How to Create a Privacy Policy (2026 Update)


How to create a privacy policy in Australia comes down to matching what you actually do with personal information to a clear, plain-English document that sits on your website. Your policy has to cover what data you collect, how you use it, where it goes, how long you keep it, and how someone can complain if something goes wrong. Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), it is a legal requirement for most businesses collecting personal information online. As of the 2024 reforms, privacy policies also need to prepare for automated-decision-making disclosures that become mandatory in December 2026.

Most business owners treat their privacy policy like a sticker they slap on the website so they can launch. You copy one from another site, change the name, and move on. This worked, sort of, in 2018. It does not work in 2026. Since the Privacy and Other Legislation Amendment Act 2024 commenced, the stakes of getting this wrong have moved up several notches. There is now a statutory tort that lets individuals sue for serious privacy breaches, tiered civil penalties, and infringement notices up to $66,000 per contravention. A privacy policy that does not reflect what your business actually does with data is the kind of gap that now has real financial and legal consequences.

Fast facts

  • A privacy policy is mandatory if you meet one of several tests, not just the turnover test. Annual turnover over $3 million triggers the requirement, but so does being a health service provider, a credit reporting body, a contractor handling government data, or a business that trades in personal information. Most online businesses are caught by at least one.
  • The 2024 reforms changed the risk profile. A statutory tort for serious invasions of privacy commenced 10 June 2025. Civil penalties now scale with severity. Infringement notices up to $66,000 per contravention. Reasonable security steps must now include technical and organisational measures.
  • Automated decision-making disclosure becomes mandatory from 11 December 2026. If your business uses AI, machine learning, or rules-based systems to make decisions that significantly affect individuals, your privacy policy will need to disclose it. Start planning that content now.
  • Your privacy policy must match what you actually do. Copying another business’s policy and leaving it at that is the single most common failure mode. The OAIC and the courts look at practice, not text.
  • You can create a Privacy Policy online through Lawpath in minutes. For most small businesses a templated policy tailored to your data practices plus a lawyer review covers what you need.

Lawpath’s Dominic Woolrych on what a privacy policy is and why Australian businesses need one.

What a privacy policy actually does (and what it doesn’t)

A privacy policy is a public-facing legal document that tells people three things: what personal information you collect, how you handle it, and what rights they have in relation to it. That includes what data you capture through your website, how you store it, who you share it with, whether it goes overseas, how long you keep it, how someone can access or correct their own data, and how they can complain if they think you have mishandled it.

It is worth understanding the limits of what a privacy policy does. The policy sets the public commitment, but it does not shield you from a data breach, does not form a contract between you and your users (your Website Terms and Conditions do that), and does not substitute for actually protecting the data. Everything beyond the policy is the hard work of living up to it, and under Australian Privacy Principle 11 you now need to take reasonable technical and organisational measures to keep personal information secure, which the 2024 reforms explicitly clarified.

Customers, investors, enterprise buyers, and app stores now expect a privacy policy to be present before they will do business with you. Apple’s App Store review guidelines require one. Google Play requires one. Many enterprise procurement teams will not even get to a first call without seeing one. So beyond compliance, it is now table stakes for being taken seriously online.

Who legally needs a privacy policy in Australia?

The Privacy Act 1988 (Cth) and the Australian Privacy Principles apply to any Australian business or organisation that meets at least one of the following tests:

  • Annual turnover over $3 million (this is the commonly cited trigger, but it is only one of several)
  • Health service providers of any size, including allied health, GPs, dentists, pharmacies, and NDIS providers
  • Credit reporting bodies and credit providers
  • Businesses that trade in personal information, including selling or buying mailing lists
  • Contractors and subcontractors who handle personal information under a Commonwealth contract
  • Residential tenancy database operators and certain other specific business types

Most online businesses are caught by one of these tests even well below the $3 million turnover threshold. If you run an e-commerce site, sell on Facebook or eBay, operate a booking platform, collect email subscribers, or use third-party analytics that captures user data, you are almost always going to have obligations either directly under the Act or through platform requirements such as Apple, Google, Meta, or enterprise customer contracts. In practical terms, if you are asking the question of whether you need one, you almost certainly do.

Expect the small business exemption to narrow further. It has been under review for years and Tranche 2 of the privacy reforms is expected to tighten it. Lawpath’s view is that any business building for growth should adopt APP-compliant practices now rather than redesign them later.

What the 2024 to 2026 privacy reforms actually changed

The Privacy and Other Legislation Amendment Act 2024 (Cth), commonly called POLA or Tranche 1, received Royal Assent on 10 December 2024. It is the most significant change to Australian privacy law since the Act commenced. If your privacy policy has not been reviewed since 2022 or 2023, it is out of date. Here is what changed and what you need to know.

Statutory tort for serious invasions of privacy (in force from 10 June 2025)

This is the biggest change. Individuals now have a direct personal right to sue for serious invasions of privacy, separate from the Privacy Act framework and separate from any OAIC involvement. Two categories are covered: intrusion upon seclusion (for example, being photographed without consent in a private context) and misuse of information relating to the person. To succeed, the plaintiff needs to show the invasion was intentional or reckless and that they had a reasonable expectation of privacy. Non-economic damages can be awarded and are capped at the same level as defamation, which is substantial.

What this means in practice: a data breach caused by known or obvious system weaknesses can now give rise to a tort claim, independent of any APP contravention. Class action risk has increased because the cause of action is actionable without proof of loss. The bar for recklessness is high, so ordinary negligence will not suffice, but organisations with known-but-unaddressed security gaps are exposed.

Tiered civil penalties and infringement notices (in force now)

Under POLA, the old single-penalty structure has been replaced. The OAIC can now issue infringement notices of up to $66,000 per contravention for lower-level breaches, issue compliance notices that specify how privacy failures must be fixed, and pursue tiered civil penalties in court. For serious or repeated interferences with privacy, penalties can reach the greater of $50 million, three times the benefit obtained, or 30 per cent of adjusted turnover during the breach period. The old “$1.7 million” figure some older articles still reference is well out of date.

Cyber security uplift under APP 11 (in force now)

APP 11 requires reasonable steps to keep personal information secure. The 2024 reforms explicitly clarified that “reasonable steps” now includes both technical measures (encryption, access controls, logging) and organisational measures (staff training, access policies, incident response plans). Organisations relying on a “we have a firewall” approach to security will struggle under the new standard.

Automated decision-making transparency (commences 11 December 2026)

From 11 December 2026, if your business uses a “computer program” (which covers AI, machine learning, rules-based engines, and similar) to make decisions that significantly affect an individual, your privacy policy will need to disclose this. The affected decision types include service access, pricing, application approvals, fraud detection, and anything that changes how someone is treated. There is a 24-month grace period that ends in December 2026, so the privacy policy you draft now should already be planning for this disclosure if you use any form of automated processing.

Children’s Online Privacy Code (to be registered by 10 December 2026)

Work is underway on a specific code for how the APPs apply to children’s privacy online. The OAIC must register it by 10 December 2026. If your product is accessed by anyone under 18, your policy and practices will need to meet this code when it is finalised.

Doxxing is now a criminal offence

New offences were added to the Criminal Code by the 2024 reforms for online disclosures of personal data that are menacing or harassing. This sits alongside the Privacy Act rather than inside it, but it is part of the same reform package and shapes the risk landscape for any business handling user content.

Tranche 2 is coming

A second tranche of reforms is under consultation as of 2026, addressing the recommendations from the 2022 Privacy Act Review Report that did not make it into Tranche 1. Likely inclusions: a “fair and reasonable” test for data handling, reform of the small-business exemption, broader consent and definition changes, and further-expanded individual rights. The broad direction is GDPR-alignment, so policies that already meet APP-plus-GDPR standards will be better placed when Tranche 2 lands.


What to include in your privacy policy

A privacy policy that complies with the APPs needs to cover ten things. Each corresponds to one or more Australian Privacy Principles. Miss any of them and your policy is either non-compliant or materially incomplete.

  1. The kinds of personal information you collect. Names, contact details, payment info, health info, IP addresses, location data, analytics identifiers, device identifiers, cookies, anything from third-party APIs. Be specific.
  2. How you collect it. Forms, account creation, purchases, analytics, cookies, social login, third-party APIs (for example, Google Places, Stripe, Meta Pixel), inferred from behaviour.
  3. Why you collect it and how you use it. The primary purpose (delivering your service) and any secondary purposes. If you use data for marketing, analytics, or product development, say so.
  4. Who you share it with. Specific named third parties where possible (payment processors, hosting providers, email platforms, analytics providers), or clearly defined categories. Vague “trusted partners” language will not hold up.
  5. Whether data goes overseas. If so, which countries, and what safeguards are in place. The 2024 reforms are simplifying overseas transfer rules through ministerial whitelisting, but until those determinations land, standard contractual safeguards still apply.
  6. How you store and secure the information. The storage location, retention period, and the technical and organisational measures protecting it. Post-2024, vague assurances are a liability.
  7. How users can access and correct their own information. The Privacy Act gives individuals a statutory right to access and correct their data. Your policy must explain how to make that request.
  8. How users can make a privacy complaint. The contact details, the internal process, the timeline, and the external options (OAIC) if they are unhappy with the outcome.
  9. Use of cookies and tracking technologies. Categories of cookies, whether they are essential, analytics, or advertising, and how users can control them. This increasingly needs its own cookie banner or management interface as well.
  10. Automated decision-making (from December 2026). If you use computer programs to make decisions with significant effects, you need to disclose this, explain how the decision-making works at a high level, and cover human oversight arrangements.

How to actually create your privacy policy

For most small businesses, drafting a privacy policy from scratch is both unnecessary and risky. A solid template customised to your business is faster, more consistent with APP compliance, and more cost-effective. Here is the practical sequence:

  1. Map what data you actually collect. Before you touch a template, write down every form, third-party integration, analytics tool, and payment processor that touches personal information on your site or app. If you do not know, your policy cannot be accurate.
  2. Use a customisable template. Lawpath’s Privacy Policy template is built for Australian businesses and walks you through each APP-aligned section. For businesses with EU customers, the GDPR Privacy Policy variant covers both regimes.
  3. Fill in honestly, not aspirationally. The policy has to describe what you do, not what you wish you did. If you share data with Stripe, name Stripe. If your analytics vendor is based in the US, say so.
  4. Get it reviewed by a lawyer. A Legal Advice Plan gives you a lawyer review at a fraction of bespoke drafting. For most businesses this step is worth it because templates cannot catch what is missing from your own data practices.
  5. Publish it visibly. Link it from the footer on every page, the account creation flow, the checkout, and anywhere you collect personal information. A policy buried under a menu does not meet APP 1.
  6. Review it every 12 months, and any time your data practices change. New third-party integration, new product feature, new marketing tool, new country of operation. All of them can invalidate the existing policy.

What we see in Lawpath consultations

Three patterns come up consistently in privacy-related briefs and consultations. Knowing them in advance saves the rush work at launch.

Compliance is treated as the last step before launch, not the first

Here’s a recent example: a brief from a property-comparison platform came in with the front and back end completely built, integration with Google Places APIs live, user session handling working, and a clear plan to commercialise aggregated user data down the line. The only remaining step was the privacy policy and website terms, and they wanted both in place before productionising. That order of operations is more common than it should be. The problem is the privacy policy drives design decisions about what data you can collect, how long you can keep it, and what you can do with it commercially. Drafting the policy after the build means either the policy compromises to fit the build, or the build has to change to fit the policy.

The “copy another startup’s policy” reflex

Founders regularly reach out after pasting an adapted version of a competitor’s privacy policy on their site. The issue is rarely the drafting. It is the mismatch between the policy and the actual data flows. You cannot credibly say you do not share data with third parties if you use Meta Pixel. You cannot claim you only store data in Australia if your SaaS stack is US-hosted. The policy has to match the reality of your stack, and a template customised to your answers catches most of this automatically. The OAIC and any plaintiff under the new statutory tort will look at what you actually do rather than what your policy says.

The commercialisation-of-data clause goes in too late

Businesses that plan to monetise aggregated or anonymised data need to signal that in the privacy policy from day one. Adding it later is legally possible but practically messy, because it requires re-consenting users or at least prominently notifying them, and the resulting drop-off rate is significant. Founders who know they might later want to sell data insights, partner with advertisers, or train models on user-generated content should say so in the initial policy. “Future commercialisation of aggregated data” is a valid inclusion if that is a genuine plan.

Common mistakes to avoid

  • Using an outdated template that cites the old $1.7 million penalty cap. Anything drafted before December 2024 is out of date on penalties, statutory tort, and the APP 11 cyber security uplift. If you last refreshed your policy before POLA, refresh it now.
  • Vague third-party descriptions. “We may share your data with trusted partners” is not enough. Name the categories or, better, the specific providers.
  • Silent on overseas transfers. Most SaaS stacks involve US or European hosting. Not mentioning this is a gap.
  • No complaint process. APP 1 requires you to explain how complaints are handled. A contact email is a start but the policy also needs to describe what happens after a complaint lands.
  • No review schedule. Privacy policies go stale fast. Set a 12-month review in your calendar and also review any time your stack or product changes.
  • Silent on automated decision-making. If you use AI or machine learning for pricing, approvals, recommendations, or fraud detection, you will need ADM disclosure by December 2026. Leaving it out now means a mandatory update soon.
  • Not linking the policy from every relevant page. Footer link is a minimum. Account creation, newsletter signups, and checkout flows should all link it too.

Frequently asked questions

Do I legally need a privacy policy in Australia?

If your business has an annual turnover over $3 million, is a health service provider, handles credit information, trades in personal information, or holds a Commonwealth contract, you are legally required to have a privacy policy under the Privacy Act 1988 (Cth). Even if you do not meet those tests, platform requirements (Apple, Google, Meta), payment processors, and enterprise customers almost always require one before they will do business with you.

How much does it cost to create a privacy policy?

Creating an Australian Privacy Policy through a template platform such as Lawpath costs a few hundred dollars a year as part of a legal plan and is ready in minutes. Bespoke drafting by a privacy lawyer typically runs between $1,500 and $5,000 depending on scope and the complexity of your data flows. For most small and mid-sized businesses, the template-plus-review approach is the most cost-effective.

What happens if I do not have a privacy policy?

If you are required to have one and you do not, the OAIC can investigate, issue infringement notices of up to $66,000 per contravention, require specific remedial action, or pursue civil penalties through the Federal Court. For serious breaches, penalties can reach the greater of $50 million, three times the benefit obtained, or 30 per cent of adjusted turnover. Beyond the regulator, customers can now sue directly under the statutory tort introduced in 2025 if they suffer a serious privacy invasion.

Can I just copy another business’s privacy policy?

This is the single most common mistake. Copying another business’s policy means your policy describes their data practices, not yours. If you share data with third parties they do not, or use tools they do not, your policy is inaccurate from day one. The OAIC and any plaintiff will look at what you actually do, not what your policy borrowed from someone else.

How often should I update my privacy policy?

At least every 12 months, and immediately whenever your data practices change. That includes new integrations, new product features, new marketing tools, new countries of operation, and new laws. If your policy has not been touched since before December 2024, it does not reflect the current Privacy Act regime and needs a refresh.

Do I need a GDPR privacy policy as well as an Australian one?

If you offer goods or services to people in the EU, or you monitor their behaviour (through analytics cookies, for example), the GDPR applies to you regardless of where your business is based. Many Australian privacy policy templates can be extended to meet GDPR requirements, or you can use a dual-compliant policy. The Lawpath GDPR Privacy Policy covers both regimes.

What does the 2025 statutory tort mean for my business?

The statutory tort for serious invasions of privacy lets individuals sue your business directly if you seriously misuse their personal information or intrude on their seclusion, and if the invasion was intentional or reckless. This applies even if you are not otherwise covered by the Privacy Act. The practical takeaway is that known-but-ignored security gaps are now a litigation risk, not just a regulatory one, and proper cyber security and privacy governance have become materially more important.

You don’t have to get this perfect. You do have to get it current.

Most business owners have been putting privacy policy work in the “important but not urgent” bucket for years. That was fine in 2020. It is no longer fine in 2026. The Privacy Act has changed, the penalty regime has changed, and customers can now sue you directly. But nothing about the work is difficult. You just need a policy that matches your actual data practices, reviewed against the current Act, and updated when your stack changes.

Lawpath gives you the privacy policy template, the lawyer review, and the ongoing plan in one place. Start with the template, get it reviewed, publish it, and set a calendar reminder for 12 months from now.
