Small business owners: Why you needed a privacy policy yesterday
If you are a small business owner, you may not be aware that there have been some significant changes to the Privacy Act 1988 (Privacy Act), with more likely coming, that you should know about and act on.
You’re busy and unless you’re a privacy enthusiast, this topic can be a bit of a snooze fest. Stick with me though, because there are already changes in place that must be reflected in your business practices now and there are more changes on the horizon.
You might remember the data breaches that occurred in 2022. You may have been affected by those breaches. While small businesses like yours and mine aren’t an Optus or a Medibank, the new rules apply to small businesses too and the further prospective changes could also remove the current small business exemption under the Privacy Act altogether.
If you answer yes to any of the following, then read on for information about how to protect yourself, your clients and customers and your business, now.
Does your business:
Ask for birth dates, maybe for age restricted products or services or to send out birthday promos?
Collect medical histories, health care provider or medicare details, maybe as a physio, allied health specialist or other?
Save email addresses for future communication, to send tickets, promotions or to send product links to?
Collect identity validating information (e.g. law firm, accounting firm, or similar)?
Sell any products, either digital products or physical products, online?
Collect credit card or banking information for payment - either directly or through third party payment processors like Paypal or Stripe?
Collect residential or business addresses?
If your small business already has a privacy policy, you want to make sure it is up to date.
If your small business doesn’t have a privacy policy, you should get on the frontfoot and get one.
Read on to learn what a privacy policy is, what your small business privacy policy should already have included and what to know about the additional obligations and changes that are on their way.
What is a privacy policy?
As business owners we have a responsibility to protect the personal information of others from misuse, theft, interference, loss or disclosure. A privacy policy outlines the details of the information you collect, what you use that information for and importantly, how you protect it.
Every business should have a privacy policy and it should be easily accessible on your website and available to send to any organisation or person who requests it.
Protecting the data you collect in your business
Businesses need to collect information for all sorts of legitimate reasons. Sometimes, we don’t even realise how much information we collect. In your business you may need to verify a customer or client’s identity, banking or financial details, health care details, medical history, even marriage status.
You may collect information for the purposes of payment or perhaps you offer incentives like birthday discounts or sell products that mean you need to confirm your client is over 18 to access a product or service.
The new recommendations do not mean that you can not collect that data anymore, but rather it is a reminder that you need to do it in a mindful, intentional way, and consider what you do with it once it’s in your possession. Part of that is making it clear to your customers or clients that you have considered the collection of their information, what you will do with it and how it will be protected and/ or stored.
While collection of information is potentially an asset, to be used for a multitude of business purposes including customer insights, personalisation of your marketing and a range of other tools. It is important to note it is also a potential liability.
There were some significant changes made to the Privacy Act by the Enforcement and Other Measures Bill 2022. Some of those should already be reflected in your small business privacy policy, if you have one.
The 2022 changes include greater investigative powers given to the Office of the Australian Information Commissioner (OAIC), bigger penalties for breaches of data and a wider scope for the application of the Act, including to all businesses operating within Australia, even if data is not collected within Australia.
Despite the 2022 changes, the Privacy Act still has a small business exemption, for now. To be classed as a small business under the Privacy Act, a business must have an annual turnover of $3 million or less. You can find the OAIC small business checklist (current as at July 2023) here.
Further, even if you make $3 million or less annual turnover, you may still need to apply with the Privacy Act if you operate certain types of business, such as private sector health service providers (including gyms and child care centres), government contractors, credit providers or reporting bodies, residential tenancy database operators or businesses that sell or purchase private information.
Changes ahead
In the paragraph above, I mentioned the small business exemption may cover you “for now”. The reason for this is that in addition to the 2022 changes to the Privacy Act, the government commissioned a review of the current privacy law and has made 116 recommendations (the Report).
We anticipate that a large majority of the recommendations in the Report will be adopted, particularly in light of the increase in cyberhacking and privacy breaches. No matter how you currently collect and handle data, the changes will more than likely require at least some investigation and possible changes to your processes and policies.
Below I have set out the top four recommendations that we believe will be adopted that you should be prepared for.
1. Removal of the small business exemption
Up until now, while it has been advisable for small business owners to have a privacy policy in place, it has not been mandatory. One of the more significant recommended changes to the Privacy Act is for it to be a legal requirement for all small businesses (any business with an annual turnover of less than $3 million) to have a privacy policy.
While this is not yet in place, if you already have a privacy policy for your small business, then congratulations, you are ahead of the pack. And, given the consequence of any privacy breach, it is advisable that every business has one ASAP rather than waiting for this to be a legal requirement.
Remember, a privacy policy is only going to protect you in the event of a breach, if it is up to date. With the changes recently made and more coming, it is critical that you ensure your policy is inline with the current legislation.
2. Business to have an obligation to ensure data collection or use is “fair and reasonable”
Collecting private data that means your business can operate effectively is necessary. However, what is important to consider, especially under the new recommendations, is why and how you store that data.
If the personal information collected is needed only for the original transaction or delivery, such as credit card details or a postage address, then it may be worth considering whether certain pieces of information need to be kept past the moment it is used. For example, if you collect a copy of a driver's licence to verify identity, you may wish to delete it once that verification has taken place so you no longer have the risk of the data being compromised.
As a former customer of Optus, I was distressed to hear they still held my licence and identity verification documents, long after they legitimately needed them.
The recommendations are clear on their suggestion that data needs to be handled in a “fair and reasonable” manner. If data is being stored by your small business, consider the following questions:
What is the purpose for storing this information?
Do we really need to store each piece of information for later reference?
Is the information being stored securely?
Is the data on a third party server or database?
Is that information stored offshore or within a server in Australia?
Taking an audit of your own business practices around the collection and storage of client and customer data will shine a light on the practices currently in place that may not conform with the “fair and reasonable” test.
Using a tool, such as our Privacy Impact Assessment Checklist will help you review and identify where you might need to make small changes to better protect your clients’ and customers’ data, and ultimately protect your business.
3. More rights to individuals to control their personal information
The Report also recommended that individuals be given greater control over their data. As part of this, business practices, including small business practices, will need to be more transparent. This recommendation is modelled on the GDPR (General Data Protection Regulation) that covers all of Europe and has been in effect since 2018.
Consider how your clients and customers currently share their personal information. For example:
Can your customers anonymise their information?
Do you really need their birth date or address?
Could their signature be misused if you have collected a copy
Think about those emails you get from companies promoting products or services. Perhaps there are a handful that provide value but if your inbox looks anything like mine, then there are sure to be emails from companies you don’t even open.
While email marketing is a whole other topic I won’t cover here, what is important to know now, is that as part of any person being able to take control of their own data, your emails must include an ‘opt out’ or ‘unsubscribe’ option. This should also allow them to remove their email address from a database entirely.
This email example is just that, an example of the ways in which your customers and clients need to be able to take control of what information about them you store and use and what they hand over.
4. Trading of information for audience targeting and marketing purposes
Have you planned a holiday recently? Maybe you looked up a recipe or searched for a service or product. We have all had the experience of the advertisement that then continues to follow us around online. The hotel or hire car you clicked on is suddenly being fed to you as Facebook content, the product you ‘added to basket’ is suddenly appearing in your Instagram story advertising.
There is no doubt that this kind of marketing strategy is effective and many businesses do it, not just the big guys. So what changes might you need to consider for your policy to ensure it falls in line with the new recommendations?
We anticipate this recommendation will be adopted so businesses will need to provide the opportunity for individuals to opt out of this style of targeted or direct marketing. While there is nothing for you to do about this right now, it is something to consider in your planning if you currently use it, or plan to.
How would a change like this impact your business practices?
How can you adapt or put in place steps now to continue to make money while respecting the right to privacy?
The risks of not having a privacy policy for small business
For businesses of all kinds, there are risks of a privacy breach. The consequences can be far reaching and for small businesses, can be catastrophic.
The core issues include:
Suffering reputational damage;
Losing clients and customers;
Falling victim to threats or blackmail if data is stolen; and
Financial loss as a result of all of the above.
Imagine having to manage a privacy breach and all that comes with it, while trying to keep your business up and running. If you have an up to date privacy policy, at least you could refer to it when detailing what occurred. But without one? Well that would be even harder to explain.
Whether you are a small business or not, a privacy policy demonstrates to users of your site, your clients and customers, that they can be confident that you treat their information with confidentiality and security.
By having your privacy policy easily visible on your website, people will know how to enquire or make a complaint, as well as how you will address any complaints made. This is a helpful tool for you to have already in place, if a privacy breach ever affects your business. It also gives your clients or customers confidence that you take these matters, and their data, seriously!
What your privacy policy for small business should cover
To minimise the risk and fallout in the event of a privacy breach that affects your customers or clients, you should have a privacy policy (like our template) that covers the following:
Types of personal information that you may collect
Why your website collects personal information
How the information is collected and used
How information is stored
In what instances that information may be disclosed to third parties
How your website users can contact you to access their personal information, ask for a correction or lodge a complaint if they believe their information has been incorrectly used or distributed
How you will handle complaints
How information may be transferred overseas
Security of information transfer
Use of cookies and analytics tools
A disclaimer about third party website integrations (e.g. PayPal or Stripe) to protect you if your third party integrations are breached
Update your privacy policy for small business now, to protect your business for the future
Breaches of privacy and stealing of data is not just an issue for your customers and clients, but importantly for you and your business’ reputation as well. We all hear about it when the big companies get hit, but small businesses are regularly targeted and at risk of errors that breach the legislation too. With the amendments made in 2022 along with the new recommendations handed down in 2023, there are big changes coming that small businesses shouldn’t overlook or delay in acting on.
The best place to get started is to ensure you:
a) Take stock of what you do currently (take a look at our assessment checklist); and
b) Review your policy to make sure it covers the changes already in place for small businesses or get a privacy policy in place ASAP (like our templated version); and
Minimise the risk of the harsh penalties and reputational damage that your business would experience if a breach occurs. Remember, no business is immune from hackers or errors in disclosure of private information, including the third party tools we all use to collect and store customer information.
Related: The 7 Minute Online Business Audit - Make your next 12 months the best yet!
Disclaimers For Businesses With An Online Presence - what they are and why you need them
Take a look at our Privacy Policy Template and our Privacy Policy Bundle that includes Website Terms of Use (another important protection tool). Our templates are fully customisable to meet the needs of your specific business.
In reading this article from Ready to Boss Legal (Article), you have not asked us to provide legal advice to you and this Article should not be used in substitution for legal advice. This Article contains information only and Ready to Boss Legal is not acting as your lawyer in providing this Article or other information to you. You do not have a solicitor/client relationship with Ready to Boss Legal unless you choose to formally engage us in writing for customised legal services (excluding template purchase which is also legal information).