Don’t Let Your Data Privacy Compliance Be A Blunder From Down Under

As with many countries around the globe, Australia has a data privacy law that affects the way in which companies can collect data from its residents. In many ways, Australia has been ahead of the curve, as the foundation of Australia’s privacy protocols came into effect in 1988, before the modern Internet as we know it today existed. Australia’s Privacy Act (“APA”) and the Australian Privacy Principles (“APP”) within the APA are intended to provide a basis for privacy regulation, facilitate the free flow of information outside of Australia while ensuring that individual privacy is respected, provide a complaint mechanism, and impose obligations regarding the collection and use of personal information. The APA is similar to many of the requirements of GDPR, but there are differences in the regulations that companies need to know in order to manage data from Australian residents in a compliant way.

You call that a privacy act?

Though the APA originally dates back to 1988, it has been amended more than thirty times as technology has evolved and become more complex. The APA regulates all companies, organizations and websites that operate in Australia and creates a national standard for collecting, processing and sharing personal information. The APA created the APPs, a set of thirteen codes of conduct that must be followed in order to be compliant with the APA. The APA and APPs are enforced by the Office of the Australian Information Commissioner (“OAIC”), Australia’s version of the EU’s Data Protection Board (“EDPB”).

Similar to GDPR, the APPs make a distinction between personal information and sensitive personal information, compared below:

Personal Information:

• Name

• Signature

• Addresses

• E-mail

• Phone number

• Social security numbers

• Date of birth

• Credit or bank information

• IP addresses and browser history

• Location data

Sensitive Personal Information:

• Racial or ethnic origin

• Political opinions

• Religious beliefs

• Sexual orientation

• Criminal history

• Health information

• Genetic data

• Biometric information

How is my website affected?

The APA requires a website to have an up-to-date privacy policy (known as an APP privacy policy) that informs users of how it collects and handles personal information. If you have a website, it’s likely that you run cookies (such as Google Analytics, Facebook Pixels, or Hotjar). Most cookies and trackers on your website will collect personal information from visitors and must therefore be disclosed in your APP privacy policy. Companies can struggle to have a compliant privacy policy on their website; however, if you have already updated your privacy policy for GDPR purposes, you’re well on your way to compliance.

The APPs state that your website is only allowed to collect and process personal information if it is reasonably necessary for, or directly related to, your website’s functions and activities, which must be clearly stated in your privacy policy. With sensitive personal information, websites must usually ask users for their express consent before collection. The APA outlines two different types of consent: express and implied. Express consent is the user's "open and obvious" decision to accept, whereas implied consent is the "reasonable belief" by websites, organizations and companies that they have the user's consent.

A principled approach

The APPs are thirteen codes of conduct created by the APA that websites, companies and organizations that operate in Australia must follow for compliance.

Small businesses may be exempt from APP and APA compliance; however, if a small business discloses personal information for “a benefit, service or advantage” then it does fall under the APA/APPs. Given how low a threshold this is, many small businesses need to comply.


The 13 APPs are:

1. open and transparent management of personal information

2. enabling user anonymity and pseudonymity

3. collection of solicited personal information

4. dealing with unsolicited personal information

5. notification of the collection of personal information

6. use or disclosure of personal information

7. direct marketing

8. cross border disclosure of personal information

9. adoption, use or disclosure of government related identifiers

10. quality of personal information

11. security of personal information

12. access to personal information

13. correction of personal information


All 13 principles are important, however we’ll go into further detail on those principles our customers ask about most.

Open and transparent management of personal information: This APP requires websites to have a clear and transparent privacy policy that includes:

• what types of personal information that your website collects, stores and shares;

• how your website collects personal information, for example through cookies;

• why you collect, store and share personal information;

• how your users can access the personal information you’ve collected on them;

• how your users can correct their personal information if wrong;

• whether or not you send users’ personal information overseas; and

• free and easy access to your privacy policy.


Collection of solicited personal information: This APP makes the distinction between personal information and sensitive personal information (as detailed above), and sets out the compliance requirements for each.

Notification of the collection of personal information: Generally, at or before the time of collection – or as soon as possible after – your website must notify users that you are collecting personal information. While this may sound like you need a cookie consent tool (commonly referred to as a cookie banner, not to be confused with a cookie wall), your website isn’t legally required to have one unless you collect sensitive personal information. A best practice here is to include a cookie consent tool, however that choice is one for your business to make.

Use or disclosure of personal information: If your website collects personal information on users and your privacy policy outlines only one purpose for its use, you are not allowed to use or disclose it for any other purpose unless you obtain your users’ consent to do so. Whatever your use of the data, make sure it is clearly outlined in your privacy policy.

Quality of personal information: As a website owner, you must ensure that the personal information you collect is accurate, up-to-date and complete.

Security of personal information: As a website owner, you must protect the personal information you collect from misuse, interference and loss, unauthorized access, modification or disclosure. That means you’ll need to implement proper security protocols to comply.

Access to personal information: You must empower individuals to request access to the personal information you have collected on them, free of charge and within a reasonable period of time.

Correction of personal information: You must empower individuals to request corrections of the personal information you have collected on them. You are also required to notify third parties of such correction requests.

New amendments to the Privacy Act coming in 2020

The Australian government has announced that it will amend the APA to increase fines for data breaches, and that it will create a whole new privacy code to regulate the collection and processing of personal information on digital platforms. It has also announced that a broad review of the APA will take place in 2020 to assess whether it adequately protects users’ privacy and their personal information online.


Key Takeaways

Australia’s data protection laws closely resemble GDPR, but there are nuances that your company needs to be aware of in order to comply. The framework consists of the Privacy Act and its Australian Privacy Principles. These require your website to have a clear and exhaustive APP privacy policy that lists all cookies, trackers and any other data collection tools embedded on your website by you or third parties.


How can I get my website compliant?

The APA is just one of many data privacy laws that exist today. Whether you need to comply with the APA, GDPR, CCPA, or any other data privacy law out there, Clym can help. Book a demo with one of our specialists today to find out how you can get your website compliant quickly and easily for one low monthly fee.