How to Draft a Compliant Privacy Policy under Australian Law
May 2026 · 7 min read
A privacy policy is one of the most-read pages on most business websites. It is also one of the most legally consequential. The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) impose specific obligations on businesses that handle personal information, and a poorly drafted policy creates compliance gaps that regulators and customers will spot.
Who needs a privacy policy?
Most Australian businesses are subject to the Privacy Act 1988 (Cth). The Act applies to:
- Australian Government agencies
- Private sector organisations with annual turnover exceeding $3 million
- Smaller businesses in specific categories (health service providers, businesses trading in personal information, contractors providing services to government agencies, credit reporting bodies, and others)
Even where the Act does not strictly apply, having a privacy policy is increasingly expected by customers, partners and regulators, and is often required by overseas counterparts.
What the law requires
The Australian Privacy Principles (APPs) require regulated businesses to:
- Have a clearly expressed and up-to-date privacy policy (APP 1.3)
- Make the policy freely available, in a form most appropriate to the circumstances (APP 1.4)
The policy must address:
- The kinds of personal information collected and held
- How personal information is collected
- The purposes for which it is collected, held, used and disclosed
- How an individual can access or correct their personal information
- How an individual can complain about a privacy breach
- Whether personal information is likely to be disclosed to overseas recipients
Core sections to include
Who we are. Identification of the entity that owns and operates the business, including ABN.
What information we collect. A clear description of the categories of personal information collected, including identification information (name, contact details, date of birth), transaction information, sensitive information (where applicable), technical data (IP addresses, device information, cookies), and information from third parties.
How we collect information. Direct collection (forms, account creation, transactions), indirect collection (cookies, analytics, third parties), and any specific collection notices.
Why we collect information. The primary purposes for which information is collected, used and disclosed. This should be specific, not generic.
How we use and disclose information. Including internal use, disclosure to service providers and contractors, professional advisers, regulators and government agencies, marketing and analytics, and other specific disclosures.
Overseas disclosures. Where personal information may be disclosed overseas, the policy must identify the countries (or that the recipients are likely to be in unspecified countries).
Storage and security. How information is stored, the security measures in place, and how long information is retained.
Sensitive information. Specific treatment of sensitive information (health, racial or ethnic origin, sexual orientation, etc.), which has higher protection under the APPs.
Cookies and tracking. Explanation of cookies and analytics tools, with consent mechanisms where required.
Direct marketing. How direct marketing is conducted, opt-out mechanisms, and compliance with the Spam Act 2003 (Cth).
Access and correction. How individuals can request access to or correction of their information.
Complaints. The process for making a privacy complaint, including escalation to the Office of the Australian Information Commissioner (OAIC).
Notifiable data breaches. A statement that the business will comply with the Notifiable Data Breaches scheme where applicable.
Updates. How the policy will be updated and how users will be notified of changes.
Contact details. Clear contact details for privacy matters.
Specific compliance issues
Notifiable Data Breaches scheme. Most businesses subject to the Privacy Act must notify the OAIC and affected individuals of "eligible data breaches". The policy should reflect the business's compliance with this scheme.
Sensitive information. The collection of sensitive information generally requires consent. The policy should clearly identify whether the business collects sensitive information and on what basis.
Health information. Specific rules apply to health information. Health service providers and others handling health information need additional compliance frameworks.
Credit reporting. Specific rules apply to credit reporting bodies and credit providers. These businesses need credit reporting privacy policies and credit information statements separate from their general privacy policies.
Children. Where services are directed at or used by children, additional considerations apply, including consent and parental notification.
The 2022–2024 reforms
Significant reforms to the Privacy Act were progressed through 2022–2024, with further changes likely. Key themes include:
- Higher penalties for serious or repeated breaches
- Expanded definition of "personal information"
- Removal or narrowing of small business exemption
- Clearer rules on consent, particularly for "high-risk" processing
- Rights of access, correction and erasure broadly aligned with overseas regimes
Privacy policies should be updated to reflect each major change as it takes effect.
Common pitfalls
- Generic policies copied from overseas templates that don't reflect Australian requirements
- Vague descriptions of how information is used and disclosed
- Failure to address overseas disclosures
- Missing notifiable data breach commitments
- Outdated policies that don't reflect current business practices
- Privacy policies inconsistent with actual data flows
- Marketing practices not reflected in the policy
- No clear access and correction mechanism
Beyond the policy
A compliant privacy policy is necessary but not sufficient. Businesses should also have:
- A privacy framework matching the policy
- Trained personnel
- Processes for access and correction requests
- Data breach response plans
- Vendor and processor agreements with appropriate privacy obligations
- Records of processing activities (where applicable)
How Luma Legal can help
We draft privacy policies tailored to specific businesses, their data flows, and the regulatory regimes that apply to them. We also advise on the broader privacy framework, including data breach response, vendor contracts and APP compliance. Where required, we coordinate with technology, security and operations teams to align practice with policy.
This article is general information only and does not constitute legal advice. For advice on your specific circumstances, please contact us.
Related expertise
Corporate & Commercial