their personal information (or to make them aware of those matters). Linking to your Privacy Policy alone is rarely enough.
In practice, this means you should present a concise notice that covers the key points for that specific collection and then provide a link to your full Privacy Policy for further details. The notice and policy work together - the notice sets expectations in the moment, and the policy explains your broader practices.
For example, if a customer signs up to your newsletter, your collection notice should explain that you’re collecting their name and email to send updates and promotions, that they can opt out at any time, and that you handle their data as set out in your Privacy Policy. This is especially important if you plan to send marketing communications and want to ensure your practices also line up with email marketing laws.
When Does Australian Law Require A Collection Notice?
The Privacy Act applies to most Australian businesses with an annual turnover of more than $3 million, plus many smaller businesses in specific categories (for example, health service providers, businesses that trade in personal information, credit reporting bodies, and service providers to the Commonwealth).
If the Act applies to you, APP 5 requires that you notify individuals of certain matters at or before (or, if that’s not practical, as soon as practicable after) collecting their information. These “APP 5 matters” typically include:
- Your identity and contact details.
- The facts and circumstances of collection (including if you collect from someone other than the individual).
- Whether the collection is required or authorised by law.
- The purposes for which you collect the information.
- The main consequences if the information is not collected.
- Any usual disclosures to third parties (including overseas disclosures and the countries involved, if practicable).
- A link to your Privacy Policy and how the individual can access and correct their information or make a complaint.
Even if the small business exemption applies to you, providing clear collection notices is still best practice. It reduces complaints, improves consent quality, and shows customers you take privacy seriously.
What Should A Good Collection Notice Include?
To comply with APP 5 and keep things user-friendly, your collection notice should be short, plain-English and specific to the context. As a starting point, include:
- Who you are: Your business name and contact details.
- What you’re collecting: The specific fields (e.g. name, email, phone, address, payment details).
- Why you’re collecting it: The primary purpose (e.g. to process orders, respond to enquiries, provide services) and any secondary purposes a reasonable person would expect (e.g. direct marketing, service improvement).
- Whether it’s required: If the information is required by law or necessary to provide the service; what happens if it’s not provided.
- Who you share it with: Categories of third parties (e.g. payment processors, IT providers) and whether any are overseas (ideally naming countries if practicable).
- Where to learn more: A link to your Privacy Policy for access/correction rights and complaints.
Keep the tone clear and accessible. If you need separate notices for distinct contexts (for example, job applications versus customer orders), tailor them - you don’t need a one-size-fits-all notice for your whole business.
Do I Need Consent Too?
Consent isn’t always required to collect personal information, but it is required in some cases (for example, for sensitive information or certain marketing scenarios). Where consent is needed, a collection notice alone may not be enough - pair it with an explicit consent mechanism (like an unchecked tick box) and record that consent. If you’re collecting sensitive health information, take extra care with wording and security practices.
Where And How Should You Present Collection Notices?
The law is flexible about format, but the notice must be timely, clear and reasonably prominent for the context. Here are common touchpoints and practical tips:
Website Forms And Checkouts
- Place the notice adjacent to the form fields or submission button.
- Link directly to your Privacy Policy and related policies (for example, your Cookie Policy if you use tracking technologies).
- Use an explicit consent tick box when appropriate (especially for marketing). Don’t pre-tick it.
Mobile Apps
- Present screens that explain what data the app collects (including device data and permissions) and why.
- Link to your policy and make the notice accessible from settings and onboarding.
Point-Of-Sale And In-Store Tablets
- Display a short, readable notice on the signup screen for loyalty programs or receipts-by-email.
- Ensure staff are trained to point customers to the notice and answer basic questions.
Customer Support, Phone Or Email
- For telephone collection, provide a brief oral notice and direct callers to your policy for more detail.
- Include a footer notice (and a link to your policy) when collecting information by email. Pair this with a clear email disclaimer for outbound communications.
Third-Party And Indirect Collection
- If you collect information from someone other than the individual (e.g. a data provider), you may still need to notify the individual as soon as practicable afterwards, unless a limited exception applies.
- Make sure your supplier contracts authorise the sharing and require lawful collection (a data processing clause is helpful here, or a separate Data Processing Agreement).
Compliance Tips And Common Mistakes To Avoid
Getting privacy right is about being transparent, consistent and practical. These tips will help you stay on track:
- Match your notice to your actual practices. If you say you’ll only use emails for account updates, don’t also use them for advertising without updating your notice and getting appropriate consent.
- Keep notices short and readable. Legalese undermines comprehension and trust. Use plain language and bullets where possible.
- Be upfront about optional versus mandatory fields. Explain the consequences if information isn’t provided (for example, you can’t deliver the service).
- Name overseas disclosure countries if you reasonably can. If not, at least identify the types of providers and state that overseas disclosure may occur.
- Align your notice, Privacy Policy and internal processes. Inconsistency is a common source of complaints.
- Review your notices whenever you launch a new product, add a new integration, or start a new marketing program - quick audits help catch gaps. For high-risk projects, consider a Privacy Impact Assessment Plan.
- Plan for incidents. If something goes wrong, a clear Data Breach Response Plan helps you respond quickly and lawfully.
- Don’t forget data lifecycle hygiene. Your notice can link to how you retain and delete data, and your internal practices should reflect good discipline in line with data retention laws in Australia.
Do Collection Notices Replace Terms Of Use?
No. Collection notices address privacy transparency at the point of collection. Your website or app should still include clear Terms of Use to set the rules for access and acceptable behaviour, which sit alongside your privacy documents.
What About Cookies And Tracking?
If you use cookies or similar technologies, tell users what’s happening and why. A concise banner that links to your Cookie Policy and provides choices is a practical approach, and your collection notice for signups should be consistent with it.
Marketing And Unsubscribe
Be transparent about marketing uses in your notice and make opting out easy. This not only aligns with the APPs and spam rules, it’s also good customer experience - and it avoids friction with email marketing laws.
What Legal Documents Help You Stay Privacy-Compliant?
While your collection notice is short, it should be backed by solid documentation and internal practices. Depending on your business, consider putting these in place:
- Privacy Policy: Your main policy covering collection, use, disclosure, storage, access/correction, complaints and overseas transfers.
- Privacy Collection Notice: Context-specific notices tailored to forms, apps and offline touchpoints.
- Data Processing Agreement: Sets out privacy and security obligations with processors and vendors handling personal data on your behalf.
- Data Breach Response Plan: Clear steps for assessing and responding to privacy incidents, including potential notifications.
- Cookie Policy: Explains your use of cookies/trackers and user choices, aligned with your notices and consent flows.
- Terms of Use: Sets the rules for using your site or app; complements your privacy documentation.
- Privacy Impact Assessment Plan: A framework for assessing higher-risk projects or new technologies before launch.
Not every business will need every item on day one, but most will at least need a clear Privacy Policy, tailored collection notices and strong vendor terms. If you’re unsure where to start, getting targeted privacy advice can save time and reduce risk.
Key Takeaways
- You usually need both a Privacy Policy and a collection notice - they serve different roles and work together under the APPs.
- APP 5 requires you to notify individuals at or before collection about key matters like purpose, disclosures and how to access your policy.
- Keep collection notices concise, context-specific and in plain English; then link to your full Privacy Policy for the details.
- Present notices wherever you collect data: website forms, checkouts, apps, in-store signups and phone/email interactions.
- Align your notices with your real-world practices, vendor contracts and internal processes, and review them when things change.
- Support your notices with core documents like a Privacy Policy, Data Processing Agreement and Data Breach Response Plan.
If you’d like a consultation on drafting a Privacy Collection Notice and aligning it with your Privacy Policy, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligation chat.