In Australia, all small businesses need to comply with a raft of laws in terms of operating their business and marketing to their clients.

In addition, certain small businesses with an annual turnover of less than $3 million already need legally compliant privacy policies in place and displayed on their websites.

Which small businesses are covered by the APP requirements?

The most common small businesses affected by the Privacy Act are:

  • Health service providers that provide services in relation to physical, emotional, psychological and mental health. These include traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals; complementary therapists, child care centres, private schools and private tertiary educational institutions.
  • Commonwealth contracted service providers that provide services to, or on behalf of, Australian or Norfolk Island government agencies under a Commonwealth contract or subcontract.
  • Reporting entities or authorised agents of a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) or its Regulations or Rules.

Small businesses caught under the Australian Privacy Principle (APP) Privacy Policy Guidelines from the OAIC must have privacy policies that include information about:

  • The kinds of personal information that you collect and hold.
  • How you collect personal information.
  • How you hold personal information.
  • The purposes for which you collect, hold, use and disclose personal information.
  • How an individual may access their personal information and seek correction of it. 
  • How an individual may complain if you or a contractor breaches the APPs or a binding registered APP code.
  • Whether you are likely to disclose personal information to overseas recipients (including a related body corporate), and the likely countries to which that information may be sent.

A reminder: If you target clients in the EU, then you also need to comply with the GDPR.

While not caught up by the APP, I had already chosen to comply with the guidelines and had a privacy policy in place that had been drafted by a lawyer.

The problem was that my policy was out of date and missed some of the areas now covered by the APP and the GDPR requirements. So, as my fabulous IT lawyer has now returned to the public rather than private practice (deep sigh of sadness here), I started to check out what templates (free and paid) were on the market.

I hoped to find one good supplier that I could send my clients to. I sank the equivalent of a flight to NY into paid templates across a number of suppliers, only to find there was not one on the market that covered all bases.

To save you time and money in case you want to review your privacy policy, here’s a quick rundown of the best on the market. I won’t cover the ones that were rip-offs or scams, but only discuss the best options I tested.

Free Privacy Policy Templates

WordPress (Free)

For free options, the latest version of WordPress, version 4.9.6, now has a privacy page generator built in, with a basic template included. You still need to extensively add more information to the template, but it is a start. Remember that the WordPress privacy policy is not fully compliant with the APP.

Here’s where to find it in your WordPress dashboard.

Victorian Government (Free)

Vic Business has a handy PDF template that is a good basic privacy policy. This works if your business is not covered by the APP or GDPR.

Legal Vision (Free)

This is another good basic privacy policy, but it doesn’t cover GDPR.

Lawpath (Free – sort of)

Lawpath is another site that you need to sign up for first. When you sign up, you get one free policy. You need to pay for any future policies at a subscription of $59 per month. You also have to pay if you want to be able to copy or edit the policy rather than retype the whole thing.

For a free policy, it was quite comprehensive but is not GDPR compliant. One of the best free options.

Paid Privacy Policy Templates

LawLive (Paid – Prices only available if you fill in your details)

This ancient website hides its prices behind a paywall (currently $89.90). The questions that the policy generator asks show that its policies are not GDPR or APP compliant. Save your money and pick up one of the free options.

Katie Horner’s “How to Get GDPR Compliant for US Based Bloggers & Solopreneurs” Course ($50US)

I was referred to this course by a colleague as there were a stack of templates included with the videos and checklists.

Katie’s course was one of the most practical I did, and I ended up merging a lot of the material from her templates into my policies. Well worth the money and is one I will be recommending to my businesses!

Termsfeed (Paid – You buy the clauses you need. My privacy policy came to $100US. Affiliate link, which means if you purchase anything I will receive a small commission. Thanks for your support.)

This was the standout winner for me. So much so that I ended up also buying their separate Terms and Conditions Policy, Cookies Policy and Disclaimer Policies (at additional cost).

Termsfeed were the first business that asked for feedback on their provisions, and rather than deflect they took the feedback on board.

Their policies were comprehensive, well written, nicely laid out, easy to tailor and covered things I hadn’t even considered.

Because they were so good, these are the policies I will be recommending to my businesses. After drafting my policies and discussing my feedback with them, I joined their affiliate program, so any purchases using the link above may generate a small commission back to my business. After all, I only want to recommend businesses to my clients that have a good product and are open to feedback.

Legal123 (Paid – $174.90)

These templates are the most heavily promoted in the Australian internet community, so I was hoping for good things. I stumped up my $174.90 for the full website package and ended up using approximately five paragraphs from 17 pages.

As they were only one of two businesses that requested feedback after purchase, I sent them the identical email that I sent to the other business.

They pointed me back to the OAIC guidelines, reminded me that their templates did not cover the GDPR, that no templates covered all businesses and offered a GDPR compliance review service at an additional fee.

They also suggested that the Termsfeed policies did not comply with APP guidelines. I have reviewed their policies against those by Termsfeed and can only see a few tiny paragraphs that were not included. That said, as I stated up front, I am not a lawyer, and if your business needs tailored policies you need to contact your lawyer.

While these were a good foundation, most of the businesses I work with will need more, so I don’t recommend them.

How did my policies end up?

No template meets all needs. My policies are founded on the TermsFeed and Katie Horner’s templates, with a dash of WordPress 4.9.6 and a smidge of Legal123 thrown in for good measure.

I will still run my final version past my lawyer for a final review, but these policies are good for now. Have a read over them to help you work out what you need to think about adding to your website privacy policy.

You can read our revised policies here:

Read more about Website Copyright notices here.


Ingrid Moyle

Ingrid Moyle (BA - Psych/Industrial Relations) is the Chief Web Wizard at Heart Harmony Communications. A self-confessed multipotentialite, Ingrid shamelessly blends her passions of human resources, psychology, web design and copywriting. When not hardwired to her computer, she quests for the perfect coffee while chasing virtual reality creatures across the backstreets of Brisbane.