Australian Privacy Legislation: A Complete Guide
Learn about Australian privacy legislation, including the Privacy Act 1988, APPs, and compliance steps for businesses handling personal information.
Australian privacy legislation sets the rules for how businesses and government agencies handle personal information. If you operate a website that collects data from Australian users, understanding these laws is not optional. Failing to comply can result in penalties reaching tens of millions of dollars.
This article is for educational purposes only and does not constitute legal advice. For guidance specific to your situation, consult a qualified Australian privacy lawyer.
What Is Australian Privacy Legislation?
Australian privacy legislation refers primarily to the Privacy Act 1988 (Cth), the federal law that governs the collection, use, storage, and disclosure of personal information. The Act was significantly amended in 2014 to introduce the 13 Australian Privacy Principles (APPs), which replaced the earlier National Privacy Principles and Information Privacy Principles.
The Privacy Act is administered and enforced by the Office of the Australian Information Commissioner (OAIC). The OAIC investigates complaints, conducts assessments, and can seek civil penalty orders through the Federal Court.
Personal information under the Act means any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether it is recorded in a material form or not. This definition is intentionally broad and captures names, email addresses, IP addresses, location data, and behavioural information collected through cookies and analytics tools.
Who Must Comply With Australian Privacy Legislation?
Not every business falls under the Privacy Act. The Act applies to what it calls "APP entities," which include:
- Australian Government agencies (bound by all 13 APPs)
- Private sector organisations with annual turnover exceeding AUD 3 million
- Health service providers, regardless of turnover
- Businesses that trade in personal information, such as data brokers
- Credit reporting bodies and credit providers
- Contractors providing services under a Commonwealth contract
- Small businesses that have opted in to coverage under the Act
Even if your business has turnover below AUD 3 million, you may still be caught if you fall into one of the special categories listed above. The Australian Government's ongoing Privacy Act review has proposed removing the small business exemption entirely, which would bring all businesses under the Act's scope.
State and Territory Privacy Laws
Beyond the federal Privacy Act, several Australian states and territories have their own privacy legislation:
- Victoria: Privacy and Data Protection Act 2014, Health Records Act 2001
- New South Wales: Privacy and Personal Information Protection Act 1998, Health Records and Information Privacy Act 2002
- Queensland: Information Privacy Act 2009
- Australian Capital Territory: Information Privacy Act 2014
These laws apply to state government agencies rather than private businesses, but they are relevant if you contract with state governments or handle health records in those jurisdictions.
The 13 Australian Privacy Principles Explained
The APPs form the backbone of Australian privacy legislation. They are organised into five groups covering the full lifecycle of personal information.
Consideration of Personal Information (APPs 1 to 2)
APP 1: Open and transparent management. Organisations must manage personal information openly and transparently. This requires maintaining a clearly expressed, up to date privacy policy that is freely available. The policy must describe the kinds of information collected, how it is collected, the purposes of collection, how individuals can access and correct their information, and how complaints are handled.
APP 2: Anonymity and pseudonymity. Individuals must have the option to remain anonymous or use a pseudonym when dealing with your organisation, unless it is impractical to do so or a law requires identification.
Collection of Personal Information (APPs 3 to 5)
APP 3: Collection of solicited personal information. Organisations may only collect personal information that is reasonably necessary for their functions or activities. Sensitive information (including health data, racial or ethnic origin, political opinions, and biometric data) requires consent and must be reasonably necessary.
APP 4: Dealing with unsolicited personal information. If you receive personal information you did not ask for, you must determine whether you could have collected it under APP 3. If not, you must destroy or de-identify it as soon as practicable.
APP 5: Notification of collection. At or before the time of collection, you must take reasonable steps to notify individuals about who you are, why you are collecting the information, what you will do with it, and who you may disclose it to.
Dealing With Personal Information (APPs 6 to 9)
- APP 6 restricts use and disclosure to the primary purpose of collection, with limited exceptions
- APP 7 prohibits direct marketing unless specific conditions are met, including providing an opt-out mechanism
- APP 8 requires that cross-border disclosures meet Australian privacy standards
- APP 9 governs the adoption, use, and disclosure of government-related identifiers
Integrity of Personal Information (APPs 10 to 11)
APP 10 requires organisations to take reasonable steps to ensure personal information is accurate, up to date, and complete. APP 11 mandates reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. When information is no longer needed for any purpose under the APPs, it must be destroyed or de-identified.
Access and Correction (APPs 12 to 13)
Individuals have the right to access their personal information held by an organisation (APP 12) and to request correction of inaccurate, out of date, incomplete, irrelevant, or misleading information (APP 13). Organisations must respond to access requests within 30 days.
Australian Privacy Legislation and Website Compliance
Running a website that collects data from Australian visitors brings specific compliance obligations. Here is what you need to address.
Privacy Policy Requirements
Under APP 1, your website must display a privacy policy that covers:
- The types of personal information you collect (names, emails, IP addresses, cookie data)
- How and why you collect it (contact forms, analytics, advertising pixels)
- How you use and disclose it
- Whether information is sent overseas and to which countries
- How individuals can access or correct their information
- Your complaint handling process
A privacy policy generator can help you create a compliant policy that covers these requirements, though you should have it reviewed by a lawyer familiar with Australian privacy legislation.
Cookie and Tracking Consent
The Privacy Act does not contain a cookie-specific consent mechanism like the EU's ePrivacy Directive. However, cookies that collect personal information (such as analytics tools that record IP addresses or advertising pixels that build user profiles) fall within the Act's definition of personal information. This means:
- You must disclose cookie use in your privacy policy
- Collection must be reasonably necessary for your functions
- You should notify users about tracking at or before the point of collection
- Sensitive information collected via tracking requires consent
The OAIC has indicated that best practice includes providing clear notice about cookies and offering users meaningful control over non-essential tracking. While not strictly required by current law, a cookie consent mechanism demonstrates good privacy practice and positions you well for anticipated legislative reforms.
Notifiable Data Breaches Scheme
Part IIIC of the Privacy Act established the Notifiable Data Breaches (NDB) scheme in February 2018. If your organisation experiences a data breach likely to result in serious harm, you must:
- Conduct a reasonable assessment within 30 days
- Notify the OAIC if the breach is likely to cause serious harm
- Notify affected individuals with details about the breach, the information involved, and recommended steps
Failure to comply with the NDB scheme can attract civil penalties. In 2023, the OAIC took enforcement action against Medibank following a breach affecting 9.7 million individuals, seeking penalties that underscored the seriousness of these obligations.
Penalties Under Australian Privacy Legislation
The Privacy Amendment (Enforcement and Other Measures) Act 2022 significantly increased penalties for serious or repeated privacy breaches. The maximum civil penalty for a body corporate is now the greatest of:
- AUD 50 million
- Three times the value of the benefit obtained through the breach
- 30% of adjusted turnover during the relevant period
For individuals, the maximum penalty is AUD 2.5 million. These penalties place Australian privacy legislation on a comparable footing with the GDPR, which imposes fines of up to EUR 20 million or 4% of global annual turnover.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowThe OAIC also has the power to:
- Accept enforceable undertakings
- Make determinations requiring organisations to compensate individuals
- Seek injunctions through the Federal Court
- Issue infringement notices for specific contraventions
Notable Enforcement Actions
Several high-profile cases illustrate the OAIC's enforcement approach:
- Clearview AI (2021): The OAIC found Clearview AI breached APPs 2, 3, 5, and 11 by scraping Australians' facial images without consent
- 7-Eleven (2021): Found to have collected customers' facial images through in-store tablets without adequate notice
- Medibank (2023): Enforcement proceedings following a breach affecting 9.7 million customers, with the OAIC seeking substantial penalties
Proposed Reforms to Australian Privacy Legislation
The Australian Government's review of the Privacy Act, which began in 2020, has proposed significant reforms. Key proposals include:
- Removing the small business exemption, bringing all businesses under the Act
- Introducing a right to erasure similar to the GDPR's right to be forgotten under Article 17
- Introducing a direct right of action, allowing individuals to sue for privacy breaches without going through the OAIC
- Strengthening consent requirements for targeted advertising and profiling
- Introducing a statutory tort for serious invasions of privacy
- Requiring privacy impact assessments for high-risk activities
- Expanding the definition of personal information to explicitly include technical identifiers such as IP addresses and device fingerprints
The Government agreed or agreed in principle to most of the review's 116 proposals. Legislative change is expected to roll out in stages, with some amendments already introduced. Businesses should prepare for a stricter privacy regime that more closely aligns with international standards like the GDPR.
Steps to Comply With Australian Privacy Legislation
Follow these steps to bring your website and business into compliance with the Privacy Act and APPs.
Audit your data practices. Map what personal information you collect, where it comes from, where it is stored, who has access, and who you share it with. Include cookies, analytics tools, and third-party integrations.
Draft or update your privacy policy. Use the requirements under APP 1 to create a comprehensive, plain-language privacy policy. Tools like a privacy policy generator provide a solid starting point.
Review collection practices. Ensure you only collect personal information that is reasonably necessary. Remove unnecessary form fields, disable tracking you do not actively use, and audit third-party scripts on your website.
Implement notice at the point of collection. Display clear notices explaining what you collect and why. For websites, this includes cookie notices and form-level disclosures.
Secure personal information. Implement appropriate technical measures such as encryption, access controls, and regular security testing. APP 11 requires security that is reasonable in the circumstances.
Establish a data breach response plan. Document your process for identifying, assessing, and notifying data breaches under the NDB scheme. Include roles, responsibilities, escalation paths, and notification templates.
Set up access and correction processes. Create a clear process for individuals to request access to their personal information or corrections under APPs 12 and 13. Respond within 30 days.
Train your team. Ensure everyone who handles personal information understands their obligations under the APPs.
TermsBox offers a compliance scanner that can identify cookies and trackers on your website, helping you understand what personal information your site collects and whether your privacy policy accurately reflects those practices.
Australian Privacy Legislation Compared With GDPR and CCPA
Understanding how Australian privacy law compares with other major frameworks helps businesses operating across multiple jurisdictions.
| Aspect | Privacy Act 1988 (Australia) | GDPR (EU/UK) | CCPA/CPRA (California) |
|---|---|---|---|
| Scope | Organisations with turnover above AUD 3M (plus exceptions) | Any entity processing EU/UK residents' data | Businesses meeting revenue, data volume, or data sale thresholds |
| Consent standard | Required for sensitive information; notification for other data | Required for most non-essential processing | Opt-out model for data sales; opt-in for sensitive data |
| Right to erasure | Not currently in Act (proposed) | Article 17 right to erasure | Right to deletion under Section 1798.105 |
| Breach notification | 30 days to assess, then notify OAIC and affected individuals | 72 hours to notify supervisory authority | Notification without unreasonable delay |
| Maximum penalty | AUD 50M, 3x benefit, or 30% turnover | EUR 20M or 4% global turnover | USD 2,500 to USD 7,500 per intentional violation |
| Cookie consent | Not explicitly required (best practice) | Required for non-essential cookies | Not explicitly required |
For businesses serving users in multiple countries, the practical approach is to build privacy practices that meet the strictest applicable standard. A robust privacy policy, clear consent mechanisms, and strong data security will satisfy requirements across all three frameworks.
Frequently Asked Questions
What is the main Australian privacy legislation?
The Privacy Act 1988 (Cth) is the main federal law governing personal information in Australia. It establishes 13 Australian Privacy Principles (APPs) that regulate how organisations collect, use, store, and disclose personal information.
Who must comply with the Australian Privacy Act?
The Act applies to Australian Government agencies, private sector organisations with annual turnover above AUD 3 million, and certain smaller organisations such as health service providers, businesses trading in personal information, and contractors providing services under a Commonwealth contract.
What are the penalties for breaching Australian privacy legislation?
Serious or repeated breaches can attract civil penalties of up to AUD 50 million, three times the benefit obtained from the breach, or 30% of the organisation's adjusted turnover during the relevant period, whichever is greatest.
Does Australian privacy legislation require a privacy policy?
Yes. APP 1.4 requires every APP entity to have a clearly expressed, up to date privacy policy that explains how the organisation manages personal information. The policy must be available free of charge and in an appropriate form.