Skip to content

What is Privacy Law and How Should Businesses Handle Customer Data?

Co-Author by Vishaal Kudupudi

KEY INSIGHTS:

  • Privacy law governs how businesses collect, store, use, and disclose personal information, and most Australian businesses are subject to it.
  • A tailored privacy policy and staff training program protects your business far better than a generic template copied from another website.
  • Agreements with suppliers, contractors, and platforms should be reviewed specifically for how they handle your data.
  • Australian privacy law is currently undergoing significant reform, making early advice and precautionary measures more valuable than ever.

Understanding Privacy Law

Privacy law governs how organisations collect, store, use, and disclose personal information. In Australia, this is drawn from the Privacy Act 1988 (Cth) and the Australian Privacy Principles, which set the standards for how businesses must handle the personal and sensitive information of customers, employees, and anyone else they deal with.

If your business collects any kind of customer data, names, emails, payment details, or even browsing behaviour, this law likely applies to you. The Privacy Act has traditionally applied mainly to businesses with an annual turnover of at least three million dollars, along with Commonwealth government agencies, but recent and upcoming amendments are bringing more small businesses into scope every year. So even if you assume this doesn’t apply to you because of your size, it’s worth checking again.

In practice, privacy law shows up in areas such as:

  • How you collect and store customer data.

  • What is set out in your privacy policy?

  • How you handle complaints.

  • What happens when you share data with suppliers or software platforms?

  • How you respond if something goes wrong and you experience a breach.

 

Why This Matters More Than It Used To

Australian privacy law has changed significantly in the past two years, and there’s more change coming

New rules introduced under the Privacy and Other Legislation Amendment Act 2004 gave the privacy regulator, the Office of the Australian Information Commissioner (OAIC), stronger powers, including the ability to issue penalties of up to $50 million for serious breaches. The same reforms created a new right for individuals to sue businesses directly over serious invasions of privacy.

Put simply, a “set and forget” privacy policy can now expose businesses to real legal risks.

 

How to Handle Customer Data Correctly

If you’re running a business, you don’t need to become a privacy expert overnight. A few good habits take care of most of the risk. Start by only collecting what you need. If a customer’s date of birth or home address isn’t necessary to deliver your service, don’t ask for it. The less data you hold, the less you’re exposed to if something goes wrong. Be upfront about what you’re collecting and why; a short, honest line on a sign-up form or at checkout goes a long way with both your customers and the regulator.

You should also know exactly where your data lives, across spreadsheets, your CRM, email inboxes, and payment platforms, and think carefully about who has access to it. Not every staff member needs to see every customer record; access should reflect what someone needs to do their job, nothing more. Set a retention period and stick to it, since data you no longer need isn’t an asset sitting in reserve; it’s a risk with no upside.

Finally, have a plan for when something goes wrong, because at some point, it probably will. Knowing who to notify and how quickly, your customers and the regulator, is something worth working out in advance. The middle of a data breach is the worst time to be figuring that out for the first time.

 

The Risks of Using a Template Privacy Policy 

A privacy policy copied from another website rarely reflects how your business handles data, and regulators have started treating that mismatch as a warning sign. A policy that’s built around how your business operates holds up far better if something goes wrong, because it describes what you do rather than what a template assumes you do.

Just as important is making sure your team understands it, not just that it sits on your website looking official. A privacy policy only protects you in practice if the people handling customer data actually understand it.

 

Know What Your Agreements Actually Say

A lot of businesses assume their contracts already protect their data. Often, they don’t go beyond a single generic clause that sounds reassuring but doesn’t say much. This is especially true of agreements with suppliers, contractors and software platforms, where someone else is storing or processing your data on your behalf.

That distinction matters because you can still be on the hook if something goes wrong on their end, even if the breach itself wasn’t your fault.

A Commercial lawyer can help by reviewing these agreements line by line to find any gaps, vague obligations, or missing protections and to make sure the party handling your data is contractually required to keep it secure.

 

A Key Deadline Businesses Should Know About

If your Business uses automated tools to make decisions about people, such as in recruitment, pricing, or credit checks, there is an important legal deadline to be aware of. The requirement comes from the federal Privacy Act 1988 (Cth). Meaning it applies to eligible businesses across Australia, not just those in New South Wales.

This requirement comes from the new Australian Privacy Principle 1.7 introduced by the Privacy and Other Legislation Amendment Act 2004 (Cht). From 10 December 2026, businesses will need to specifically state in their privacy policy if they use automated systems to make or assist in making decisions about individuals, using their personal information where those decisions could significantly affect them.

 

How Can Coutts Help You?

Privacy law touches almost every part of how a modern business operates: from the data you collect at the point of sale to the systems you use to run day-to-day operations.

If you’re navigating privacy compliance, whether that’s building a policy that reflects your business, reviewing your supplier agreements, or preparing for the new automated decision-making disclosure rules, getting the right advice early can make all the difference.

Speak with our Commercial Law team to understand your options. Every business handles data differently: your business’s privacy law advice should be too.

 


ABOUT ADRIANA CARE:

Adriana is the Managing Partner for Coutts. She acts for large commercial financial institutions in relation to corporate governance, and the provision of retail and wholesale credit and funding facilities for both the commercial and consumer market.

She also acts for a range of ADIs, finance companies, vendor introduces and equipment lessors. She acts for a number of franchisors and franchisees, as well as small property developers, builders, and commercial property leases and debt recovery. Adriana has also worked in the fields of insolvency, commercial disputes and litigation and occupational.


For further information please don’t hesitate to contact:

Adriana Care
Managing Partner
adriana@couttslegal.com.au
1300 268 887

Contact our Coutts Lawyers today.

This blog is merely general and non-specific information on the subject matter and is not and should not be considered or relied on as legal advice. Coutts is not responsible for any cost, expense, loss or liability whatsoever in relation to this blog, including all or any reliance on this blog or use or application of this blog by you.

Contact Us