5 Mistakes to Avoid in Your Privacy Policy

Are you a small business or a not-for-profit owner? Avoid these common mistakes when using a Privacy Policy for your website.

26th June 2019
Reading Time: 3 minutes

The recent Facebook scandal saw people all over the world debate and raise concerns about online privacy and data collection. Your customers and website users have the right to know how their personal information is collected and used. Legally, you are required to have a privacy policy that complies with the Privacy Act 1988 (Cth) and the 2014 amendment called the Australian Privacy Principles (APPs). In this guide, we’ll discuss five mistakes to avoid in your Privacy Policy.

What is a Privacy Policy?

A Privacy Policy outlines what personal data will be collected and how this data is retained. In addition, this policy also addresses how this data is used by your business and by any third parties. Informing customers about how you manage their personal information through a Privacy Policy helps foster a positive relationship with them.

Do I need a Privacy Policy?

Australian laws require you to have a Privacy Policy if:

  • You are an Australian or Norfolk Island Government agency
  • Your business or not-for-profit generates an annual turnover of at least $3 million
  • You are a health service provider in the private sector

A few specific business structures and not-for-profits with a turnover of less than $3 million are still required to have a Privacy Policy if they fall into one of the following categories:

  • Employee associations registered under the Fair Work (Registered Organisations) Act 2009 (Cth)
  • Contracted service providers for a Commonwealth contract
  • All businesses that sell or purchase personal information
  • Credit reporting bodies
  • All subsidiaries of a company covered by the Privacy Act 1988 (Cth)

If you are unsure whether your small business needs to comply with the Privacy Act 1988 (Cth), please visit the Privacy Business Resource.

What mistakes should you avoid while setting up your Privacy Policy?

1. Failing to disclose how you collect data

It is vital that you consider how your business collects, retains, uses and discloses personal information before drafting your privacy policy. You have a legal obligation to provide accurate and up-to-date details about data collection and retention through your website. Any update to the existing Privacy Policy requires a notice of the changes to be issued to all users. Failure to do so can result in serious consequences.

If you are unsure about your business’s policies regarding data collection and usage, visit our website to connect with a business lawyer who can guide you through this process.

2. Collecting data without permission

Ensure that you have taken the necessary precautions to avoid collecting any unintended or undisclosed data. Only collect the data that is outlined in your Privacy Policy. For instance, if you have specified that you will be collecting email addresses, then you are only permitted to collect this data. You cannot collect users’ dates of birth at the same time without disclosing it.

3. Failing to disclose third-party access

Your website or mobile app may permit third parties to collect data from users. If so, your Privacy Policy should explicitly mention this in its provisions. You are responsible for providing an outline of how this data will be retained and used by those third parties.

Furthermore, if you intend to share aggregated or de-identified information with third parties, you have to mention this in your Privacy Policy.

4. Failing to treat data security seriously

Protecting the privacy of the customers or users who access your website and app is serious business. It is pivotal that the data collected is not misused, modified, disclosed or accessed without authorisation. Incorporating reasonable steps like algorithms, filters, secured servers and anonymisation tools will help protect the data collected. Start by analysing the harm that would occur if the collected data were compromised, and then choose a security measure suited to that level of harm. For example, your website can incorporate SSL if you intend to collect sensitive information like credit card details. This establishes an encrypted link between your web server and the user’s browser so that all data passing between them remains private.

5. Your procedure for dealing with complaints

Your Privacy Policy should outline the procedure for receiving any complaints related to privacy breaches. This will assure users that your business has effective complaint-handling procedures in place to deal specifically with privacy breaches. It is also essential that you provide contact details that users can use to make a complaint in case of a privacy breach.

It is crucial to have an accurate and updated version of a Privacy Policy for your website. Even if the Privacy Act 1988 (Cth) does not apply to your business, it is prudent to have a Privacy Policy for your website or app as this would help build a rapport with your customers and visitors. Finally, the reassurance provided by your Privacy Policy will help you build customer confidence in your products and services.

Don’t know where to start? Contact us on 1800 529 728 to learn more about customising legal documents and obtaining a fixed-fee quote from Australia’s largest lawyer marketplace.

Anjaly Tessa Saji

Anjaly is working in our Content Team as a Legal Tech Intern. She is currently studying a Bachelor of Laws and Bachelor of Science at Macquarie University. She has a particular interest in Intellectual Property Law, Employment Law, and exploring how technology can improve access to justice.