Minna is the Head of People & Culture at Sprintlaw. After completing a law degree and working in a top-tier firm, Minna moved to NewLaw and now manages the people operations across Sprintlaw.
If your business collects any information about people - customers, leads, employees, patients, or even website visitors - you’re probably wondering whether you need a Privacy Policy.
In Australia, privacy law can feel confusing. There’s a small business exemption, exceptions to that exemption, online data collection to think about, and evolving customer expectations around transparency and trust.
In this guide, we’ll clarify when a Privacy Policy is legally required, when it’s strongly recommended, and what it should include so you can confidently put the right protections in place.
What Is A Privacy Policy And Why It Matters In Australia
A Privacy Policy is a clear, public statement that explains how your business collects, uses, stores, and discloses personal information, and how people can access and correct their data or make a complaint.
It’s not just a document for your website. It’s a promise to your customers (and your team) about how you handle their personal information - and it underpins your processes and staff training.
Even when it’s not strictly mandated by law, having a well-drafted Privacy Policy builds trust, reduces confusion, and keeps your practices aligned with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
Do You Legally Need A Privacy Policy Under The Privacy Act?
Whether you must have a Privacy Policy depends on whether the Privacy Act applies to your business. In simple terms, if you are an “APP entity,” you need a clearly expressed Privacy Policy that’s up-to-date and available free of charge (APP 1).
The $3 Million Small Business Exemption (and When It Doesn’t Apply)
Many Australian small businesses with an annual turnover of $3 million or less are exempt from the Privacy Act. However, there are important exceptions. You will still be covered by the Act (and must have a Privacy Policy) if you, for example:
- Provide health services and hold health information (e.g., GPs, allied health, beauty or wellness services that collect health information).
- Trade in personal information (sell, rent, or purchase personal information).
- Are a credit reporting body or handle certain credit reporting functions.
- Hold Tax File Number (TFN) information.
- Contract with the Commonwealth to provide services.
- Are related to a larger business covered by the Act (e.g., a subsidiary of an APP entity).
So, even if you’re under $3 million, you may still be required to comply with the APPs and publish a Privacy Policy if you fall into any of these categories.
Situations Where A Privacy Policy Is Mandatory Regardless Of Turnover
Outside the $3 million threshold, most medium to large businesses must have a Privacy Policy. In practice, you will also need one if you:
- Operate a health, medical, or wellness service and collect health records.
- Run an online platform or marketplace that collects user profiles, IDs, payment details, or behavioural data.
- Offer services to overseas users where foreign privacy regimes (like GDPR) may apply to your activities.
- Engage in direct marketing, audience profiling, or adtech that involves personal information.
Plus, many partners, enterprise clients, and marketplaces require you to have a Privacy Policy as a condition of doing business - so it can be a commercial requirement even if your turnover is low.
Collecting Personal Information Online (Websites, Apps, Cookies)
If your website or app captures personal information (for example via sign-up forms, checkouts, or analytics), a Privacy Policy is expected. Customers also expect a short, plain-English explanation of tracking technologies - often handled alongside a Cookie Policy - so people understand why and how you use cookies and similar tech.
To be clear: an email field on a “Contact Us” form, a lead magnet download, or a newsletter sign-up is personal information collection. For most businesses, that alone is enough to justify a Privacy Policy even if you’re not legally compelled by the Act.
Common Triggers In Everyday Business
Not sure whether your activities amount to personal information collection? Here are common triggers that should prompt you to put a compliant Privacy Policy in place.
- Online sales and bookings: collecting names, emails, shipping addresses, and payment references at checkout.
- Newsletter sign-ups and lead generation: building a mailing list for offers and updates (and complying with email marketing laws).
- Customer accounts and loyalty programs: storing purchase history, preferences, and identifiers.
- Job applications and HR files: collecting resumes, identification, and reference details.
- CCTV in-store or on premises: capturing images that could identify individuals.
- Guest Wi‑Fi or smart devices: logging device identifiers and connection data.
- Telehealth, fitness, or wellness services: handling sensitive health information.
- B2B SaaS and platforms: onboarding users, monitoring usage, and processing end-customer data.
If any of these sound like your business, it’s time to document how you handle personal information and make your policy accessible (typically from your website footer and app settings).
What Should An Australian Privacy Policy Cover?
Under APP 1, your Privacy Policy must be “clearly expressed and up to date.” In practice, that means addressing (at minimum) the following topics in plain English:
- What you collect: the types of personal information and sensitive information (e.g., contact details, IDs, health information, usage analytics).
- How you collect it: directly from individuals, from third parties, or via technology (forms, cookies, integrations, point‑of‑sale).
- Why you collect it: the purposes (e.g., providing services, customer support, direct marketing, analytics, fraud prevention).
- Direct marketing and opt‑outs: when you’ll send marketing and how people can unsubscribe.
- Disclosures to third parties: service providers, payment gateways, and any overseas disclosures, plus how you safeguard data sent offshore.
- Security and retention: steps you take to protect information and how long you keep it (linked to legal, tax, or business needs).
- Access and correction: how individuals can request access to or correction of their information.
- Complaints handling: how to lodge a privacy complaint and your process for resolving it (and that the complainant can escalate to the OAIC if unsatisfied).
- Cookies and analytics: a summary of tracking (with a link to your standalone Cookie Policy if you have one).
- Unique identifiers: if you use government identifiers (like TFNs) or assign your own customer IDs.
- Children and minors: if your services are used by under‑18s and any additional protections.
- Contact details: a dedicated privacy contact email or form for requests and complaints.
Your policy should match reality. If you change your systems, marketing tools, or data flows, update the policy and your internal procedures together for consistency.
Related Privacy Documents You May Also Need
Privacy compliance is more than a single page on your website. Depending on your model and risk profile, you may also need:
- Privacy Collection Notice: a short notice shown at the point of collection (e.g., forms, checkouts) telling people what you’re collecting and why, and linking to your Privacy Policy.
- Data Breach Response Plan: a step‑by‑step plan so your team knows how to identify, assess, and notify eligible data breaches quickly and lawfully.
- Data Processing Agreement: contract terms for handling personal data as a processor/sub‑processor (common with SaaS providers and vendors).
- Website Terms and Conditions: rules for using your site or platform, covering acceptable use, IP ownership, and liability alongside your privacy terms.
- Cookie Policy: a dedicated summary of cookies and tracking technologies you use and the choices available to users.
- Email Disclaimer: helpful for professional communications that may contain personal or confidential information.
If you operate in multiple jurisdictions or target EU residents, consider whether you also need GDPR wording, which can be addressed in an adapted Australian policy or via a separate GDPR‑aligned privacy notice.
How To Roll Out Your Privacy Practices (Step‑By‑Step)
If you’re building or updating your privacy framework, here’s a simple rollout plan you can follow.
1) Map Your Data
List what you collect, where it comes from, where it goes (vendors, storage locations, and overseas transfers), who can access it, and how long you keep it. This “data map” drives everything else.
2) Decide Which Laws Apply To You
Confirm whether you’re an APP entity, whether any exceptions pull you into the Privacy Act, and whether foreign regimes (like GDPR) may apply based on your audience. If you’re unsure, it’s wise to get help early from a privacy specialist.
3) Draft (Or Refresh) Your Privacy Policy
Tailor it to your data map and actual practices. Keep it plain English and user‑friendly, but legally complete. Align the policy with your Website Terms and Conditions, security measures, and internal procedures.
4) Add Collection Notices Where You Gather Data
Place a concise Privacy Collection Notice on forms, sign‑ups, and checkouts. Link back to your Privacy Policy and explain what’s needed and why (including any marketing use).
5) Implement Cookie and Consent Controls
Publish your Cookie Policy and, where appropriate, enable consent tools for analytics/advertising cookies. Ensure your unsubscribe and opt‑out tools are easy to find and use.
6) Update Your Vendor Contracts
If suppliers or software providers access personal information, ensure your agreements include a suitable Data Processing Agreement (or equivalent clauses) covering security, sub‑processing, and breach notification.
7) Prepare For Incidents
Put a practical Data Breach Response Plan in place and run a short tabletop exercise so your team knows who does what if something goes wrong.
8) Train Your Team And Review Regularly
Brief your staff on handling requests (access, correction, opt‑out) and on basic privacy hygiene. Revisit your policy and processes whenever you change tools, launch new products, or enter new markets.
Frequently Asked Questions
Do I need a Privacy Policy if I only collect email addresses for a newsletter?
Yes, in practice you should have one. It sets transparent expectations for subscribers, supports compliance with direct marketing rules, and is now widely expected by users and partners. Pair it with a simple unsubscribe link in every email and make sure your practices align with Australia’s email marketing laws.
Is a Privacy Policy the same as a Cookie Policy?
No. Your Privacy Policy covers your general data handling under Australian privacy law. A Cookie Policy focuses on web and app tracking technologies. Many businesses have both and cross‑link them so users can find the right information quickly.
What if I use overseas tools like cloud hosting or analytics?
You can disclose personal information overseas, but you should identify those disclosures in your policy and ensure you have appropriate contractual and security protections in place. That’s where strong vendor terms and a fit‑for‑purpose Data Processing Agreement become important.
We’re under $3 million turnover - do we still need a Privacy Policy?
Legally, some small businesses are exempt unless an exception applies. Practically, a policy is still recommended because customers, partners, and platforms expect it, and it makes day‑to‑day compliance (like handling access requests and marketing opt‑outs) much easier.
Key Takeaways
- If you’re an APP entity under the Privacy Act, a clear, up‑to‑date Privacy Policy is mandatory.
- Even if you fall under the small business exemption, exceptions (like health services or trading in personal information) can still require a Privacy Policy.
- Common triggers include online checkouts, mailing lists, loyalty programs, CCTV, job applications, and any use of cookies or analytics.
- Your policy should reflect reality: what you collect, why you collect it, who you share it with, security, retention, access/correction, and complaints.
- Support your policy with practical tools: a Privacy Collection Notice, a Data Breach Response Plan, robust vendor terms (like a Data Processing Agreement), and clear Website Terms and Conditions.
- Treat privacy as an ongoing practice - update documents and train staff whenever your systems or services change.
If you’d like tailored help putting together a Privacy Policy and the right supporting documents for your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligations chat.