If you run a startup or small business, you’re probably collecting personal information more often than you realise - customer enquiries, email newsletter sign-ups, online orders, client onboarding forms, job applications, even analytics cookies on your website.
That’s where a privacy notice comes in. A good privacy notice helps you stay compliant, build trust, and avoid awkward (and sometimes costly) disputes about how you use people’s information.
In this guide, we’ll walk you through what a privacy notice is, when you need one in Australia, and how to write one that’s clear, practical and actually matches what your business does.
What Is A Privacy Notice (And How Is It Different From A Privacy Policy)?
A privacy notice is a short, clear statement that tells someone what you’re doing with their personal information at the time you collect it.
Think of it as the “heads up” you give at the point of collection - for example:
- on a website contact form
- at checkout when someone places an order
- in an onboarding form for new clients
- in an app when a user signs up
- in-store on a sign-up sheet
In Australia, people often use the terms interchangeably, but practically there’s a difference:
- Privacy notice: point-in-time disclosure (short and specific)
- Privacy policy: your broader, ongoing document explaining how your business handles personal information overall
Many small businesses use both. For example, your Privacy Policy might sit in your website footer, while your privacy notice appears directly under your form fields (where customers are most likely to see it).
In Australian privacy law terms, the point-in-time version is often referred to as a “collection notice” - and it’s a key part of compliance when the Privacy Act applies to your business.
Do You Need A Privacy Notice In Australia?
Whether you legally must have a privacy notice depends on whether the Privacy Act 1988 (Cth) applies to you, and how you collect personal information.
When The Privacy Act Typically Applies
The Privacy Act (and the Australian Privacy Principles, or “APPs”) generally applies to:
- Businesses with an annual turnover of more than $3 million
- Some small businesses under $3 million (often called “small business operators”) where an exception applies - for example, if they provide a health service and handle health information, or if they buy/sell personal information
- Businesses that trade in personal information
- Other organisations and activities that are covered regardless of size in certain circumstances (for example, some contractors or service providers handling personal information for government agencies)
It’s worth noting that handling “sensitive information” (like health information) doesn’t automatically mean the Privacy Act applies to every small business in every situation - coverage depends on the type of business and why/how the information is being collected and used.
Even if you’re under the $3 million threshold, a privacy notice is still a smart move because:
- it helps customers feel confident buying from you
- it reduces miscommunication and complaints
- it forces you to map (and improve) your data handling
- it supports partnerships with larger organisations that expect privacy compliance
When You Should Use A Privacy Notice (Even If You’re A Small Business)
In practice, you should strongly consider a privacy notice if you:
- run an online store and collect customer names, addresses and payment details
- use marketing tools, pixels, cookies, or analytics
- collect resumes and personal details when recruiting
- use third-party platforms to store customer data (CRM, email marketing, booking systems)
- handle any information that could reasonably identify a person
If your business stores payment details, be careful - this can trigger additional compliance obligations beyond privacy law. It’s worth reviewing how you handle payment processing and storage against guidance on storing credit card details.
If you’re unsure whether you’re covered, getting tailored legal advice early can save you a lot of time later. (It’s much easier to set up your privacy foundations before your systems and marketing stack get complicated.)
What Your Privacy Notice Should Include (A Practical Checklist)
A strong privacy notice is not about fancy legal wording. It’s about being transparent, accurate, and specific to your business.
Here’s what your privacy notice should usually cover.
1) What Personal Information You Collect
Be specific. “Personal information” can include things like:
- name
- email address
- phone number
- delivery address
- IP address or device identifiers
- purchase history
- customer support messages
If you collect sensitive information (for example, health information), you should get advice - the compliance expectations are often higher.
2) How You Collect It
For example:
- when someone fills out an online form
- when someone creates an account
- when someone purchases a product
- through cookies and analytics tools on your website
- when someone contacts your team by email or phone
If you use tracking technologies, you may also need a separate cookie disclosure. Many businesses use a Cookie Policy alongside their privacy notice for clarity.
3) Why You Collect It (Your Purposes)
This is one of the most important parts of a privacy notice. List the real reasons you need the data, such as:
- to respond to enquiries
- to provide the product or service
- to create and manage customer accounts
- to send order updates and receipts
- to improve your website or offerings
- to send marketing communications (where permitted)
If you send marketing emails or SMS, your privacy notice should line up with your marketing practices and unsubscribe processes. It also needs to sit alongside your compliance under the Spam Act - which is why many businesses review their approach against email marketing laws.
4) Who You Share It With
Most startups share personal information with service providers - even if they don’t “sell” data.
Common examples include:
- payment processors
- eCommerce platforms
- shipping and fulfilment providers
- CRM systems
- email marketing platforms
- IT hosting and cloud storage providers
- accounting and professional advisers
You don’t always need to list every provider by name in a short privacy notice, but you should at least describe the types of third parties you share information with.
If you share personal information with vendors that process data on your behalf (like a CRM provider), you may also need a contract in place to cover how data is handled. This is often done via a Data Processing Agreement.
5) Overseas Disclosures (If Any)
If your business uses cloud tools, it’s common for data to be stored or accessed overseas (for example, servers located outside Australia, or support teams based offshore).
Your privacy notice should disclose whether you’re likely to share personal information outside Australia, and broadly where (if known).
6) Whether Collection Is Required (And What Happens If They Don’t Provide It)
This is often missed, but it matters. If someone can’t place an order or you can’t provide a service without certain information, say so.
For example:
- “If you don’t provide your delivery address, we can’t ship your order.”
- “If you don’t provide your email address, we can’t send your receipt or updates.”
7) How People Can Access Or Correct Their Information
Your privacy notice should tell people how they can request access to, or correction of, their personal information (and how to contact you to do so).
8) How To Complain
Even small businesses should have a straightforward complaint pathway. Your privacy notice can be short here, for example:
- how to contact you with a privacy complaint
- how you will respond (e.g. within a reasonable timeframe)
If you want a more formal version for broader compliance, this is usually expanded in your privacy policy.
For many businesses, the simplest way to operationalise the “point of collection” requirements is to use a tailored Privacy Collection Notice for each key collection point (like sign-up forms and checkout pages).
How To Write A Privacy Notice Step-By-Step (With Practical Examples)
A privacy notice works best when it’s written for real humans - and when it reflects your actual processes behind the scenes.
Here’s a step-by-step approach you can use.
Step 1: Map Your Data Collection Points
Start by listing where you collect personal information, such as:
- website contact form
- checkout page
- newsletter pop-up
- booking form
- lead magnet download form
- job application form
- in-store sign-up sheet
Each collection point may need a slightly different privacy notice, because the purpose and the data collected can differ.
Step 2: Match Each Notice To The Exact Purpose
Your privacy notice should match what you’re doing right there.
For example:
- If it’s a contact form, the purpose might be responding to enquiries and keeping internal records.
- If it’s a checkout, the purpose might be processing payment, shipping, and providing support.
- If it’s a newsletter, the purpose is marketing communications (and you should mention unsubscribing).
A common mistake is using a generic privacy notice that says “we collect information to improve our services” when you’re actually collecting information to ship goods and send marketing. That mismatch can create risk and customer distrust.
Step 3: Keep It Short, Then Link To The Longer Policy
A privacy notice should be easy to read in 10-20 seconds.
A practical structure looks like:
- 1-3 sentences on what you collect and why
- 1 sentence on who you share it with
- a link to your full privacy policy for more details
Example (contact form privacy notice):
“We collect your name and contact details so we can respond to your enquiry and provide our services. We may share your details with our service providers (such as our IT hosting provider). Our Privacy Policy explains how we handle personal information and how you can access or correct it.”
Example (newsletter sign-up privacy notice):
“By subscribing, you agree we may use your email address to send you updates and marketing. You can unsubscribe at any time using the link in our emails. Our privacy policy explains how we handle your personal information.”
Step 4: Use Plain English (And Avoid Overpromising)
Be careful with statements like “we never share your data” or “your data is always stored in Australia”. If those aren’t strictly true (and for many businesses they aren’t), they can create compliance and consumer trust issues.
A better approach is to say what you actually do, in a calm and straightforward way.
Step 5: Make Sure Your Team Can Follow It
Your privacy notice shouldn’t just exist on your website - it should reflect what happens internally.
Ask yourself:
- Who has access to customer data?
- How do you respond if a customer asks for their data to be corrected?
- What happens if someone unsubscribes?
- Do you have a process if there’s a suspected data breach?
If your notice says one thing and your processes do another, it’s a red flag.
Where To Place Your Privacy Notice
A privacy notice is most effective when it appears right where you collect information.
Website Forms
Place the privacy notice:
- directly under the form fields, or
- next to the submit button, or
- as a short statement with a link to your privacy policy
If you use a checkbox (“I agree”), make sure the wording is clear and not misleading. You should also be careful not to bundle unrelated consents together (for example, requiring marketing consent just to submit an enquiry form).
Checkout Pages
Checkout pages usually involve broader data handling (payments, shipping, fraud checks, customer support). Make sure your privacy notice reflects those realities.
It can also help to align your privacy notice with the rest of your customer-facing documents, like your terms of trade or online store terms, so customers aren’t getting mixed messages.
Apps And SaaS Products
If you run an app or subscription product, you may need privacy notices at multiple points:
- sign-up and onboarding
- when collecting device data
- when enabling location features (if applicable)
- when integrating with third-party tools
In-Person Collection
If you collect personal information in person - for example, at events, pop-ups or in-store - you can still use a privacy notice. Options include:
- a sign next to the sign-up sheet
- a short statement printed on the form
- a quick verbal explanation plus a link/QR code to your full privacy policy
Key Takeaways
- A privacy notice is a short, point-in-time explanation of what personal information you collect, why you collect it, and what you do with it.
- Even if you’re a small business, a privacy notice is a practical way to build trust and reduce privacy complaints as you grow.
- A good privacy notice should clearly cover what you collect, your purpose, who you share it with (including service providers), any overseas disclosures, and how people can contact you about privacy.
- Keep your privacy notice short and readable, then link to a fuller privacy policy for the detailed information.
- Make sure your privacy notice matches what your business actually does behind the scenes - accuracy matters more than “perfect” legal wording.
This article is general information only and does not constitute legal advice. Privacy obligations can vary depending on your industry, the type of information you handle, and how your systems are set up.
If you’d like help preparing a privacy notice (or reviewing your privacy compliance more broadly), you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.