Legal Documents You Need For Your Website


Website legal requirements are the rules that decide what your business website must do, display and protect under Australian law: a privacy policy if you collect personal data, terms and conditions if you sell, consumer-law-compliant refunds, and proper handling of customer information. Get them in place before you take your first order, not after.

Here is the bit nobody enjoys. Most founders treat the legal side of a website as the last job on the list, somewhere below choosing a font. Then a customer demands a refund you said you would never give, or a contact form quietly collects emails with no privacy policy behind it. The good news: you can sort the essentials in an afternoon, and this guide walks you through exactly what you need.

Fast facts
  • Three documents cover most sites. A privacy policy, website terms and conditions, and a refund or returns policy handle the bulk of website legal requirements for an Australian business.
  • “Under $3 million so I’m exempt” is a trap. Even when the Privacy Act exempts your small business, health providers and anyone trading in personal data are caught anyway, and customers expect a policy regardless.
  • You cannot write away a refund. Consumer guarantees under Australian Consumer Law are non-excludable. A blanket “no refunds” line is void, and claiming otherwise can itself break the law.
  • The penalties are no longer small. Serious privacy breaches now reach the greater of $50 million, three times the benefit, or 30% of turnover. The old “$1.7 million” cap is long gone.
  • You can bundle it. Lawpath’s website legal package gives you the core documents in one place, ready to customise in minutes.

Website legal requirements are every rule that governs how you operate online: how you collect and store personal data, what you promise customers, how you handle payments, and how you market. They apply to any business with a public website, not just big online marketplaces.

That is the first thing people get wrong. A common assumption in our consultations is “it’s only a small site, the rules don’t really apply to me.” They do. A one-page site with a contact form is collecting personal information. A Shopify store taking $30 orders sits under the same Australian Consumer Law as a national retailer. Size changes the penalty exposure, not whether the rules bite.

Four kinds of site need to pay attention:

  • Online stores selling goods or services, including dropshipping and subscriptions
  • Service providers and consultants taking enquiries or bookings
  • Content sites, blogs and directories that collect emails or run ads
  • Membership platforms and apps with user accounts or user-generated content

Start with what you do on the site, then match the document to it. Most Australian websites need the first three below. The rest depend on how your business works.

| Document | You need it when |
| --- | --- |
| Privacy policy | You collect any personal data, even just names and emails through a contact form |
| Website terms and conditions | You sell goods or services, or set rules for using your site |
| Refund and returns policy | You take payment for anything, online or off |
| Email disclaimer | You send business email and want to limit liability for its contents |
| Terms for advertisers or contributors | You run classified ads, or let users post content beyond simple comments |

One warning our lawyers repeat in nearly every website consultation: do not copy another site’s terms. A pasted policy describes someone else’s business, not yours. It misstates what data you collect, references the wrong refund process, and leaves you exposed on the exact risk you were trying to cover.


A Privacy Policy is required by law in certain circumstances. It outlines how your business will use, store and collect your customers' information.

Do you need a privacy policy if your turnover is under $3 million?

Probably, yes. The Privacy Act 1988 (Cth) and the Australian Privacy Principles bind “APP entities,” which generally means businesses turning over more than $3 million a year. That is where the myth starts: founders read “$3 million” and assume they are off the hook.

Look at the carve-outs and the exemption shrinks fast. You are caught regardless of turnover if you provide a health service and hold health information, trade in personal data, or handle tax file numbers and credit information. We saw this play out with a small counselling business: tiny turnover, but as a health service provider it had to run a compliant privacy policy and follow the privacy principles in full.

Even when you are genuinely exempt, customers and platforms still expect a clear policy, and Google asks for one before you can run Analytics or ads. So the practical answer for almost every website is the same: publish one, make it findable from every page, and keep it accurate.

“Accurate” is where the second mistake lives. A privacy policy has to describe your real setup: the payment gateway, the analytics tool, the email platform, the shipping provider, and whether any of them store data overseas. A consistent pattern in our ecommerce consultations is a generic policy that names none of the tools the business actually uses. If your policy and your tech stack disagree, the policy is the problem.

The stakes have changed too. Serious or repeated interferences with privacy now carry a maximum penalty for a company of the greater of $50 million, three times the benefit gained, or 30% of adjusted turnover. A lower tier and infringement notices were added in late 2024, and failing to have a privacy policy at all can now attract a penalty. In 2025 a pathology operator copped a $5.8 million penalty, the first of its kind. The “$1.7 million” figure you will still see floating around old blogs has not been current for years.

What does Australian Consumer Law require on your website?

If you sell to consumers, the Australian Consumer Law (ACL) sets the floor. You have to avoid misleading or deceptive conduct, show prices clearly with mandatory fees included, and honour the consumer guarantees: goods of acceptable quality, fit for purpose, and services delivered with due care. Since 1 July 2021, the “consumer” threshold sits at $100,000, up from the old $40,000 you will still see quoted in dated guides.

Here is the part that trips up most online sellers. Consumer guarantees cannot be excluded, restricted or modified. A blanket “all sales final, no refunds” line does not save you. It is void against those guarantees, and stating it as if it were enforceable can be a false or misleading representation in its own right.

Our lawyers apply the same fix again and again: wording that sets your own returns policy (say, 30 days, unopened) while making clear it operates “to the extent permitted by law” and does not exclude any right under the ACL that cannot be excluded. You keep your commercial policy. You stop pretending it overrides the law. A subscription founder we worked with had a hard “no refunds” clause doing exactly that, and the entire fix was adding that one carve-out and lining the refund policy up with the terms of service.

Beyond refunds, the ACCC also expects honest reviews, real scarcity, and prices that include compulsory fees. Fake countdown timers, invented “only 2 left” stock counts, and cherry-picked testimonials are exactly the conduct the regulator has been chasing. The ACCC’s consumer guarantees guidance is the source of truth here, and it is worth a read before you write a word of your refund page.

What about email marketing, hidden fees and subscription traps?

Two areas catch online businesses off guard, and one of them is about to get a lot stricter.

Email and SMS marketing sits under the Spam Act 2003 (Cth). Three rules: you need consent (it can be express, or reasonably inferred from an existing customer relationship), every message must identify your business, and every message must carry a working unsubscribe that you action within five business days. Buying a list almost never meets the consent test, so resist it.

The bigger shift is coming for pricing and subscriptions. The government introduced the Competition and Consumer Amendment (Unfair Trading Practices) Bill 2026 in April 2026, with a planned start of 1 July 2027. If it passes, it bans “drip pricing” (revealing mandatory fees late in checkout), targets “subscription traps” where signing up is easy but cancelling is deliberately hard, and adds a general ban on practices that manipulate buying decisions. You do not get to wait until 2027, though. The ACCC is already pursuing these under existing law, with penalties handed to cinema and travel booking businesses for late-revealed booking fees. If your checkout hides a fee until the final screen, or your cancel button is buried three menus deep, fix it now. The Treasury announcement spells out the direction of travel.

What we see in Lawpath consultations

Across hundreds of website and ecommerce consultations, the same handful of mistakes come up far more often than you would expect. None of them are exotic. All of them are avoidable.

The unenforceable “no refunds” clause. Sellers write it to feel protected. It does the opposite, because it cannot beat the consumer guarantees and can read as a misleading claim. The faster path is a clear returns policy that sits inside the law.

A privacy policy that describes a different business. Either it was copied from another site, or it has not been updated since the founder added Stripe, Klaviyo and a third-party warehouse. The policy has to match the tools you actually use and where customer data actually goes.

Terms built for the wrong model. A software platform using a generic goods template, or an online store using bare-bones terms that say almost nothing. The model decides the document. SaaS terms, goods terms and membership terms are not interchangeable, and using the wrong one leaves real gaps on payment, liability and dispute resolution.

Regulated products with off-the-shelf terms. Selling alcohol needs an age-restriction clause. Cosmetics need a compliance statement and a clear “not therapeutic” line. Importing from overseas suppliers makes you the “manufacturer” for consumer-guarantee purposes, which is rarely what the founder expected. The standard template gets you 80% of the way. The last 20% is where the risk lives.

How do you get your website legally compliant?

Work through it in order. Each step is small on its own.

  1. Sort your business basics. If you trade under a name that is not your own, register it with ASIC. A .com.au or .au domain needs an ABN or ACN. These take minutes and underpin everything else.
  2. Map what your site does. Do you collect data, take payment, run a mailing list, host user content? Each “yes” points to a document.
  3. Put the core three in place. Privacy policy, website terms, refund policy. Customise them to your business, do not paste them from elsewhere.
  4. Make them findable. Link your policies in the footer so they appear on every page. A policy nobody can find barely counts.
  5. Lock down payments. If you take card payments, your provider’s PCI DSS obligations apply (the current standard is version 4.0.1). Using a reputable gateway like Stripe or PayPal handles most of this for you.
  6. Add the EU layer if you need it. Selling to or tracking customers in Europe or the UK pulls in the GDPR, which means a GDPR privacy policy on top of your Australian one.

None of this needs a six-week legal project. Lawpath puts the core documents in one place so you can build, customise and download them in minutes, and talk to a lawyer when a clause needs tailoring. That is the whole point: legal, sorted fast, without the firm-sized bill. Over 650,000 Australian businesses have used Lawpath to get this kind of admin off their plate, with a library of more than 550 document templates to pull from.

Do I need legal documents for a simple informational website?

Usually yes. The moment your site has a contact form, a newsletter signup, or analytics running, you are collecting personal data and should have a privacy policy. If you publish advice or opinions, a disclaimer protects you from readers who rely on them. A brochure site still has website legal requirements.

Do I need a privacy policy if I only use Google Analytics or a mailing list?

Yes. Both collect personal information, and Google’s own terms require a privacy policy when you use Analytics or its advertising features. Your policy should name the tools you use and explain what data they gather and where it goes.

Can I copy terms and conditions from another website?

No. Copied terms describe a different business, often misstate your refund process and data handling, and may breach the other site’s copyright. They tend to fail you on the exact issue you needed covered. Start from a template built for your business model and customise it.

Can I have a “no refunds” policy in Australia?

Not against the consumer guarantees. You can set a returns policy for change-of-mind purchases, but you cannot refuse a refund where goods are faulty, unsafe or not as described. A flat “no refunds” sign is unenforceable and can itself be a misleading claim under Australian Consumer Law.

How do I make a disclaimer statement for my website?

A disclaimer states the limits of what you are responsible for: that your content is general information, not professional advice, and that visitors rely on it at their own risk. Use a disclaimer if you publish guides, opinions or recommendations. The cleanest route is a template you tailor to what your site actually publishes.

What happens if I don’t meet website legal requirements?

It depends on which rule you miss. A serious privacy breach can reach tens of millions in penalties. Misleading consumers can draw ACCC action and fines up to $50 million for a company. Most disputes, though, are smaller: a customer complaint, a chargeback, or a refund you legally cannot refuse.

What legal documents do I need before I launch?

For most websites: a privacy policy, website terms and conditions, and a refund or returns policy. Add an email disclaimer if you send business email, and extra terms if you run ads or host user content. A bundle covers the common set in one go.

Are the requirements different for a law firm or professional services site?

The core set is the same, with a heavier focus on disclaimers and accurate claims. Professional sites publish advice, so a clear “general information only” disclaimer matters, and any qualifications or results you advertise must be genuine to stay clear of misleading conduct rules.

If your list of missing documents feels long, take a breath. This is normal for someone at launch stage, and none of it is hard once you have the right templates in front of you. You do not need to become a lawyer. You need to tick four or five boxes properly, once.

Get the core documents sorted today with Lawpath’s website legal package, then get back to building the business you actually came here to run.
