
Privacy Policy – A Startup’s Guide


A good privacy policy is an important feature of a successful startup. Putting the legal requirements aside for a moment, it's good commercial practice to have a privacy policy for your business to follow. Not only will this put frameworks in place to guide your business, it will reassure your customers as to the safety of their personal information when engaging with your service or product.

Privacy law in Australia

The fundamental piece of legislation in Australia concerning privacy law is the Privacy Act 1988 (the Act), which is a federal statute that sets out privacy requirements in Australia. This legislation, however, does not apply to all businesses. At first instance, the Act only applies to businesses with an annual turnover of $3m or more. If your business has a turnover of less than $3m, then you're considered a "small business" for the purposes of the Act, and the Act does not apply. There are, however, some exceptions to this rule. For example, health service providers, credit reporting agencies, and businesses that operate a residential tenancies database are all bound by the Act regardless of whether or not they are a small business. For a complete list of small businesses that the Act applies to, see https://www.oaic.gov.au/privacy/privacy-for-organisations/trading-in-personal-information/.

If you operate a small business to which the Act does not apply, then your legal privacy obligations are fairly minimal. Nevertheless, that doesn't mean that you should disregard privacy altogether. We recommend that all startups have a well-drafted privacy policy in place. This will not only provide assurance to your customers, it will also give you a framework to use when your business exceeds the $3m threshold.

What to include in your privacy policy?

The contents of a privacy policy will vary depending on the nature of your business. However, if you are operating in the tech space, there is a good chance you will be, at some point, collecting personal information about your customers. Therefore, there are certain topics that all startup privacy policies should address, regardless of your product or service.

1. The Privacy Act

If your business is governed by the Privacy Act, your privacy policy should commence with a statement disclosing this to your user and confirming that you will comply with all privacy obligations under the Act. Even if the Act doesn't apply because you are a small business, it is still useful to include such a statement. This means you don't need to amend and republish your privacy policy once you exceed the $3m threshold.

2. The types of information you are collecting, and how it is collected

As a simple starting point, all privacy policies should detail what information will be collected about your customer. At a minimum, this is likely to include the name and contact details of your customer, and possibly payment information such as credit card or bank details. Depending on the nature of your business, you should also consider whether you will be collecting information such as:

  1. Demographic information (e.g. age, country of birth, occupation);
  2. Market information (e.g. interests or hobbies);
  3. Any health information such as allergies or special needs requirements; or
  4. Professional information such as business associates, suppliers, or client base.

Once you have detailed the type of information collected, you should also mention how you will be collecting it from the customer. For example, it may be collected when they fill out a registration form, when they input their payment details, or when they enter information for analysis as part of their use of the product. You should fully disclose all relevant processes so that your customer is made fully aware of when they are sharing their information with you.

3. How the information is stored and dealt with

Once you have explained what information you will collect and how you collect it, you should explain how the information will be stored. For most startups, this tends to be on cloud-based storage systems; however, many businesses still utilise paper files. When explaining your storage system, you should also assure your customer that there are mechanisms in place to protect the information.

Your privacy policy should also contain a robust outline on how the personal information will be used. Special attention should be paid to whether it will be shared with any third parties and, if so, for what purpose. It is common for businesses to share the personal information of their customers with third party service providers such as marketing consultants or professional advisors. If this is the case, this should be made clear in your privacy policy.

4. Cookies and analytics

If your business operates a website, it is likely that you will be using cookies and some sort of analytics, such as Google Analytics. Your privacy policy should disclose this to your customer, and contain an explanation of:

  1. What a cookie is, and how it collects information;
  2. What analytics platform you use; and
  3. How the analytics platform is used, and for what purpose.

5. Direct marketing

There is much commercial value to engaging in direct marketing with your customer base. This can be a useful way to keep them updated on new products or services, special deals, or industry developments. If you are planning on direct marketing, your privacy policy should disclose this to your customer. Not only that, it should also alert them that they have the option to opt out if they wish. 

6. Contact information 

Your privacy policy should contain information on how your customer can contact you if they have a question about your privacy policy, or if they believe you have breached your privacy policy. This demonstrates good faith to your customer and ensures that their concerns can be addressed in an efficient manner. 

Let us help

Here at Allied Legal, our commercial lawyers have drafted numerous privacy policies for a wide range of startups. If you need a privacy policy drafted, or if you have any queries about your privacy obligations under Australian law, give us a call on 03 8691 3111 or email us at hello@alliedlegal.com.au.


 
