You have spent time building your website. Your services are listed, your photos look great, and your contact form is live. But there is one legal document that is quietly missing from most small business websites in Australia. And it is not your contract.
It is your Privacy Policy.
Not the most glamorous topic, we know. But if your website collects personal information (and almost every website does), you have legal obligations under Australian law. Ignoring them, or copying a privacy policy from another website and hoping for the best, will not cut it.
Let us break down exactly what you need, why it matters, and how to get it sorted before EOFY.
Table of Contents
- The most overlooked legal document in small business
- What a Privacy Policy actually is
- Who legally needs a Privacy Policy in Australia
- Why copying someone else's Privacy Policy is a problem
- Why an inaccurate Privacy Policy is worse than none at all
- The three documents every Australian website needs
- What happens if you don't have them
- FAQ
- Get sorted before 30 June
The Most Overlooked Legal Document in Small Business
Ask most small business owners what legal documents they need and you will hear: a contract, maybe an invoice, perhaps a terms of service. Privacy Policy? It tends to get pushed to the back of the to-do list, or skipped entirely.
Here is the thing. If your website has a contact form, an email opt-in, a checkout page, or even Google Analytics running in the background, your website is collecting personal information. That means the Privacy Act 1988 (Cth) applies to you.
The Privacy Policy is the document that tells people what you collect, how you use it, and how you store and protect it. Without one, you are not just missing a document. You are potentially in breach of Australian law.
What a Privacy Policy for Small Business in Australia Actually Is
A Privacy Policy is a legal document that explains your data practices to the people who visit your website and engage with your business. Under the Australian Privacy Principles (APPs), which sit inside the Privacy Act 1988, organisations that collect personal information must have a clearly expressed and up-to-date Privacy Policy.
Specifically, your Privacy Policy needs to cover:
- What kinds of personal information you collect (names, emails, phone numbers, payment details, IP addresses)
- How and why you collect it
- How you store and protect it
- Whether you share it with third parties, including overseas services like Mailchimp, Stripe, or Shopify
- How someone can access or correct their information
- How they can make a privacy complaint
That is not a short list. And it is not a document you can summarise in two sentences at the bottom of your contact page.
Who Legally Needs a Privacy Policy in Australia
The short answer: if your website collects personal information from Australian users, you need one.
The slightly longer answer: the Privacy Act has traditionally applied to businesses with an annual turnover of $3 million or more, but there are important exceptions that catch a lot of small businesses. You are covered if you:
- Trade in personal information
- Provide health services
- Are a contractor to the Australian Government
- Run an online business that collects information directly from individuals
There are also proposed reforms to the Privacy Act that would extend obligations further. The direction is clear: towards more coverage, not less.
Even if you technically fall outside the current threshold, having a Privacy Policy builds trust with your audience. Clients and customers expect it. Platforms like Mailchimp and Stripe contractually require it. And if you ever grow past that threshold, you will already be covered.
Why Copying Someone Else's Privacy Policy Is a Problem
This is the one we see constantly. Someone Googles "privacy policy example" and copies the first result. Or borrows one from a business they admire. Or pastes in the one from a big brand's website and changes the name.
Here is why that is a problem.
That Privacy Policy was written for their business, their tools, and their data practices. Not yours.
Their policy might say they use a particular CRM. You might use a different one. Their policy might not mention the email platform you use, the payment gateway you use, or the countries your data passes through. Their policy says they do not share data with overseas third parties. You do, because your booking tool is based in the US.
The moment you publish a Privacy Policy, you are making legally binding promises to your audience about how you handle their data. If those promises do not match your reality, you have a problem.
Why an Inaccurate Privacy Policy Is Worse Than None at All
This is the part most people do not expect.
If you have no Privacy Policy, you are in breach of your obligations under the Privacy Act. That is a compliance issue.
But if you have a Privacy Policy that makes promises you cannot keep? You are in breach of those promises AND potentially the Australian Consumer Law, which prohibits misleading conduct. You have doubled your exposure.
An inaccurate Privacy Policy can lead to:
- A complaint to the OAIC (Office of the Australian Information Commissioner)
- An ACL claim for misleading your customers
- Loss of trust if a client discovers the mismatch
- Real liability if there is a data breach and your policy said you had protections in place that you did not
The solution is not to have no Privacy Policy. The solution is to have one that is accurate, up to date, and actually written for your business.
The Three Documents Every Australian Website Needs
A Privacy Policy does not stand alone. It is one of three foundational legal documents your website needs to operate properly. Here is how they work together.
1. Privacy Policy
Covers how you collect, use, store, and share personal information. Required under Australian law if your website collects data (which yours does). Updated when your tools or practices change.
2. Website Terms and Conditions
The rules of the road for your website and your business. This document sets out what users can and cannot do on your site, limits your liability, protects your intellectual property, and sets the terms for buying from you. Without it, someone could argue there was no agreement in place.
3. Website Disclaimer
Limits your liability for the information you publish. If you share tips, advice, or content on your website (including blogs), your Disclaimer makes clear it is general information only and not professional advice. It protects you from claims by someone who acted on your content and had a bad outcome.
All three documents work together. The Terms and Conditions sets the rules. The Privacy Policy covers the data. The Disclaimer limits liability for your content. Miss one, and there is a gap.
What Happens If You Don't Have Them
Let us be direct.
Without a Privacy Policy: you risk a complaint to the OAIC, potential enforcement action, and a damaged reputation with privacy-conscious clients.
Without Website Terms and Conditions: you have no agreement governing how people use your site, no intellectual property protection, and no terms governing purchases or bookings made through your website.
Without a Disclaimer: you are exposed to claims from people who relied on your content, whether that is a blog post, a freebie, an online resource, or advice you shared publicly.
Disputes happen. Clients complain. People misread things. These documents are not about assuming the worst of your clients. They are about having something to point to when a situation gets complicated.
FAQ
Do I need these documents even if I am a small business?
Yes. The Privacy Act threshold is $3 million annual turnover, but there are exceptions that catch many small businesses, and those thresholds are under review. Even if you are technically exempt right now, your email platform, payment gateway, or website host contractually requires you to have a Privacy Policy. And practically, your clients expect it.
What if I use Shopify or Squarespace?
Using a platform does not exempt you from your legal obligations. Shopify and Squarespace provide the technology. They do not write your Privacy Policy or your Terms and Conditions for you. The documents you publish on your website are your responsibility. A generic template from your platform is a starting point at best. It will not cover your specific data practices, your tools, or your Australian legal obligations.
Can I write my own Privacy Policy?
Technically, yes. But a Privacy Policy that is missing key elements, inaccurate about your data practices, or not compliant with the Australian Privacy Principles is worse than no Privacy Policy at all. A lawyer-drafted template that you customise for your actual tools and practices is a far better approach than a DIY attempt.
Get Your Website Legally Sorted Before 30 June
The Foundd Legal Website Kit gives you all three documents in one pack. Privacy Policy, Website Terms and Conditions, and Website Disclaimer.
Each document is:
- Lawyer-drafted and compliant with Australian law
- Written in plain English, not legalese
- Ready to customise for your specific business, tools, and practices
- Designed for Australian creative entrepreneurs and small business owners
You do not need to spend thousands on a lawyer to get legally covered. You just need documents that are accurate, thorough, and written for businesses like yours.
Until 30 June, you can grab the Website Kit as part of the Foundd Legal EOFY sale. Spend $150 or more and save 30%. It is one of the best investments you will make in your business before the new financial year.
Grab the Website Kit here.
Your website is working hard for your business every day. Make sure it is legally protected while it does.
About the Author

Riz is the Founder & Director of Foundd Legal, a lawyer with 20+ years’ experience and a long history of building online and ecommerce businesses.
She helps creatives and online business owners protect and grow their businesses with clear, practical legal tools that actually make sense.
Disclaimer
We do our best to keep this content accurate and up to date, but laws change, interpretations evolve, and the internet isn’t perfect. Occasionally, information may be outdated or contain errors.
This content is for general information only and isn’t legal advice. If you choose to rely on it, you do so at your own discretion. For advice specific to your business, you’ll need support tailored to your situation.
All rights reserved. © Foundd Legal Pty Ltd