Privacy Act 1988

Australian Business & Compliance

Also: Privacy Act · Australian Privacy Act

Governs: How businesses handle personal information
Built on: The Australian Privacy Principles
Overseen by: The information regulator, the OAIC
Reform underway: Obligations are tightening

Quick definition

The Privacy Act 1988 is the Australian law that governs how organisations collect, use, store and disclose personal information. It is built on the Australian Privacy Principles and overseen by the Office of the Australian Information Commissioner. It applies to most medium and larger businesses and to some smaller ones depending on what they do.

How it varies across Australia

Most Australian marketing stacks collect far more personal information than their privacy policy actually describes. The gap between what the pixels capture and what the policy discloses is where the real exposure sits, and it widens every time a new tool is bolted on without review.


What it actually means

The Privacy Act 1988 sets the rules for how organisations handle personal information in Australia. Personal information is anything that identifies a person, which in a marketing context includes names, emails, phone numbers, and increasingly the device and behavioural data your tracking collects.

The Act works through the Australian Privacy Principles, a set of obligations covering how you collect information, what you tell people when you do, how you use it, how you keep it secure, and the rights people have to access and correct it. The through-line is consent and transparency. You should collect only what you need, say what you are collecting and why, and use it only for the purpose you disclosed.

It is overseen by the Office of the Australian Information Commissioner, and it connects to the Notifiable Data Breaches scheme, which forces you to report serious breaches.

For marketers the exposure is rarely the database. It is the gap between what the marketing stack quietly collects through pixels, tags and customer data platforms, and what the privacy policy actually says. Every new tool widens that gap unless someone updates the disclosure. The Act is being reformed to tighten these obligations further, so the trend is toward more disclosure and stronger consent, not less.

The Privacy Act is not asking what your tools can collect. It is asking whether you told people you were collecting it.

How it shows up

Exposure shows up as a privacy policy that has not kept pace with the tracking stack. Every pixel, tag and data platform collects something, and if the policy does not describe it, the disclosure is incomplete. The practical check is to list what the stack actually captures and compare it line by line against what the policy says.

The Australian context

The Privacy Act is the Australian regime and it differs from the European General Data Protection Regulation in scope and in some thresholds, which is why the two deserve a direct comparison rather than being treated as interchangeable. Historically the Act exempted many small businesses, but the reform program underway is narrowing exemptions and lifting obligations. Building to the stricter standard now is the safer bet than retrofitting later.

Where people get this wrong

Assuming the Privacy Act only covers the customer database. Personal information includes the device and behavioural data collected by pixels and tags. The marketing stack is often the largest and least documented collector in the business.

Letting the privacy policy fall behind the tooling. Every new tracking tool collects something. If the policy does not disclose it, the collection is undisclosed, which is exactly the gap the Act cares about.

Treating the Australian Act as the same as the European GDPR. They differ in scope, thresholds and some rights. A GDPR-compliant setup is a strong start but it is not automatically Privacy Act compliant, and the reverse is also true.

Common questions

What does the Privacy Act 1988 cover?

How organisations collect, use, store and disclose personal information. It works through the Australian Privacy Principles and is overseen by the Office of the Australian Information Commissioner. For marketers it covers customer data and the device and behavioural data captured by tracking tools.

Does the Privacy Act apply to my business?

It applies to most medium and larger organisations and to some smaller ones depending on what they do, such as handling health information or trading in personal data. The reform program underway is narrowing the small-business exemptions, so the safer assumption is that it applies.

Is the Privacy Act the same as GDPR?

No. The Australian Privacy Act and the European General Data Protection Regulation differ in scope, thresholds and some individual rights. Being compliant with one is a strong start but does not automatically make you compliant with the other.

What is the most common privacy mistake in marketing?

Letting the privacy policy fall behind the tracking stack. Every pixel, tag and data platform collects something, and if the policy does not disclose it, the collection is undisclosed. Keep the policy in step with the tools.

About New Rebellion

New Rebellion is a marketing intelligence consultancy. We build tools, score Australian businesses on how their marketing actually performs, and publish Debrief every day. This dictionary is part of how we work in the open.