When did you last think about your Privacy Policy? Never? It’s not surprising. Small business owners have their priorities pulled in many different directions, and their Privacy Policy usually isn’t anywhere near the top of the list. A privacy policy is one of those things where you don’t realise how important it is until it’s too late. If you’re debating whether you need a Privacy Policy, read this first.

When I speak with small business owners about their legal obligations, their Privacy Policy usually has one or more of the following issues to address.


  1. They don’t have a Privacy Policy

Every business needs a privacy policy. If you’re collecting personal details via a website, Facebook ad, paper form, website cookie or any other means, your business needs a policy for collecting and protecting that data.

In Australia, the Privacy Act 1988 (the Privacy Act) is the legislation that sets out the obligations for handling personal information about individuals.

The General Data Protection Regulation (GDPR) in the European Union is very specific in its protection of the privacy of EU residents and those with an IP address located in the EU, whilst the California Consumer Privacy Act (CCPA) also gives individuals more control over the personal information collected by businesses.

Though your business operates from Australia, if you are:

  • conducting business online
  • open to accepting business or subscribers from other countries
  • collecting data of any kind online from customers or visitors that may be located in the EU

then GDPR laws apply to you. I’ve got a quick and useful checklist you can download to check your compliance with GDPR requirements. Download it here.

There are sizable fines for breaching Privacy Acts, so complying is essential.


  2. Having a privacy policy but not following it

A Privacy Policy means little if it’s added to your website and you don’t follow it. Adding a policy from a website provider without reading it is risky. The policy may cover obligations for a country you don’t operate in or set requirements for your business that you can’t or won’t follow.

It’s not uncommon to hear that a client has copied and pasted a Privacy Policy from a friend or competitor’s website. Whilst I understand that a custom-drafted Privacy Policy may be out of reach for many small businesses, you need to have a policy that reflects YOUR business, not someone else’s.

Your business procedures should reflect what your Privacy Policy has said it will do. Don’t risk your business by using someone else’s policy.


  3. Making their privacy policy difficult to understand

Privacy Policies don’t have to be complicated. If the policy is too difficult for you to understand, how will you implement it in your business procedures?

There are some essential factors that you should understand, including:

  • what personal information includes,
  • how you collect that personal information and
  • what you do with it, including storage.

Avoid legalese, and don’t overcomplicate it. Yes, you have a variety of obligations to consider for privacy, but complicating it will make it harder to follow.


  4. Not understanding what procedures need to support the policy

When you’re writing or updating your Privacy Policy, this is an excellent opportunity to reflect on what processes you have in place and if you can improve them.

For example, ‘We take your credit card details and store them in our filing cabinet in the office.’ doesn’t sound professional or secure when written down. (If this is your current practice, please improve it immediately.)

Small businesses are likely collecting and storing information in a variety of places, including:

  • Through websites
  • Through social media
  • Stored in their CRM
  • Stored in their phone
  • Stored in paper files
  • Collected and stored in their email

How you then use each of these platforms needs to tie in with your privacy obligations. For example, if you use contractors or overseas virtual assistants (VAs), do you have processes in place that ensure you continue to follow your privacy policy?


  5. Not considering the privacy of everyone interacting with the business

Privacy requirements apply to all the people who interact with your business, not just customers. Your Privacy Policy should reflect how you manage obligations for many individuals, including, but not limited to:

  • clients & customers
  • potential clients
  • contractors
  • employees
  • visitors
  • volunteers
  • suppliers

Consider each area of your business in the Privacy Policy.

Do you have client lists up in an office that others can see?

Do you store client details in a filing cabinet or on your desktop?

Are you providing customer details to a third party, etc.?


  6. Not updating their privacy policy when needed

Businesses change and grow over time. You’ve almost certainly changed how you use and manage personal information if you’ve been in business for a year or two.

Have you added new products or services, started a joint venture, or started working with contractors or new technology? It could be time to update your Privacy Policy.

Don’t forget, laws change over time too. Put a time in your calendar to review your policy, update it as needed, or get practical legal advice to make it effective for your small business.


A well-drafted template for small business will likely cover your privacy obligations and the legal requirements for a suitable Privacy Policy. The Love Your Legals collection of policy and contract templates has helped many small business owners quickly and easily get a policy that will help them rest easy, knowing they’ve made a wise, affordable investment for their business.