How to Write a Privacy Policy for Your Website

Last updated: 31 August 2021

How to Write a Website Privacy Policy in Australia – This comprehensive guide outlines everything you need to know about Privacy Policies for Australian websites, blogs, e-commerce stores, etc.

Privacy, and the collection and use of personal information, is a focus for regulators worldwide, including in Australia. The law is changing quickly, and the Office of the Australian Information Commissioner (OAIC) actively monitors Australian websites. Make sure you understand what is expected of you if you collect any personal information from customers or website visitors.

If after reading this guide you still have a question, get in touch as we’d love to keep adding your questions to this comprehensive guide.

The Basics

What is a Privacy Policy?

A Privacy Policy is a brief legal notice which is posted on your website and states:

  • You will respect a visitor’s privacy
  • You will keep their personal information secure, and
  • You will not misuse their email address

Your Policy must comply with the Australian Privacy Act, which has specific requirements in terms of wording and content. Privacy Policies are also called Privacy Notices or Privacy Statements and are often linked to in the footer of a website.

What does a Privacy Policy do?

Your Policy tells your website visitors and customers that you will keep their personal information secure and confidential and that your business is compliant with Australian law. If you request their email address, you will not ‘spam’ them or sell their email address to a third party. If you collect financial, health or personal information, you will not share this information with anyone else.

Your Policy is also your opportunity to reassure website visitors and potential customers that you run a reputable, professional business that is aware of their privacy concerns and takes the security of their information seriously.

Who needs a Privacy Policy?

All Australian websites that collect personal information should have a Privacy Policy.

Australian privacy legislation requires a website to post a Privacy statement if it collects ANY customer or website visitor information. (Strictly, the Australian Privacy Principles bind ‘APP entities’; many small businesses with an annual turnover under $3 million are exempt unless they fall into a category such as health service providers or businesses that trade in personal information. In practice, Google, the app stores and payment providers impose their own Privacy Policy requirements regardless of that exemption, so the safe course is to have one.) The information that triggers the requirement includes:

  • Email addresses
  • Physical addresses
  • Telephone numbers
  • Credit card numbers, etc.

So even if you have a basic Contact Form on your website you MUST have a Privacy Policy statement.

Why have a Privacy Policy?

A while ago we commissioned this video from Professor Hans Von Puppet – after all, legal stuff doesn’t have to be dull! If you don’t have time to watch the video, here are 3 important reasons you need to have a Privacy Policy:

First, Australian law requires you to post one. If you collect any kind of private information – even a simple email address – then you need to tell people what you’re going to do with it.

Second, Google’s services require you to post one. It is a condition of using Google Analytics and Google AdSense that your site publishes an appropriate Privacy Policy, and a site with no privacy or contact information looks less trustworthy to both visitors and search engines.

Third, it helps build trust with your visitors. A well-written, easy-to-understand and comprehensive Privacy Policy statement can add to your credibility and help build rapport with your website visitors.

Privacy Policy vs Terms & Conditions?

A Privacy Policy is a different type of legal notice than a Terms & Conditions statement. However, there can be some overlap and a Terms & Conditions statement often references (and links to) your Privacy Policy. Remember, Terms & Conditions notices can also be called Terms of Service or Terms of Use.

Your Policy should deal with the collection, confidentiality and security of visitor and customer information collected through your website, such as email addresses and browsing activity. Your Terms & Conditions deal with customer service levels, delivery, return and refund policies, limitation of liability, copyright protection, etc.

If you are selling products or services online, your website should have both.

Privacy Policy vs Website Disclaimer?

A Privacy Policy statement is completely different from a Website Disclaimer. Your Privacy Policy deals with the collection, confidentiality and security of visitor and customer information on your website, such as email addresses and browsing activity. A Website Disclaimer deals with information accuracy, copyright, liability for loss or damage, website availability, links, etc.

Your website should have both.

Privacy Policy vs Confidentiality Policy?

When people use the term “Confidentiality Policy” they might be referring to one of two things:

  • A Confidentiality clause in a legal agreement that says both parties to the agreement will keep various information secret and confidential, or
  • A Privacy Policy posted on a website

When the Internet was in its infancy a lot of the online legal terminology was in flux and hadn’t been standardised. Privacy Policy is now the recognised term for a website Confidentiality Policy.

Standard Clauses

What should my Privacy Policy include?

Your website Privacy Policy needs to cover the following 8 elements:

  1. The type of personal information that you collect and store
  2. The purposes for which you collect, hold, use and disclose personal information
  3. How you collect and securely store personal information
  4. A promise not to ‘spam’, sell or rent a visitor’s email address
  5. How an individual may access and correct any information you hold on them, including unsubscribing from any email list
  6. How an individual may complain about a breach of the Australian Privacy Principles and how you’ll deal with the complaint
  7. Whether you disclose personal information to other people or organisations, and if they’re overseas which countries, and
  8. Your contact details

It is not enough for you to post a compliant Privacy notice on your website – you and your business need to uphold the Australian Privacy Principles in practice. For example:

  • Secure the systems that hold personal information (keep software patched, restrict who can access customer data, encrypt data in transit and at rest)
  • Purge out-of-date customer database records rather than keeping them ‘just in case’
  • Act on email list unsubscribe requests promptly
  • Keep your Privacy Policy notice up-to-date as your data practices change, etc.

Should my Privacy Policy include ‘cookies’?

Yes. Your Policy should include a ‘cookie’ notification clause.

A ‘cookie’ is a small piece of data that a website stores in your web browser and that the browser sends back to that website (or to a third party, such as an ad network) on later requests. Cookies let a website remember your settings and preferences between visits, and they are also the usual mechanism for serving targeted ads to you while you browse the Internet. A cookie cannot read other files on your computer, and a cookie on its own does not contain your name, address, email address or telephone number. However, a persistent identifier stored in a cookie lets the site or network link your browsing activity over time, and once that activity can be tied to an individual it becomes identifiable information.

If your website targets UK or EU users you should be aware of the additional ‘cookie’ consent rules that apply there, covered in the UK/EU section later in this guide.

Should my Privacy Policy include Google Analytics and AdSense?

Yes. Google Analytics, Google AdSense and other analytics and ad serving networks track your website visitors using ‘cookies’. The identifiers these ‘cookies’ carry allow the network to link a visitor’s activity across pages and visits, which amounts to collecting personally identifiable information from your visitors.

So your Policy needs to include a notification to this effect. You should also note that it is a condition of using these Google services that you post an “appropriate” Privacy Policy notice.

Should my Privacy Policy include PayPal and Stripe?

Maybe. If you accept online payments – either via PayPal or an online credit card transaction processor like Stripe – you need to tell your website customers how you handle their credit card details, address, telephone number, etc.

Do you store credit card details on your servers or in your shopping cart software? Is customer information encrypted and transmitted over secure (i.e. https) connections? Do your payment processing providers comply with the Payment Card Industry Data Security Standard (PCI DSS)?

A practical note: if card numbers ever pass through or are stored on your own servers, your whole environment falls within PCI DSS scope. Most small sites avoid this by using the processor’s hosted payment page or embedded card fields (as PayPal and Stripe offer), so that the card number goes directly to the processor and never touches your systems. Your Policy can then say so honestly.

Sometimes it is appropriate to link to the Privacy Policies of your payment processing providers – to give your customers greater comfort when dealing with you.

Privacy Policy Types

Privacy Policies for blogs?

Two distinctive features of blogs are that they usually allow visitor comments and also publish online advertisements from providers such as Google AdSense, Amazon Associates, etc. So your blog Privacy Policy probably needs to take these into account:

  • Comments: If you’re allowing blog comments, then you need a strong Website Disclaimer to inform visitors that you are not responsible for comments made by other people. Remember too that a comment form typically collects the commenter’s name, email address and IP address, so your Privacy notice should cover that information.
  • Advertisements: Ad serving networks usually track your visitors using ‘cookies’ and so your blog Privacy notice needs to include a notification to this effect.

Privacy Policies for e-commerce websites?

E-commerce websites and online stores have a higher standard to meet when dealing with customer information and privacy data issues. If you run an e-commerce site you will be taking payments online and transmitting/storing customer information such as credit card details, addresses, telephone numbers, etc.

Not only will your Privacy Policy statement need to explain how YOU will use, store and keep this information secure. But you will also need to explain how your third party providers:

  • Credit card transaction processor
  • Shopping cart provider
  • Online CRM software provider, etc.

handle personal customer information – and then include this in your Policy. If a provider is located overseas, Australian Privacy Principle 8 requires you to take reasonable steps to ensure the overseas recipient handles the information in line with the Australian Privacy Principles, and you generally remain accountable for what they do with it.

Privacy Policies for apps?

Australian privacy law has changed in recent years and continues to change. App stores now require each app to have its own specific Privacy Policy, stating what personal data the app accesses and how it is used and stored. Privacy has become an important focus for Australian regulators, and extending the requirement to apps has become necessary because apps increasingly access personal data (through app permission settings) that users are often not aware of.

In addition, Apple’s App Store and the Google Play store both require your app to have its own Privacy Policy in order to be listed with them.

Privacy Policies for email marketing?

Did you know Australia has a Spam Act? Yes it does!

The Spam Act 2003 prohibits the sending of unsolicited commercial electronic messages. The penalties for breaking this law can be steep: for sending emails without consent, individuals can be fined up to $8,500 for each breach and companies up to $170,000, with higher maximums for repeat offenders.

If you are engaging in email marketing or you’re an affiliate marketer, make sure you comply with ACMA (Australian Communications and Media Authority) guidance, and with the US CAN-SPAM Act if you email recipients in the United States.

As for your Privacy Policy, make sure you do these 3 things:

  1. Get consent by making people opt into your email list
  2. Link to your Policy whenever you use an opt-in form, and
  3. Include an unsubscribe link in every email you send

Privacy Policies for health and wellness businesses?

If you run a business that is involved in “assessing, recording, maintaining or improving a person’s health” then, under Privacy Law, you fall into the ‘Special Health Privacy’ category. This is quite a broad description but typically covers a business that offers, for example:

  • Health advice, including alternative therapies
  • Massage, yoga and meditation
  • Fitness, exercise and personal training, etc.

If you offer these types of services, you likely collect health, medical and other sensitive information in order to deliver your services. And Privacy Law requires that you comply with stricter Privacy standards.

You need to do these 5 things in your business:

  1. Have a Privacy Policy and Privacy Compliance System in place
  2. Only collect personal information you require to deliver your services
  3. Only use the personal information for the purpose you have agreed
  4. Destroy the personal information when you no longer need or use it
  5. Ensure you have a regular system for securely destroying information you have not used in a “reasonable” amount of time (you cannot keep it ‘just in case’)

Privacy Policies for selling email lists

Do you buy, sell or trade customer email lists? If you do, then you are ‘dealing in’ personal data. And Privacy Law also requires that you comply with stricter Privacy standards.

You need to do these 3 things in your business:

  1. Ensure you have ‘active agreement’ (opt-in) by your customers to use their personal information
  2. Have very clear language that details how you use their personal data (e.g. provide to 3rd parties for marketing related services)
  3. Ensure the customer has a clear understanding of who and where you are providing their personal data

If you need help reviewing your company’s Privacy requirements or writing a more comprehensive Privacy Policy, just get in touch here.

Privacy Policy Templates & Generators

What makes a good Privacy Policy?

A good Privacy statement has a number of elements. Your Privacy statement should be:

  • Easy to read (i.e. not in a small font)
  • Easy to understand, and
  • Easy to find

And of course, your Policy needs to comply with the latest Australian privacy legislation.

Should I write my own Privacy Policy?

Are you an Australian lawyer? No? Then you probably shouldn’t write your own Privacy Policy!

We’ve seen plenty of people try to write their own, copy other websites, mix and match clauses they “liked” from different websites in other countries. It never ends well. Getting a professionally written Privacy Policy, specifically for your website and business, is not expensive. Plus, if you choose the right provider, they’ll make sure your Privacy notice is up-to-date with the latest Australian legislation.

Where to get a Privacy Policy?

Here at Legal123 we have a great website legals generator!

All you have to do is input a few simple details about your business (such as your website URL, address, type of business, etc.) and our online generator will create a customised Privacy Policy for you. Then just copy/paste the text into your website (usually in the footer) and you’re done.

We also offer free updates to our privacy policy templates for Australia – so YOU don’t have to worry about changes to the privacy legislation. We’re Australian lawyers and we make it our business to keep on top of these changes. We don’t overwhelm you with emails, but when the law changes in Australia and the privacy policy is updated we let you know.

Practicalities of Privacy Policies

Where to put a Privacy Policy on my website?

Websites: A convention has emerged over the years of placing links to your legal notices (Privacy Policy, Website Disclaimer and Terms & Conditions) in the footer of your website. Keeping to this convention will make it easier for your visitors and customers to find your Privacy notice.

Apps: Your app should have a website. It’s a great sales tool and does not have to be long or detailed. This should also be the home of your app legals – link in the footer to your app Privacy Policy, Disclaimer, Terms of Use and EULA. These should also be available somewhere in your app navigation.

Email marketing: You should link to your Privacy Policy whenever you use an opt-in form to capture email addresses. And you should probably include a link to your Policy in the footer of every email you send.

Do I need Privacy Policies for other countries?

Australia’s privacy regulations are among the stricter regimes in the world. So if your Privacy Policy meets Australian legal standards then you’ll probably meet the minimum legal standards in most English speaking jurisdictions such as New Zealand, the US, Canada and Singapore. The UK and the EU are the exception: there you must also comply with the GDPR requirements.

However, if you do a significant amount of business in non-Australian countries, then you should have a Privacy Policy that covers these other jurisdictions, particularly if you are dealing with residents of the UK or EU. Privacy regulations in different countries are usually not contradictory, but there may be specific features that you need to include in your Privacy statement and implement in your business.

The most important thing is that your Privacy Policy (and Terms & Conditions) should clearly state that use of your website and sale of any products or services are governed by Australian law. This is called a ‘Governing Law’ clause, and its purpose is to have any dispute heard in an Australian court and determined by Australian law. Be aware that it does not switch off foreign privacy or consumer law: the GDPR in particular applies to you on the basis of where your users are, regardless of what your Governing Law clause says.

Do Australian website Privacy Policies meet UK and EU law?

May 2018 – New GDPR Legislation in UK and EU

New privacy legislation – the General Data Protection Regulation (GDPR) – came into effect in May 2018. It affects all businesses that collect personal information from individuals located in the UK and EU, not only citizens. If you are an Australian business engaged in email marketing to UK and EU customers and you collect their email addresses, then you need to comply with the new regulations.

For more information read our guide: How to Comply with GDPR

The short answer is no. Australia’s privacy regulations fall short of the UK’s (and EU’s) in one important respect. The UK’s Privacy and Electronic Communications Regulations (PECR), which implement the EU ePrivacy Directive, require that if a website uses ‘cookies’ to track website visitor behaviour, then the visitor must be notified and must consent to the use of those ‘cookies’ before they are set.

Current Australian law requires that if you use ‘cookies’ then your Privacy Policy must state how the information is stored (for example, on a secure server) and what it is used for. However, notification and active consent is NOT required. If you do a significant amount of business in the UK and EU you should consider modifying your website to show a ‘cookie’ consent banner to UK and EU visitors. The important technical detail is that the banner must actually gate the tracking: analytics and advertising scripts must not run, and their cookies must not be set, until the visitor clicks to accept. A banner that merely informs visitors while the tracking cookies have already been set does not satisfy the UK/EU requirement.
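The following is an added example of the consent-gated approach described above. It is not code from this guide or from Legal123; the list of consent regions, the localStorage key, the consent lifetime, the `data-country` attribute (assumed to be set server-side from a geo-IP lookup), the banner markup and the measurement ID are all assumptions for illustration. It goes slightly beyond the text by also expiring a stored decision so visitors are re-asked after a period.

```javascript
// Added example (not from the original guide): load analytics only after consent
// where consent is required, and load nothing at all until the visitor accepts.

// ISO 3166-1 alpha-2 codes for the UK plus the EU/EEA states where the GDPR and
// the ePrivacy cookie rules apply. Assumed list; maintain it yourself.
const CONSENT_REGIONS = new Set([
  "GB", "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE",
  "GR", "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO",
  "SK", "SI", "ES", "SE", "IS", "LI", "NO",
]);

const CONSENT_KEY = "cookie_consent_v1";          // assumed storage key
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000; // assumed: re-ask after ~6 months

// Unknown origin is treated as requiring consent (the conservative choice).
function requiresConsent(countryCode) {
  if (typeof countryCode !== "string" || countryCode.length === 0) return true;
  return CONSENT_REGIONS.has(countryCode.toUpperCase());
}

// Read a stored decision. Missing, malformed or expired records count as "no decision".
function readConsent(store, now = Date.now()) {
  let record;
  try {
    record = JSON.parse(store.getItem(CONSENT_KEY));
  } catch (_) {
    return null;
  }
  if (!record || typeof record !== "object") return null;
  if (record.decision !== "accept" && record.decision !== "reject") return null;
  if (typeof record.at !== "number" || now - record.at > CONSENT_TTL_MS) return null;
  return record.decision;
}

function recordConsent(store, decision, now = Date.now()) {
  if (decision !== "accept" && decision !== "reject") {
    throw new Error("decision must be 'accept' or 'reject'");
  }
  store.setItem(CONSENT_KEY, JSON.stringify({ decision, at: now }));
}

// "load": run analytics now; "ask": show the banner and load nothing until accepted;
// "block": the visitor refused, load nothing.
function decideTracking(countryCode, store, now = Date.now()) {
  if (!requiresConsent(countryCode)) return "load";
  const decision = readConsent(store, now);
  if (decision === "accept") return "load";
  if (decision === "reject") return "block";
  return "ask";
}

// Inject the analytics tag. `doc` is passed in so the logic is testable without a
// browser. Idempotent: returns false if the tag is already present.
function loadAnalytics(doc, measurementId) {
  if (doc.getElementById("analytics-tag")) return false;
  const script = doc.createElement("script");
  script.id = "analytics-tag";
  script.async = true;
  script.src = "https://www.googletagmanager.com/gtag/js?id=" + encodeURIComponent(measurementId);
  doc.head.appendChild(script);
  return true;
}

// Browser wiring; skipped when run outside a browser (e.g. under Node for tests).
if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
  const MEASUREMENT_ID = "G-XXXXXXXXXX";                  // placeholder, not a real ID
  const country = document.documentElement.dataset.country; // assumed: set server-side from geo-IP
  const outcome = decideTracking(country, localStorage);
  if (outcome === "load") {
    loadAnalytics(document, MEASUREMENT_ID);
  } else if (outcome === "ask") {
    // Assumed markup: <div id="cookie-banner" hidden> with [data-accept] and [data-reject] buttons.
    const banner = document.getElementById("cookie-banner");
    banner.hidden = false;
    banner.querySelector("[data-accept]").addEventListener("click", () => {
      recordConsent(localStorage, "accept");
      loadAnalytics(document, MEASUREMENT_ID);
      banner.hidden = true;
    });
    banner.querySelector("[data-reject]").addEventListener("click", () => {
      recordConsent(localStorage, "reject");
      banner.hidden = true;
    });
  }
}
```

The design point is that the analytics script tag is only created after `decideTracking` returns "load", so no tracking cookie exists before consent. Geo-IP detection is approximate (VPNs, mobile carriers), which is why an unrecognised country defaults to asking; many sites simply show the banner to everyone and avoid the detection step entirely.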

Australian online privacy law may be modified in the future to follow the UK/EU approach more closely. However, this ‘cookie’ notification rule has been widely criticised and, at the time of writing, had resulted in only 3 fines being issued in 3 years of implementation. So it may be that this regulation is modified or repealed before it is adopted in other countries.

Do Australian website Privacy Policies meet US law?

No. Australia’s privacy regulations are generally stricter than those of the US. However, they differ from the US’s in one important respect. The US Children’s Online Privacy Protection Act (COPPA) restricts the collection of personal information from children under 13 years of age: a website directed at children, or one that knows it is dealing with a child, must obtain verifiable parental consent before collecting it. As this is difficult for a general website to control, your Policy will need to explicitly state that it is not aimed at children under 13 years of age and that you will not knowingly collect data from them.

If your website is, in fact, aimed at children under the age of 13 years, you fall squarely within COPPA: you will need either to avoid collecting their data altogether or to put a verifiable parental consent process in place before you do. In addition, you should add a clause to this effect in your website Privacy statement to ensure that you comply with the US requirements.

For over a decade there has been a great deal of debate in the US about strengthening their privacy laws. At the moment, there is no single regulatory body in the US that oversees privacy regulation. But with privacy being in the spotlight and with EU countries significantly modifying their privacy laws in recent years, this could easily change in the future.

What is a Privacy Policy breach?

If you ‘spam’ your email list, or you or one of your third party providers gets hacked and customer/visitor information is stolen, then you may have breached your Privacy Policy. Whilst it is relatively uncommon to be sued in relation to privacy data breaches, complaints are made regularly to the Australian Privacy Commissioner. The possible outcomes range from an apology and a requirement to change your business processes through to fines and compensation for any financial loss suffered by the individual(s). Note also that since February 2018 the Notifiable Data Breaches scheme requires businesses covered by the Privacy Act to notify the OAIC and the affected individuals when a data breach is likely to result in serious harm, so an incident response plan belongs alongside your Policy.

Posting a well drafted Privacy statement on your website is not sufficient. You need to stand by it, have compliance measures in place in your business and respect the confidential nature of your customers’ personal information. The potential damage to your business from ‘spamming’ your customers or being hacked can be huge and irreversible.

We hope you found this guide to Australian Privacy Policies helpful.

About Vanessa Emilio

Vanessa Emilio (BA Hons, LLB, ACIS, AGIA) is the Founder and CEO of Legal123.com.au and Practice Director of Legal123 Pty Ltd. Vanessa is a qualified Australian lawyer with more than 20 years experience in corporate, banking and trust law. Follow this link to read the full bio of Vanessa Emilio.