
Does My Business Need a Privacy Policy?

Commercial Law

There are many things to consider when writing your company's privacy policy, but the first question people usually ask is: do I need one at all? The short answer is "yes".

Every business, and every website that business operates, should have a privacy policy.

Organisations covered by the Privacy Act 1988 (Cth) are legally required to have a clearly expressed and up-to-date privacy policy, and they must make it freely available to anyone who asks for it. The Act does exempt many small businesses with an annual turnover of $3 million or less, but that exemption has important exceptions (for example, health service providers and businesses that trade in personal information), and even an exempt business that collects data will generally need a policy to satisfy the platforms it relies on and the customers it deals with.

What is a privacy policy?

A privacy policy is a public statement from your business to every individual whose personal information you collect. At a minimum it should explain clearly what personal information you collect, why you collect it, how it is used, stored and secured, and if and when it is disclosed to third parties (including overseas recipients).

Personal information that businesses commonly collect includes (but is not limited to):

  • Names
  • Addresses (physical or e-mail)
  • IP addresses and device identifiers
  • Telephone numbers
  • Date of birth
  • Financial information, such as debit or credit card details
  • Browsing behaviour
  • Political opinions
  • Biometric information, including facial recognition data
  • Medical records and other health information
  • And more

What kind of businesses need a privacy policy?

Every business that collects any amount of data on the people who interact with it should have a privacy policy in place. Since most (if not all) websites use cookies and analytics to track how visitors behave on the site, it is safe to say that any business with an online presence needs one. The personal information a company holds about its own staff is also relevant here.

The moment you decide to handle personal information, you need to be able to show that you comply with the Australian Privacy Principles (APPs) set out in Schedule 1 of the Privacy Act 1988 (Privacy Act). Employers should note that the Act contains an employee records exemption for acts directly related to a current or former employment relationship, but it is narrow: it does not cover job applicants, contractors, or uses of staff data unrelated to employment, so a policy that covers how you handle employee information remains good practice.

Data may be collected through email, website landing pages, letters, in-person forms, phone calls, HR records and many other channels. If you collect personal information in any manner, you need a privacy policy. Furthermore, if your policy or your actual handling of data falls short of the APPs, you could face complaints to the Office of the Australian Information Commissioner, significant civil penalties for serious or repeated interferences with privacy, and even litigation against you or your company.

Why is it important to have a privacy policy?

There are several reasons why privacy policies are crucial.

First, as explained above, for most businesses it is a legal requirement. Without a comprehensive and accurate policy in place, you risk regulatory action and litigation. Large corporations such as Snapchat and Google have faced major regulatory action and lawsuits in the past over privacy practices that did not match what they told their users.

Second, many third-party platforms and services require you to have a privacy policy in place. For example, Google and Apple require you to publish a privacy policy if you wish to use certain of their products, such as Google Analytics or the App Store. Furthermore, even if your business is not consciously collecting data, services such as Google Analytics or AdSense collect it on your behalf, and your policy needs to disclose this.

Third, with data scandals regularly in the news, it is important to demonstrate your commitment to protecting your customers' privacy. More than ever, the public is on guard for bad practices by business, especially after high-profile cases such as Facebook's user data breaches and the 2019 Group FaceTime bug that let callers hear audio from a device before the call was answered.

A rigorous and robust approach to your policy sends a clear message to your customers: "We value your privacy".

Who needs access to my privacy policy?

By law, everyone whose personal information you collect must be able to access your policy, free of charge and in an appropriate form, and it must be kept up to date.

What key things do I need to include in my policy?

At a minimum, most privacy policies should cover the following.

  1. Age appropriateness: Whether minors can use your site or service without parental consent or supervision.
  2. Personal information: What information you collect, why you collect it, how it is handled, stored and secured, whether it is disclosed to third parties or sent overseas, and how users can access or correct their information or make a complaint.
  3. Cookie data: Make it clear that your site uses cookies and similar tracking technologies, and whether they are used for site functionality, accessibility, analytics or advertising.
  4. GDPR: Do you offer goods or services to, or monitor the behaviour of, people in the European Union? If so, the GDPR applies to you, and your privacy policy must address its requirements as well as the APPs.
  5. Changes: Have you changed the policy or the way you handle data? If so, you need to publish the updated policy and tell your users what has changed.

Drafting a privacy policy can be a demanding task, but for most businesses it is also a legal requirement. It is crucial to get expert advice on how to create one that protects not only your business but also your customers' data.

For a free consultation on how to create a compliant privacy policy, contact the dedicated team at AV Lawyers today.
