A good privacy policy is an important feature of a successful startup. Putting the legal requirements aside for a moment, it is good commercial practice to have a privacy policy for your business to follow. Not only will this put frameworks in place to guide your business, it will reassure your customers as to the safety of their personal information when engaging with your service or product.
The fundamental piece of legislation in Australia concerning privacy law is the Privacy Act 1988 (the Act), a federal statute that sets out privacy requirements in Australia. This legislation, however, does not apply to all businesses. In the first instance, the Act only applies to businesses with an annual turnover of $3m or more. If your business has a turnover of less than $3m, then you're considered a "small business" for the purposes of the Act, and the Act does not apply. There are, however, some exceptions to this rule. For example, health service providers, credit reporting agencies, and businesses that operate a residential tenancies database are all bound by the Act regardless of whether or not they are a small business. For a complete list of small businesses to which the Act applies, see https://www.oaic.gov.au/privacy/privacy-for-organisations/trading-in-personal-information/.
If you operate a small business to which the Act does not apply, then your privacy obligations are, legally speaking, fairly minimal. That doesn't mean, however, that you should disregard privacy altogether. We recommend that all startups have a well-drafted privacy policy in place. This will not only provide assurance to your customers, it will also give you a framework to use once your business exceeds the $3m threshold.
The contents of a privacy policy will vary depending on the nature of your business. However, if you are operating in the tech space, there is a good chance you will be, at some point, collecting personal information about your customers. Therefore, there are certain topics that all startup privacy policies should address, regardless of your product or service.
If your business is governed by the Privacy Act, your privacy policy should open with a statement disclosing this to your users and confirming that you will comply with all privacy obligations under the Act. Even if the Act doesn't apply because you are a small business, it is still useful to include such a statement. It means you won't need to amend and republish your privacy policy once you exceed the $3m threshold.
As a simple starting point, all privacy policies should detail what information will be collected about your customer. At a minimum, this is likely to include the name and contact details of your customer, and possibly payment information such as credit card or bank details. Depending on the nature of your business, you should also consider whether you will be collecting information such as:
Once you have detailed the type of information collected, you should also explain how you will collect it from the customer: for example, when they fill out a registration form, when they input their payment details, or when they enter information into the product itself for analysis. You should fully disclose all relevant processes so that your customer is made fully aware of when they are sharing their information with you.
Once you have explained what information you will collect and how you collect it, you should explain how the information will be stored. For most startups, this tends to be on cloud-based storage systems; however, many businesses still use paper files. When explaining your storage system, you should also assure your customer that there are mechanisms in place to protect the information.
Your privacy policy should also contain a robust outline of how the personal information will be used. Special attention should be paid to whether it will be shared with any third parties and, if so, for what purpose. It is common for businesses to share the personal information of their customers with third-party service providers such as marketing consultants or professional advisors. If this is the case, it should be made clear in your privacy policy.
If your business operates a website, it is likely that you will be using cookies and some sort of analytics, such as Google Analytics. Your privacy policy should disclose this to your customer, and contain an explanation of:
There is much commercial value in engaging in direct marketing with your customer base. This can be a useful way to keep them updated on new products or services, special deals, or industry developments. If you are planning on direct marketing, your privacy policy should disclose this to your customer. Not only that, it should also alert them that they have the option to opt out if they wish.
Your privacy policy should contain information on how your customer can contact you if they have a question about your privacy policy, or if they believe you have breached your privacy policy. This demonstrates good faith to your customer and ensures that their concerns can be addressed in an efficient manner.
Here at Allied Legal, our commercial lawyers have drafted numerous privacy policies for a wide range of startups. If you need a privacy policy drafted, or if you have any queries about your privacy obligations under Australian law, give us a call on 03 8691 3111 or email us at hello@alliedlegal.com.au.