It is vitally important for your business to have a privacy policy. In this guide, we’ll step you through what you should include in your privacy policy and you’ll hear from an experienced eCommerce lawyer.
This article will be particularly helpful for new businesses. Whether you sell goods or services, it's important to inform the people you interact with how your business will handle their personal information.
What is a privacy policy?
A privacy policy is a document that states in clear terms how your company handles the personal information of your customers.
If your business is covered by the Privacy Act 1988 (Cth), you must have a stated privacy policy. Some eCommerce platforms and search engines also require businesses to have a privacy policy available to their customers.
Generally, the Privacy Act covers organisations operating in Australia and having an annual turnover of more than $3 million.
You can print your privacy policy on paper, make it available to everyone on your website, or have it displayed on your customers’ mobile devices.
Information Your Privacy Policy Should Provide
There are a number of things that your privacy policy should contain. For more detailed guidance, you should talk to an eCommerce lawyer.
The Privacy Policy of your organisation must inform your customers of:
- Your name
- Your contact details
- What personal information you are collecting and storing
- How you are collecting the personal information
- Where you are storing it
- The reasons for collecting such personal information
- How you will use and disclose such information
- How your customers can access their personal information
- How they can ask for a correction
- How your customers can complain if they feel that their information is being mishandled
- How you can handle customer complaints
- If you are likely to disclose customer information outside Australia, the countries to which you are likely to disclose it
If your organisation’s privacy policy states that you are likely to send the personal information of your customers overseas, and something goes wrong, your eCommerce business might be held legally responsible for it.
In that case, you should talk to an eCommerce lawyer.
Things Your Privacy Policy Should Include
There are a set of things that you must include in your privacy policy to avoid legal complications.
If you are unsure, always talk to an eCommerce lawyer.
For instance, your privacy policy should include information like the duration for which you are going to keep the personal information of your customers with you and whether it will be scanned. For your convenience, we have put together a list containing the most important things that you should include in your privacy policy:
In the opening statement of your privacy policy, you should mention your organisation’s commitment to maintaining the confidentiality of the information that you are going to collect.
You should also include the necessary documents that show your compliance with the Privacy Act, the Australian Privacy Principles, and other privacy obligations that are relevant to your business, like the Privacy (Credit Reporting) Code 2014.
An eCommerce lawyer can help you to draft an opening statement in your privacy policy.
Collection and Use of Personal Information
In this section, you should mention in detail:
- What is personal information
This is information about an individual who is identified or reasonably identifiable from it.
- What type of personal information your business is collecting
This information can include name, phone number, email address, social media profile, employment history, etc. You should also provide details of the information that is collected through apps and websites, such as the date and time of website access, IP addresses, location information, and cookies.
- How your business has collected that information
Here, you can inform your customers that you may collect their information directly from them, from a third-party provider, from any publicly available source, or through cookies.
- Why you have collected that information
Explain whether such information helps you improve your products and services, expand your marketing, design personalisation, etc.
Each of these points is vitally important and you should consult with an eCommerce lawyer to understand how each of these requirements relates to your eCommerce business.
Collection and Use of Sensitive Information
In this part of the Privacy Policy, you must define the term ‘sensitive information’. This is usually information related to an individual’s ethnic or racial origin, religious beliefs, political opinion and/or association, sexual orientation, professional association, membership of a trade, health information, criminal records, etc.
While explaining this point, you must state that such sensitive information is collected only when the individual consents to providing it. You should also clarify that this information will be used only for the original purpose of collection.
If you are unsure how your eCommerce business can collect and use sensitive information, you should contact an eCommerce lawyer.
Disclosure of Personal and Sensitive Information
In this segment, you need to describe when, why and to whom you might disclose the personal information of your customers. For instance, you might have to share it with your contractors and marketers.
You might need to provide their information to data analysis services such as Google Analytics, or present it to authorities and/or courts as required by law. You also need to state whether the information is likely to be disclosed overseas and, if so, what impact that will have on data protection.
Storage/Security of Personal Information
In this section of your privacy policy, you should state how you are storing and protecting your customers’ personal information, for example through encryption.
You should state how long you are going to keep the information. Your eCommerce business should also explain whether you combine the personal information of individuals in a single file or store it separately.
An eCommerce lawyer can help you to frame the wording of your privacy policy.
Access to and Correction of Personal Information
It is very important to include in your Privacy Policy that every individual has the right to access their personal information held by your business. They can also request to change, update, or correct that information if required.
Enquiries and Complaints
You must describe the enquiry and complaint process in detail in your Privacy Policy. You should also explain the additional steps that individuals can take if they are unsatisfied with the result of an enquiry or complaint.
For example, you can guide them first to an external dispute resolution scheme and then to the Office of the Australian Information Commissioner.
You must also provide a generic phone number and an email address for your customers to get in touch with you. These contact details should not change, irrespective of the staff member in charge.
A lawyer can provide legal advice on how to handle privacy complaints.
Review of Privacy Policy
Finally, you must include in your Privacy Policy a statement of your business’s commitment to keeping the privacy policy up to date and to publishing every change you make to it through all the channels on which it is available.
Privacy Policies in Summary
While creating your Privacy Policy, you need to set out everything carefully to avoid legal complications. You must also update your privacy policy if your information handling practices change.
You can publish your updated privacy policy on your website, send it to your customers by email, or post a hard copy to their physical address.
Frequently Asked Questions
Is a privacy policy legally required in Australia?
Yes, in Australia, having a privacy policy is often legally required. The Privacy Act 1988 (Cth) governs the handling of personal information. The Act includes the Australian Privacy Principles (APPs). These set out the standards, rights, and obligations for the handling, collection, use, and disclosure of personal information.
Under the Privacy Act, entities covered by the Act are generally required to have a privacy policy that outlines how they manage personal information. This policy should cover various aspects, including the type of personal information collected, how it is used and disclosed, security measures in place to protect the information, and how individuals can access and correct their personal information.
It’s important to note that specific obligations may vary depending on the size and nature of the organisation, as well as the kind of personal information it handles. Entities that are covered by the Privacy Act may face penalties for non-compliance, so it’s crucial to ensure that privacy practices align with the legal requirements.
What are the key elements that should be included in a privacy policy?
A privacy policy should include the following key elements:
- Types of personal data collected: The privacy policy should clearly state the types of personal data that are collected from users, such as name, email address, physical address, IP address, and other relevant information.
- Purpose of data collection: The policy should specify the reasons for collecting user information and how it will be used. This may include providing services, improving user experience, or marketing purposes.
- Data storage and security measures: The policy should outline how long the data will be stored, where it will be kept, and the security measures taken to protect the data.
- Third-party sharing: If the data is shared with any third parties, the policy must disclose this, including who the third parties are and why the data is being shared.
- Enquiry and complaint process: The policy should detail how users can raise enquiries or complaints about their data, and what steps they can take if they are unsatisfied with the outcome.
- Updates to the policy: The policy should specify that it can be updated from time to time, and how users will be notified of these updates.
Why is it important to update the privacy policy if information handling practices change?
It’s crucial to update the privacy policy when information handling practices change to maintain transparency with users and ensure compliance with the law. This includes changes in the types of data collected, how the data is used, where it’s stored, what security measures are in place, and whether the data is shared with third parties.
By keeping users informed of these changes, you can maintain their trust and avoid potential legal complications.