compliance, startups, security

Your Website Probably Breaches Australian Privacy Principles

Contact forms, analytics tools, and outdated privacy policies create Australian Privacy Principles breaches on most business websites. Here's what to fix first.

Robbie Cronin · 5 min read

Australian Privacy Principles and Your Website

Your website is the most visible place you collect personal information. And it's where most Australian Privacy Principles breaches start.

Not from hackers. Not from some sophisticated attack. From a contact form that collects too much. A cookie banner that doesn't work. An analytics tool sending data overseas without anyone realising.

If you run an Australian business with a website (so, every business), the APPs apply to what's happening on that site right now. Here's what to check.

Your Forms Are Probably Collecting Too Much Under the Australian Privacy Principles

APP 3 says you can only collect personal information that's reasonably necessary for what you do. Most business websites ignore this completely.

Look at your contact form. Do you ask for a phone number when email would do? Do you collect a company name, job title, and address just to send a quote? Every field you add is data you have to protect, report if breached, and justify collecting in the first place.

The APP 3 Test for Every Form Field

For each field on every form, can you explain why you need it? If the answer is "it was in the template" or "marketing wanted it," that's not a business reason. Remove it.

This also applies to job application forms, newsletter signups, and account creation flows. The less you collect, the less you have to secure, and the less damage a breach can do.

Your Analytics Might Be Sending Data Offshore Without You Knowing

APP 8 covers overseas disclosure of personal information. If you're using analytics, chat widgets, or marketing tools hosted outside Australia, you're probably disclosing personal data overseas. That's fine, but only if you've taken reasonable steps to ensure the overseas recipient handles the data consistently with the APPs.

In practice, this means checking where your tools actually store data. Google Analytics sends data to the US. So do most live chat tools, email marketing platforms, and CRM systems. You need to know which ones, and you need contracts (or at minimum, privacy policies from those vendors) that commit to APP-equivalent protections.

15-30 SaaS tools touch customer data on a typical SME website, and most SMEs have no idea which of those tools disclose personal information overseas.

Most SMEs have no idea which of their 15-30 SaaS tools touch customer data from the website. That's the gap auditors and insurers are starting to ask about.

Your Privacy Policy Probably Doesn't Match What You Actually Do

APP 1 requires an up-to-date privacy policy that accurately describes how you handle personal information. APP 5 requires you to notify people at or before the point of collection about what you're collecting and why.

Here's what I see constantly: a privacy policy written three years ago by a lawyer, sitting in the footer, that describes a version of the business that no longer exists. You've added new tools, new forms, new integrations. The policy hasn't kept up.

Your privacy policy needs to list the types of personal information you collect, why you collect each type, who you share it with (including overseas recipients and which countries), and how someone can access or correct their data. If any of that has changed since the policy was written, it's out of date. And an out-of-date privacy policy is a breach of APP 1.

Update it whenever you add a new tool that touches customer data. That's the actual rule.

Cookie Banners Alone Don't Make You Compliant

A cookie consent banner is not a privacy compliance strategy. It's one small piece.

The APPs don't have a specific "cookie law" like the EU's GDPR. But cookies that collect personal information (and most analytics cookies do, especially with the broadened definition from the December 2024 amendments) still fall under the APPs. You still need to tell people what you're collecting, and you still need a lawful reason for it.

If your cookie banner says "we use cookies to improve your experience" and nothing else, that's not meaningful notification under APP 5. It needs to explain what data is collected, link to your privacy policy, and ideally give users a real choice.

December 2024 Amendments: Expanded Definition of Personal Information

The December 2024 amendments expanded what counts as personal information to include technical data like IP addresses, device identifiers, and location data. If your analytics collects any of that (it does), the APPs now clearly apply to it.

What to Fix This Week

You don't need a six-month project. Start with your website because it's the most exposed surface and the easiest to fix.

Website Privacy Fix: Three Steps This Week

1. Audit every form: remove fields you can't justify (APP 3)
2. List every third-party tool: check where each stores data (APP 8)
3. Read your own privacy policy: update it to match reality (APP 1)

Result: the most common website APP gaps closed

First, audit every form. Remove fields you don't need. If you can't justify collecting it, don't.

Second, list every third-party tool on your website. Analytics, chat, email capture, payment processing, heatmaps. Check where each one stores data. If it's overseas, make sure you have a data processing agreement or equivalent.

Third, read your own privacy policy. Does it match what your website actually does today? If not, update it.

These three things will close the most common website-related APP gaps. They take a few hours, not a few months. And they're the first things that come up in a compliance review or after a breach.
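A small audit helper for steps one and two, added here as an example and not part of the original post: it parses a page's HTML, lists the named fields of each form so every one can be put to the APP 3 "why do we need it" test, and lists every third-party host the page loads scripts, frames, images or stylesheets from, which is the starting list for the APP 8 overseas-storage check. The sample HTML, the placeholder hostnames and the site's own host name (`www.example.com.au`) are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page, not a real site; the gtag.js host is where Google Analytics loads from, the rest are placeholders
SAMPLE_HTML = """
<html><body>
<form action="/contact">
  <input name="email" type="email">
  <input name="phone" type="tel">
  <input name="company">
  <textarea name="message"></textarea>
  <input type="submit" value="Send">
</form>
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="/static/app.js"></script>
<iframe src="https://widget.chat.example.net/embed"></iframe>
<img src="https://cdn.marketing.example.org/pixel.gif">
</body></html>
"""

class PrivacyAuditParser(HTMLParser):
    """Collects the named fields of each form and every host other than the site's own."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.forms = []           # list of (form action, [field names])
        self.third_party = set()  # hosts that receive requests (and so visitor IP addresses) from the page

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append((a.get("action", ""), []))
        elif tag in ("input", "textarea", "select") and self.forms:
            if a.get("type") not in ("submit", "button", "reset"):  # buttons carry no visitor data
                self.forms[-1][1].append(a.get("name", "(unnamed)"))
        elif tag in ("script", "iframe", "img", "link"):
            host = urlparse(a.get("src") or a.get("href") or "").netloc
            if host and host != self.site_host:  # relative URLs have no host and are skipped
                self.third_party.add(host)

def audit(html, site_host):
    """Return the per-form field inventory (APP 3) and the sorted third-party host list (APP 8)."""
    parser = PrivacyAuditParser(site_host)
    parser.feed(html)
    return {"forms": parser.forms, "third_party_hosts": sorted(parser.third_party)}

if __name__ == "__main__":
    print(audit(SAMPLE_HTML, "www.example.com.au"))  # site host is an assumption
```

Run it against the live HTML of each page that carries a form, then take the host list to each vendor's privacy policy or data processing agreement to confirm where the data is stored.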

Your website is where your customers hand over their data. It should be the first place you get right.

Robbie Cronin

Fractional CTO helping non-technical founders make better technical decisions. Based in Melbourne.
