How to Write a Privacy Policy for Your Website

Last updated: 4 March 2024

How to Write a Website Privacy Policy in Australia – This comprehensive guide outlines everything you need to know about Privacy Policies for Australian websites, blogs, ecommerce stores, etc.

Privacy, and how personal information is gathered and used, is a focus both worldwide and in Australia. The laws are changing quickly, and Australian websites are actively monitored by the Office of the Australian Information Commissioner (OAIC). Make sure you understand what is expected of you if you gather customer or website visitor personal information.

TLDR: Quick Summary of this Legal Guide

  • A Privacy Policy statement tells your website visitors and customers that you will keep their personal information secure and confidential and that your business complies with Australian law.
  • Australian privacy legislation requires websites to post a Privacy Statement or have a Privacy Policy if they collect ANY customer or website visitor information. This means almost EVERY Australian website needs a Privacy Policy.
  • Your Privacy Policy needs to cover many elements of information collection, the most important ones being the types of information you collect, the purpose of collecting information, how you store collected information, whether you disclose information to other parties, a ‘cookie’ notification clause and how you handle credit card details if you accept online payments.
  • A breach of your Privacy Policy (such as ‘spamming’ customers, or having customer information stolen in a hack) can cause huge and irreversible damage to your business. The Australian Privacy Commissioner may also ask you to issue an apology, change your business processes, or pay fines and compensation for any financial loss suffered by those affected by the breach.

Legal issues covered in this guide


If after reading this guide you still have a question, get in touch as we’d love to keep adding your questions to this comprehensive guide.

The Basics

What is a Privacy Policy?

A Privacy Policy is a brief legal notice which is posted on your website and states:

  • You will respect a visitor’s privacy
  • You will keep their personal information secure, and
  • You will not misuse their email address

Your Policy must comply with the Australian Privacy Act, which has specific requirements in terms of wording and content. Privacy Policies are also called Privacy Notices or Privacy Statements and are often linked to in the footer of a website.

What does a Privacy Policy do?

Your Policy tells your website visitors and customers that you will keep their personal information secure and confidential and that your business complies with Australian law. If you request their email address, you will not ‘spam’ them or sell their email address to a third party. If you collect financial, health or personal information, you will not share this information with anyone else.

Your Policy is your opportunity to reassure your website visitors and potential customers that you are a reputable business, aware of their privacy concerns and the security of their information and that you are a professional business.

Do I Need a Privacy Policy on My Website in Australia?


All Australian websites need a Privacy Policy.

Australian privacy legislation now requires websites to post a Privacy statement if they collect ANY customer or website visitor information. This includes:

  • Email addresses
  • Physical addresses
  • Telephone numbers
  • Credit card numbers, etc.

So even if you have a basic Contact Form on your website, you MUST have a Privacy Policy statement.

Why have a Privacy Policy?

We commissioned this video from Professor Hans Von Puppet a while ago – after all, legal stuff doesn’t have to be dull! If you don’t have time to watch the video, here are 3 important reasons you need to have a Privacy Policy:

First, Australian law requires you to post one. If you collect private information – even a simple email address – you need to tell people what you will do with it.

Second, Google’s terms require you to post one. Using Google Analytics or Google AdSense is conditional on posting an appropriate Privacy Policy, so a site running those services without one is in breach of its agreement with Google.

Third, it helps build trust with your visitors. A well-written, easy-to-understand and comprehensive Privacy Policy statement can add to your credibility and help build rapport with your website visitors.

Privacy Policy vs Terms and Conditions?

A Privacy Policy is a different type of legal notice than a Terms & Conditions statement. However, there can be some overlap and a Terms & Conditions statement often references (and links to) your Privacy Policy. Remember, Terms & Conditions notices can also be called Terms of Service or Terms of Use.


Website Legal Package

Protect your online business in less than 5 minutes with Legal123’s Website Legal Package! Get a customised Privacy Policy, Website Disclaimer and Terms & Conditions tailored to your business. Free updates when the legislation changes. Approved by major Australian banks and credit card processors. Secure your online business today!

Your Policy should deal with the collection, confidentiality and security of visitor and customer information collected through your website, such as email addresses and browsing activity. Your Terms & Conditions deal with customer service levels, delivery, return and refund policies, limitation of liability, copyright protection, etc.

If you sell products or services online, your website should have both.

Privacy Policy vs Website Disclaimer?

A Privacy Policy statement is completely different from a Website Disclaimer. Your Privacy Policy deals with the collection, confidentiality and security of visitor and customer information on your website, such as email addresses and browsing activity. A Website Disclaimer deals with information accuracy, copyright, liability for loss or damage, website availability, links, etc.

Your website should have both.

Privacy Policy vs Confidentiality Policy?

When people use the term “Confidentiality Policy”, they might be referring to one of two things:

  • A Confidentiality clause in a legal agreement that says both parties to the agreement will keep various information secret and confidential, or
  • A Privacy Policy posted on a website

When the Internet was in its infancy, much of the online legal terminology was in flux and hadn’t been standardised. Privacy Policy is now the recognised term for a website Confidentiality Policy.

Standard Clauses

What should my Privacy Policy include?

Your Privacy Policy needs to cover the following 8 elements:

  1. The type of personal information that you collect and store
  2. The purposes for which you collect, hold, use and disclose personal information
  3. How you collect and securely store personal information
  4. A promise not to ‘spam’, sell or rent a visitor’s email address
  5. How an individual may access and correct any information you hold on them, including unsubscribing from any email list
  6. How an individual may complain about a breach of the Australian Privacy Principles and how you’ll deal with the complaint
  7. Whether you disclose personal information to other people or organisations, and if they’re overseas which countries, and
  8. Your contact details

It is not enough for you to post a compliant Privacy notice on your website – you and your business must uphold the Australian Privacy Principles in practice. For example:

  • Take precautions against being hacked
  • Purge out-of-date customer database records
  • Act on email list unsubscribe requests promptly
  • Keep your Privacy Policy notice up-to-date, etc.

Should my Privacy Policy include ‘cookies’?

Yes. Your Policy should include a ‘cookie’ notification clause.

A ‘cookie’ is a small file placed in your web browser that lets a website recognise the same browser on later requests and so record your browsing behaviour. Cookies allow a website to remember your settings and preferences, and allow ad networks to serve ads to you while you browse the Internet. A cookie cannot read other files on your computer, and by itself it usually holds no personal details (e.g. name, address, email address or telephone number), but the identifier it carries lets a site or ad network link your visits together and build up a profile of identifiable browsing behaviour.

If your website targets UK or EU users, you should also be aware of the additional ‘cookie’ consent rules discussed later in this guide.

Should my Privacy Policy include Google Analytics and AdSense?

Yes. Google Analytics, Google AdSense and other analytics and ad-serving networks track your website visitors using ‘cookies’. This tracking can be linked back to an identifiable individual, so it counts as collecting personal information about your visitors.

So your Policy needs to include a notification to this effect. You should also note that it is a condition of using these Google services to post an “appropriate” Privacy Policy notice.

Should my Privacy Policy include PayPal and Stripe?

Maybe. If you accept online payments – either via PayPal or an online credit card transaction processor like Stripe – you need to tell your website customers how you handle their credit card details, address, telephone number, etc.

Do you store credit card details on your servers or in your shopping cart software? Is customer information encrypted and transmitted over secure (i.e. HTTPS) connections? Do your payment processing providers comply with the international PCI DSS (Payment Card Industry Data Security Standard)? Ideally, card numbers should never touch your own servers at all: using the processor’s hosted payment page or tokenised card fields keeps your PCI obligations small and means there are no card details on your systems for an attacker to steal.

Sometimes it is appropriate to link to the Privacy Policies of your payment processing providers – to give your customers greater comfort when dealing with you.

Privacy Policy Types

Privacy Policies for Blogs?

Two distinguishing features of blogs are that they usually allow visitor comments and publish online advertisements from providers such as Google AdSense, Amazon Associates, etc. So your blog Privacy Policy probably needs to take these into account:

  • Comments: If you’re allowing blog comments, you need a strong Website Disclaimer to inform visitors that you are not responsible for comments made by other people.
  • Advertisements: Ad serving networks usually track your visitors using ‘cookies’, so your blog Privacy notice needs to include a notification.

Privacy Policies for Ecommerce websites?

Ecommerce websites and online stores have a higher standard to meet when dealing with customer information and privacy data issues. If you run an ecommerce site, you will be taking payments online and transmitting/storing customer information such as credit card details, addresses, telephone numbers, etc.

Your Privacy Policy statement will need to explain not only how YOU will use, store and keep this information secure, but also how your third-party providers handle personal customer information, including your:

  • Credit card transaction processor
  • Shopping cart provider
  • Online CRM software provider, etc.

Include this in your policy. You remain accountable for personal information you pass to these providers, so any offshore providers will have to meet Australian privacy standards.

Privacy Policies for Apps?

Australian privacy laws have recently changed and are continually changing. App stores now require each app to have its own specific Privacy Policy, stating what personal data is accessed and how it is used and stored. Privacy has become an important focus for Australian regulators. The move to cover apps has become necessary as apps increasingly access personal data (through app permission settings) that users are often unaware of!

In addition, Apple’s App Store and the Google Play store require your app to have its own Privacy Policy before it can be listed with them.

Privacy Policies for email marketing?

Did you know Australia has a Spam Act? Yes, it does!

The Spam Act 2003 prohibits the “sending of unsolicited commercial electronic messages”. And the penalties for breaking this law can be steep. For sending emails without consent, individuals can be fined $8,500 for each breach and companies can be fined $170,000!

If you are engaging in email marketing or you’re an affiliate marketer, make sure you comply with the ACMA (Australian Communications and Media Authority) guidelines and, if you email US recipients, the US CAN-SPAM Act as well.

As for your Privacy Policy, make sure you do these 3 things:

  1. Get consent by making people opt into your email list
  2. Link to your Policy whenever you use an opt-in form, and
  3. Include an unsubscribe link in every email you send

Privacy Policies for health and wellness businesses?

If you run a business that is involved in “assessing, recording, maintaining or improving a person’s health” then, under Privacy Law, you fall into the ‘Special Health Privacy’ category. This is quite a broad description but typically covers a business that offers, for example:

  • Health advice, including alternative therapies
  • Massage, yoga and meditation
  • Fitness, exercise and personal training, etc.

If you offer these types of services, you likely collect health, medical and other sensitive information to deliver your services. And Privacy Law requires that you comply with stricter Privacy standards.

You need to do these 5 things in your business:

  1. Have a Privacy Policy and Privacy Compliance System in place
  2. Only collect the personal information you require to deliver your services
  3. Only use the personal information for the purpose you have agreed
  4. Destroy the personal information when you no longer need or use it
  5. Ensure you have a regular system for securely destroying information you have not used in a “reasonable” amount of time (you cannot keep it ‘just in case’)

Privacy Policies for selling email lists

Do you buy, sell or trade customer email lists? If you do, then you are ‘dealing in’ personal data. And Privacy Law also requires that you comply with stricter Privacy standards.

You need to do these 3 things in your business:

  1. Ensure you have an ‘active agreement’ (opt-in) by your customers to use their personal information
  2. Have very clear language that details how you use their personal data (e.g. provide to 3rd parties for marketing-related services)
  3. Ensure the customer has a clear understanding of who and where you are providing their personal data

If you need help reviewing your company’s Privacy requirements or writing a more comprehensive Privacy Policy, just get in touch here.

Privacy Policy Templates & Generators

What makes a good Privacy Policy?

A good Privacy statement has several elements. Your Privacy statement should be as follows:

  • Easy to read (i.e. not in a small font)
  • Easy to understand, and
  • Easy to find

And of course, your Policy must comply with the latest Australian privacy legislation.

Should I write my own Privacy Policy?

Are you an Australian lawyer? No? Then you probably shouldn’t write your own Privacy Policy!

Plenty of people try to write their own, copy other websites, and mix and match clauses they “liked” from other websites in other countries. It never ends well. Getting a professionally written Privacy Policy, specifically for your website and business, is not expensive. Plus, if you choose the right provider, they’ll ensure your Privacy notice is up-to-date with Australian legislation.

Where to get a Privacy Policy?

Here at Legal123, we have a great website legals generator!

You input a few simple details about your business (such as your website URL, address, type of business, etc.) and our online generator creates a customised Privacy Policy for you. Then copy/paste the text into your website (usually linked from the footer) and you’re done.

We also offer free updates to our privacy policy templates for Australia – so YOU don’t have to worry about changes to the privacy legislation. We’re Australian lawyers and make it our business to keep up with these changes. We don’t overwhelm you with emails, but we will let you know when the law changes in Australia and the privacy policy is updated.

Practicalities of Privacy Policies

Where to put a Privacy Policy on my website?

Websites: A convention has emerged over the years to place links to your legal notices (Privacy Policy, Website Disclaimer and Terms & Conditions) in the footer of your website. Keeping to this convention makes it easier for visitors and customers to find your Privacy notice.

Apps: Your app should have a website. It’s a great sales tool and does not have to be long or detailed. This should also be the home of your app legals – link in the footer to your app Privacy Policy, Disclaimer, Terms of Use and EULA. These should also be available somewhere in your app navigation.

Email marketing: You should link to your Privacy Policy whenever you use an opt-in form to capture email addresses. And you should probably include a link to your Policy in the footer of every email you send.

Do I need Privacy Policies for other countries?

Australia’s privacy regulations are some of the strictest in the world. So if your Privacy Policy in Australia meets our legal standards, you’ll probably meet the minimum legal standards in most English-speaking jurisdictions such as New Zealand, the UK, the US, Canada, Singapore and most of the EU, provided you comply with the GDPR requirements.

However, if you do a significant amount of business in other countries, you should have a Privacy Policy covering those jurisdictions, particularly if you deal with EU residents. Privacy regulations in different countries are usually not contradictory, but there may be specific features that you need to include in your Privacy statement and implement in your business.

Most importantly, your Privacy Policy (and Terms & Conditions) should clearly state that the use of your website and sale of any products or services are governed by Australian law. This is called a ‘Governing Law’ clause and ensures that should any problems arise the claim will be heard in an Australian court and determined by Australian law.

Do Australian website Privacy Policies meet UK and EU law?

No. Australia’s privacy regulations fall short of the UK’s (and EU’s) in one important respect. The UK’s Privacy and Electronic Communications Regulations (PECR), and the EU ePrivacy Directive they implement, require that if a website uses ‘cookies’ that are not strictly necessary (for example analytics or advertising cookies), the visitor must be informed and must consent before those cookies are set.

Current Australian law requires that if you use ‘cookies’ then your Privacy Policy must state how the information is stored (for example, on a secure server) and what it is used for. However, a pop-up and active consent are NOT required. If you do a significant amount of business in the UK and EU, you might consider modifying your website to show a ‘cookie’ consent banner to UK and EU visitors that must be clicked before tracking begins. A banner that merely informs is not enough: the analytics and advertising tags have to be held back until the visitor opts in, and a visitor who declines or ignores the banner must still be able to use the site without those cookies being set.
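The following is an added example of the consent gate described above, not code from the original page or from Legal123. It is written so the decision logic runs outside a browser: the cookie name `cookie_consent`, its `v=1&analytics=1&ads=0` value format, the country code (assumed to come from a GeoIP lookup elsewhere) and the tag URLs are all assumptions for illustration. Visitors from the EU/EEA and UK get no analytics or ad scripts until a consent cookie is present; visitors from notice-only jurisdictions get them straight away, which is the position the guide takes for Australia.

```javascript
// Added example: load analytics/ad tags only after consent in opt-in jurisdictions.
// Assumptions (not from the page): cookie name, value format, placeholder tag URLs,
// and that a GeoIP lookup elsewhere supplies a two-letter country code.

const CONSENT_COOKIE = 'cookie_consent';
// Bump this when the cookie clause of the Privacy Policy changes, so visitors are re-asked.
const CONSENT_VERSION = 1;

// EU-27 plus EEA members and the UK: jurisdictions where non-essential cookies need prior opt-in.
const OPT_IN_REGIONS = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU', 'IE',
  'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE',
  'IS', 'LI', 'NO', // EEA
  'GB',             // UK (UK GDPR + PECR)
]);

// Unknown or missing region fails closed: asking is cheaper than an unlawful cookie.
function requiresOptIn(countryCode) {
  if (!countryCode) return true;
  return OPT_IN_REGIONS.has(countryCode.toUpperCase());
}

// Parse a document.cookie / Cookie header string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue; // attributes such as "Secure" carry no value
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Return the stored decision {analytics, ads}, or null if none is recorded
// or it was given under an older policy version (so the visitor is asked again).
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  const fields = Object.fromEntries(raw.split('&').map((kv) => kv.split('=')));
  if (Number(fields.v) !== CONSENT_VERSION) return null;
  return { analytics: fields.analytics === '1', ads: fields.ads === '1' };
}

// Serialise the visitor's choice for document.cookie / Set-Cookie.
function buildConsentCookie(choice, maxAgeDays = 180) {
  const value = `v=${CONSENT_VERSION}&analytics=${choice.analytics ? 1 : 0}&ads=${choice.ads ? 1 : 0}`;
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Decide which tags may load. `tags` is [{category, src}]; 'necessary' always loads,
// 'analytics' and 'ads' need consent in opt-in regions. Returns the allowed tags and
// whether the consent banner must be shown.
function decideTags(tags, countryCode, cookieString) {
  const optIn = requiresOptIn(countryCode);
  const consent = readConsent(cookieString);
  const allowed = [];
  let showBanner = false;
  for (const tag of tags) {
    if (tag.category === 'necessary') { allowed.push(tag); continue; }
    if (!optIn) { allowed.push(tag); continue; }          // notice-only jurisdiction
    if (consent === null) { showBanner = true; continue; } // hold until the visitor decides
    if (consent[tag.category]) allowed.push(tag);
  }
  return { allowed, showBanner };
}

// Browser glue: inject the permitted scripts. Returns how many were injected (0 without a DOM).
function loadTags(tags) {
  if (typeof document === 'undefined') return 0;
  for (const tag of tags) {
    const s = document.createElement('script');
    s.src = tag.src;
    s.async = true;
    document.head.appendChild(s);
  }
  return tags.length;
}

// Constructed sample tag list with placeholder URLs.
const SAMPLE_TAGS = [
  { category: 'necessary', src: '/static/session.js' },
  { category: 'analytics', src: 'https://analytics.example/tag.js' },
  { category: 'ads', src: 'https://ads.example/tag.js' },
];

// Typical page boot (runs in a browser; a no-op in Node): decide, then inject.
if (typeof document !== 'undefined') {
  const decision = decideTags(SAMPLE_TAGS, window.__visitorCountry, document.cookie);
  loadTags(decision.allowed);
  if (decision.showBanner) document.body.dataset.showConsentBanner = 'true';
}
```

When the visitor clicks the banner, write `buildConsentCookie({ analytics: true, ads: false })` (or whatever they chose) to `document.cookie` and call `decideTags` again; a mismatch on the `v=` field after you update the Privacy Policy’s cookie clause makes the banner reappear automatically.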

Australian online privacy laws may be modified in the future to follow the UK/EU approach more closely. However, this ‘cookie’ consent rule has been widely criticised and resulted in only 3 fines being issued in 3 years of implementation. So it may be that this regulation is modified or repealed before it is adopted in other countries.

information

May 2018 – GDPR in the UK and EU

New privacy legislation – the General Data Protection Regulation (GDPR) – came into effect in May 2018. It applies to businesses anywhere that offer goods or services to, or monitor the behaviour of, people in the EU, regardless of the person’s citizenship. The UK kept an equivalent regime (the UK GDPR) after leaving the EU. If you are an Australian business engaged in email marketing to UK and EU customers and collect their email addresses, you must comply with these regulations.

For more information read our guide: How to Comply with GDPR

Do Australian website Privacy Policies meet US law?

No. Australia’s privacy regulations are generally stricter than those of the US. However, they differ from the US in one important respect. The US Children’s Online Privacy Protection Act (COPPA) restricts the collection of personal information from children under 13 years of age. As this is difficult for a general-audience website to control, your Policy should explicitly state that your website is not aimed at children under 13 and that you do not knowingly collect data from them, and you should delete any such data you discover you have collected.

If your website is, in fact, aimed at children under the age of 13, COPPA requires verifiable parental consent before you collect their personal information, and your Privacy statement must describe what you collect from children, how it is used and how parents can review or delete it. Add a clause to this effect to ensure that you comply with the US requirements.

For over a decade, there has been much debate in the US about strengthening their privacy laws. At the moment, there is no single regulatory body in the US that oversees privacy regulation. But with privacy being in the spotlight and with EU countries significantly modifying their privacy laws in recent years, this could easily change in the future.

What is a Privacy Policy breach?

If you ‘spam’ your email list, or you or one of your third-party providers gets hacked and customer/visitor information is stolen, you may have breached your Privacy Policy. A hack may also be a notifiable data breach: under Australia’s Notifiable Data Breaches scheme, an organisation covered by the Privacy Act must notify the OAIC and the affected individuals if the breach is likely to result in serious harm. Whilst it is relatively uncommon to be sued over privacy data breaches, complaints are regularly made to the Australian Privacy Commissioner. The possible outcomes range from an apology and a requirement to change your business processes through to fines and compensation for any financial loss the individual(s) suffered.

Posting a well-drafted Privacy statement on your website is not sufficient. You need to stand by it, have compliance measures in place in your business and respect the confidential nature of your customers’ personal information. The potential damage to your business from ‘spamming’ your customers or being hacked can be huge and irreversible.

We hope you found this guide to Australian Privacy Policies helpful.


vanessa emilio of legal123

About the Author: Vanessa Emilio

Vanessa Emilio (BA Hons, LLB, ACIS, AGIA) is the Founder and CEO of Legal123.com.au and Practice Director of Legal123 Pty Ltd. Vanessa is a qualified Australian lawyer with 20+ years of experience in corporate, banking and trust law. Click for her full bio or follow her on LinkedIn.

Disclaimer: We hope you found this article helpful, but please be aware that any information, comments or recommendations are general in nature, do not constitute legal advice and may not be suitable for your specific circumstances. Whilst we try our best to ensure that the information is accurate, sometimes there may be errors or new information that has yet to be included. Any decisions you take based on information on this website are made at your own risk and we cannot be held liable for any losses you suffer. Contact us directly before relying on any of this information.