Last updated: 31 August 2021
Privacy and the gathering and use of personal information is a worldwide and Australian focus. The laws are quickly changing and Australian websites are being actively monitored by the Office of the Australian Information Commissioner (OAIC). Make sure you understand what is expected of you if you gather any customer or website visitor personal information.
Legal issues covered in this guide
Click on any of the questions below to jump to that section of this legal guide.
- The Basics
- Differences in Legal Notices
- Standard Clauses
- Practicalities of Privacy Policies
If after reading this guide you still have a question, get in touch as we’d love to keep adding your questions to this comprehensive guide.
- You will respect a visitor’s privacy
- You will keep their personal information secure, and
- You will not misuse their email address
Your Policy must comply with the Australian Privacy Act, which has specific requirements in terms of wording and content. Privacy Policies are also called Privacy Notices or Privacy Statements and are often linked to in the footer of a website.
Your Policy tells your website visitors and customers that you will keep their personal information secure and confidential and that your business is compliant with Australian law. If you request their email address, you will not ‘spam’ them or sell their email address to a third party. If you collect financial, health or personal information, you will not share this information with anyone else.
Your Policy is your opportunity to reassure your website visitors and potential customers that you are a reputable business, aware of their privacy concerns and the security of their information and that you are a professional business.
Australian privacy legislation now requires websites to post a Privacy statement if they collect ANY customer or website visitor information. This includes:
- Email addresses
- Physical addresses
- Telephone numbers
- Credit card numbers, etc.
First, Australian law requires you to post one. If you collect any kind of private information – even a simple email address – then you need to tell people what you’re going to do with it.
Differences in Legal Notices
Your Policy should deal with the collection, confidentiality and security of visitor and customer information collected through your website, such as email addresses and browsing activity. Your Terms & Conditions deal with customer service levels, delivery, return and refund policies, limitation of liability, copyright protection, etc.
If you are selling products or services online, your website should have both.
When people use the term “Confidentiality Policy” they might be referring to one of two things:
- A Confidentiality clause in a legal agreement that says both parties to the agreement will keep various information secret and confidential, or
- The type of personal information that you collect and store
- The purposes for which you collect, hold, use and disclose personal information
- How you collect and securely store personal information
- A promise not to ‘spam’, sell or rent a visitor’s email address
- How an individual may access and correct any information you hold on them, including unsubscribing from any email list
- How an individual may complain about a breach of the Australian Privacy Principles and how you’ll deal with the complaint
- Whether you disclose personal information to other people or organisations, and if they’re overseas which countries, and
- Your contact details
It is not enough for you to post a compliant Privacy notice on your website – you and your business need to uphold the Australian Privacy Principles. For example:
- Take precautions against being hacked
- Purge out-of-date customer database records
- Act on email list unsubscribe requests promptly
Yes. Your Policy should include a ‘cookie’ notification clause.
A ‘cookie’ is a small file placed in your web browser that collects information about your web browsing behaviour. Use of ‘cookies’ allows a website to tailor its configuration to your needs and preferences, as well as potentially serve ads to you while you are browsing the Internet. Although ‘cookies’ do not access information stored on your computer or any personal information (e.g. name, address, email address or telephone number), they do allow collection of identifiable information.
If your website targets UK or EU users you should be aware of these additional ‘cookie’ regulations.
Yes. Google Analytics, Google AdSense and other analytics and ad serving networks track your website visitors using ‘cookies’. And these ‘cookies’ allow the collection of personally identifiable information from your visitors.
Maybe. If you accept online payments – either via PayPal or an online credit card transaction processor like Stripe – you need to tell your website customers how you handle their credit card details, address, telephone number, etc.
Do you store credit card details on your servers or in your shopping cart software? Is customer information encrypted in transit, i.e. sent only over secure (https) connections? Do your payment processing providers comply with the PCI DSS (Payment Card Industry Data Security Standard), the international standard for handling cardholder data?
Sometimes it is appropriate to link to the Privacy Policies of your payment processing providers – to give your customers greater comfort when dealing with you.
Privacy Policies for blogs?
- Comments: If you’re allowing blog comments, then you need a strong Website Disclaimer to inform visitors that you are not responsible for comments made by other people.
- Advertisements: Ad serving networks usually track your visitors using ‘cookies’ and so your blog Privacy notice needs to include a notification to this effect.
Privacy Policies for e-commerce websites?
E-commerce websites and online stores have a higher standard to meet when dealing with customer information and privacy data issues. If you run an e-commerce site you will be taking payments online and transmitting/storing customer information such as credit card details, addresses, telephone numbers, etc.
You need to find out how your third-party providers, such as your:
- Credit card transaction processor
- Shopping cart provider
- Online CRM software provider, etc.
handle personal customer information, and then include this in your Policy. Any offshore providers will have to meet Australian privacy standards.
Privacy Policies for apps?
Privacy Policies for email marketing?
Did you know Australia has a Spam Act? Yes it does!
The Spam Act of 2003 prohibits the “sending of unsolicited commercial electronic messages”. And the penalties for breaking this law can be steep. For sending emails without consent, individuals can be fined $8,500 for each breach and companies can be fined $170,000!
If you are engaging in email marketing or you’re an affiliate marketer, make sure you comply with ACMA (Australian Communications and Media Authority) and American CAN-SPAM guidelines.
- Get consent by making people opt into your email list
- Link to your Policy whenever you use an opt-in form, and
- Include an unsubscribe link in every email you send
Privacy Policies for health-related businesses?
If you run a business that is involved in “assessing, recording, maintaining or improving a person’s health” then, under Privacy Law, you fall into the ‘Special Health Privacy’ category. This is quite a broad description but typically covers a business that offers, for example:
- Health advice, including alternative therapies
- Massage, yoga and meditation
- Fitness, exercise and personal training, etc.
If you offer these types of services, you likely collect health, medical and other sensitive information in order to deliver your services. And Privacy Law requires that you comply with stricter Privacy standards.
You need to do these 5 things in your business:
- Only collect personal information you require to deliver your services
- Only use the personal information for the purpose you have agreed
- Destroy the personal information when you no longer need or use it
- Ensure you have a regular system for securely destroying information you have not used in a “reasonable” amount of time (you cannot keep it ‘just in case’)
Privacy Policies for selling email lists
Do you buy, sell or trade customer email lists? If you do, then you are ‘dealing in’ personal data. And Privacy Law also requires that you comply with stricter Privacy standards.
You need to do these 3 things in your business:
- Ensure you have ‘active agreement’ (opt-in) by your customers to use their personal information
- Have very clear language that details how you use their personal data (e.g. provide to 3rd parties for marketing related services)
- Ensure the customer has a clear understanding of who and where you are providing their personal data
A good Privacy statement has a number of elements. Your Privacy statement should be:
- Easy to read (i.e. not in a small font)
- Easy to understand, and
- Easy to find
And of course, your Policy needs to comply with the latest Australian privacy legislation.
Here at Legal123 we have a great website legals generator!
Practicalities of Privacy Policies
Do I need Privacy Policies for other countries?
Do Australian website Privacy Policies meet UK and EU law?
No. Australia’s privacy regulations fall short of the UK’s (and EU’s) in one important respect. The UK’s Privacy and Electronic Communication Regulations include the requirement that if a website uses ‘cookies’ to track website visitor behaviour, then the visitor must be notified and consent to the use of ‘cookies’.
Australian online privacy laws may be modified in the future and more closely follow the UK/EU approach. However, this ‘cookie’ notification rule has been widely criticised and resulted in only 3 fines being issued in 3 years of implementation. So it may be that this regulation is either modified or disbanded in the future, before it is implemented in other countries.
Do Australian website Privacy Policies meet US law?
No. Australia’s privacy regulations are generally stricter than those of the US. However, they differ from the US’s in one important respect. US privacy law requires that websites not collect information from children under 13 years of age. As this is difficult for a website to control, your Policy will need to explicitly state that it is not aimed at children under 13 years of age and will not intentionally collect data from them.
If your website is, in fact, aimed at children under the age of 13 years, you will need to ensure that you do not collect their data or information. In addition, you should add a clause to this effect in your website Privacy statement to ensure that you comply with the US requirements.
For over a decade there has been a great deal of debate in the US about strengthening their privacy laws. At the moment, there is no single regulatory body in the US that oversees privacy regulation. But with privacy being in the spotlight and with EU countries significantly modifying their privacy laws in recent years, this could easily change in the future.
Posting a well drafted Privacy statement on your website is not sufficient. You need to stand by it, have compliance measures in place in your business and respect the confidential nature of your customers’ personal information. The potential damage to your business from ‘spamming’ your customers or being hacked can be huge and irreversible.
We hope you found this guide to Australian Privacy Policies helpful.