Module 09 — Legal, Tax & Business Setup
Privacy, Data & The AU Privacy Act
9 min · text · Beginner
Your customer fills in their email at checkout. They tick a box agreeing to your privacy policy. They pay. Three years later, that email is in your Klaviyo, your Stripe, your Shopify, your email backups, and your accountant's CSV exports. The Australian Privacy Act says your customer has rights over that data. The Australian Privacy Principles (APPs) say what you must disclose, how you must store, and what happens if there is a breach. Most AU dropshippers under A$3M revenue are technically below the formal Privacy Act threshold — but the ACCC and OAIC enforce the principles regardless of size when serious harm is at stake. Today: the privacy obligations every AU dropshipper has, and the policy that complies.
Who the Privacy Act applies to
The Australian Privacy Act 1988 applies to:
- Businesses with annual turnover over A$3 million. Mandatory full compliance with all 13 APPs.
- Businesses below A$3M handling sensitive information (health records, biometric, etc.). Also fully covered.
- Businesses below A$3M doing direct marketing. Partial coverage — APP 7 (direct marketing) applies.
- All businesses are subject to the Notifiable Data Breaches scheme if a breach is likely to cause serious harm.
For most AU dropshippers under A$3M with a standard Shopify store, formal Privacy Act coverage is partial. But the OAIC (privacy regulator) increasingly enforces APP principles even on smaller businesses when consumer harm is real, particularly around data breaches and direct marketing.
The realistic stance: comply with the Privacy Act fully regardless of size. The cost is low; the protection is real.
The 13 Australian Privacy Principles (APPs) — what matters for ecommerce
Of the 13 APPs, six matter most for an AU ecommerce store:
- APP 1 — Open and transparent management. You must have a privacy policy that is publicly accessible.
- APP 3 — Collection of solicited personal information. Only collect what you need; not more.
- APP 5 — Notification of collection. Tell customers what data you collect, why, and what you'll do with it.
- APP 6 — Use or disclosure. Only use data for the purposes disclosed in your collection notice.
- APP 7 — Direct marketing. Customers must opt-in (or be given clear opt-out) for marketing communications. Compliance with the Spam Act 2003 also applies.
- APP 11 — Security. Take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access.
The privacy policy on your store needs to describe how each of these is handled. Most Shopify-generated privacy policies cover these points, but you should confirm each one specifically for AU compliance.
What your privacy policy must disclose
A compliant AU privacy policy includes:
- Identity and contact details of your business (Pty Ltd name, ABN, contact email).
- Categories of personal information collected (name, email, address, phone, payment, browser data, etc.).
- How you collect it (web form, Shopify checkout, email signup, third-party app).
- Why you collect it (order processing, marketing, customer service, legal compliance).
- Who you disclose it to (Shopify, payment processors, fulfilment partners, marketing platforms — name them).
- Whether data goes overseas (typically yes — Shopify is US-based, AliExpress is China-based; disclose).
- How customers can access or correct their data (process for opt-out, deletion, data export).
- Complaints process (how to lodge a privacy complaint, OAIC contact details).
- Last updated date.
A short, plain-language version should also be linked from your checkout flow (most Shopify checkouts now include this).
Notifiable Data Breaches scheme
If a data breach occurs that is likely to cause serious harm to affected individuals:
- You must notify affected individuals as soon as practicable.
- You must notify the OAIC (Office of the Australian Information Commissioner).
- You must take reasonable steps to remediate (password resets, credit monitoring offers, etc.).
Failing to notify can result in significant penalties (up to A