If your retail shop collects customer information – names, email addresses, phone numbers, loyalty card data, or CCTV footage – you are likely covered by the Privacy Act 1988 (Cth).
From 2023 onwards, significant amendments have increased penalties and introduced a new statutory tort for serious invasions of privacy.
This article explains your obligations, how to write a compliant privacy policy, and how to avoid data breaches.
Does the Privacy Act Apply to Your Shop?
The Privacy Act applies to 'APP entities', which include:
- Businesses with an annual turnover of more than $3 million (most medium and large retail chains).
- All businesses that trade in personal information (e.g., selling customer lists).
- All health service providers (including pharmacies and optometrists), regardless of turnover.
- Franchisors and franchisees – each may be individually liable.
If your small shop (turnover under $3 million) does not sell data and is not a health service, you may be exempt.
However, it is best practice to comply anyway, as customers trust shops that respect privacy.
New penalties (2023 Amendment): For serious or repeated interferences with privacy, maximum penalties are now the greater of $50 million, three times the benefit gained, or 30% of adjusted turnover.
The 13 Australian Privacy Principles (APPs)
The APPs are the core of the Privacy Act. For a retail shop, the most relevant are:
- APP 1 – Open and transparent management: You must have a clearly written privacy policy available free of charge (e.g., on your website or at the counter).
- APP 3 – Collection of solicited personal information: Only collect information that is reasonably necessary for your retail functions (e.g., delivery address for online orders).
- APP 5 – Notification of collection: At or before the time you collect information, tell the customer: why you need it, how it will be used, who else might see it, and where to find your privacy policy.
- APP 6 – Use or disclosure: You can only use customer information for the purpose you collected it (e.g., processing an order). You cannot use it for unrelated marketing without consent.
- APP 7 – Direct marketing: You can send marketing emails or SMS only if the customer has consented (opt-in) or if they would reasonably expect it (e.g., loyalty program members) and you provide an easy opt-out.
- APP 11 – Security of personal information: You must take reasonable steps to protect data from misuse, interference, loss, unauthorised access, or disclosure.
- APP 12 – Access to personal information: On request, you must give the customer access to their information (usually free or for a small fee).
Mandatory Privacy Policy Contents
Your privacy policy (written in plain English) must include:
- Your business name, contact details, and ABN.
- What kinds of personal information you collect (name, address, email, purchase history, CCTV).
- How and when you collect it (online forms, in-store signups, returns).
- The purposes for collection (fulfilling orders, sending newsletters, fraud prevention).
- Who you share information with (delivery companies, payment processors, marketing platforms).
- Whether you send data overseas (e.g., to cloud servers in the US or EU).
- How customers can access or correct their data.
- How to make a privacy complaint (internal process and external to OAIC).
- Whether you use cookies or tracking on your website.
CCTV and Privacy – Special Rules
If your shop uses security cameras, you must:
- Display clear signs at each entrance stating 'CCTV in operation for security purposes'.
- Not install cameras in changing rooms or toilets.
- Retain footage only as long as necessary (typically 30-60 days).
- Provide footage to a customer if it contains their image (under APP 12).
- Secure the footage – password-protect the DVR/NVR, restrict who can log in or copy recordings, and keep a record of who accessed it.
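The retention rule above (keep footage only as long as necessary, typically 30-60 days) is the kind of control that is easy to state in a policy and easy to forget in practice. The following Python script is an added example, not code from the article or from any DVR vendor: it assumes footage is stored as plain files in one directory, treats each file's modification time as the recording time, deletes anything older than the configured retention period, and writes an audit log line for every deletion so you can show what was removed and when. The `build_sample_footage` helper only creates constructed sample files so the script can be run offline; `expired_footage`, `purge_expired_footage` and `check_footage_permissions` are hypothetical names chosen for this example.

```python
"""CCTV footage retention enforcement (added example, not from the article).

Assumptions: footage lives as individual files in one directory and the
file's mtime is the recording time. Run as a daily scheduled task.
"""
import logging
import os
import tempfile
import time
from pathlib import Path

SECONDS_PER_DAY = 86400
RETENTION_DAYS = 30  # inside the 30-60 day window the article describes


def expired_footage(footage_dir, retention_days=RETENTION_DAYS, now=None):
    """Return the names of footage files older than retention_days, sorted."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * SECONDS_PER_DAY
    root = Path(footage_dir)
    return sorted(p.name for p in root.iterdir()
                  if p.is_file() and p.stat().st_mtime < cutoff)


def purge_expired_footage(footage_dir, retention_days=RETENTION_DAYS,
                          now=None, dry_run=False):
    """Delete expired footage and return the names removed.

    Every deletion is logged (file name and age) so the retention action
    itself leaves an audit trail. dry_run=True reports without deleting.
    """
    now = time.time() if now is None else now
    removed = []
    for name in expired_footage(footage_dir, retention_days, now):
        path = Path(footage_dir) / name
        age_days = (now - path.stat().st_mtime) / SECONDS_PER_DAY
        logging.info("retention: %s %s (age %.0f days)",
                     "would remove" if dry_run else "removing", name, age_days)
        if not dry_run:
            path.unlink()
        removed.append(name)
    return removed


def check_footage_permissions(footage_dir):
    """True if only the owner can read/write the footage directory (POSIX).

    Supports the 'restricted access' point: other local accounts on the
    recorder should not be able to browse or copy recordings.
    """
    mode = Path(footage_dir).stat().st_mode & 0o777
    return mode & 0o077 == 0


def build_sample_footage(footage_dir, now):
    """Create constructed sample files of different ages for demonstration."""
    ages = {"stale.mp4": 90, "old.mp4": 45, "recent.mp4": 5, "today.mp4": 0}
    for name, age_days in ages.items():
        path = Path(footage_dir) / name
        path.write_bytes(b"constructed sample footage")
        stamp = now - age_days * SECONDS_PER_DAY
        os.utime(path, (stamp, stamp))
    return sorted(ages)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        build_sample_footage(tmp, now)
        print("directory restricted to owner:", check_footage_permissions(tmp))
        print("dry run:", purge_expired_footage(tmp, now=now, dry_run=True))
        print("removed:", purge_expired_footage(tmp, now=now))
        print("remaining:", sorted(p.name for p in Path(tmp).iterdir()))
```

With a 30-day retention the dry run reports `old.mp4` and `stale.mp4`; the real run removes them and leaves `recent.mp4` and `today.mp4`. Start with `dry_run=True` on the live footage directory and compare the log against what you expect before letting the scheduled task delete anything.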
Loyalty Programs and Email Marketing
Common retail practices that can breach the Privacy Act:
- Adding customers to a newsletter list without their consent (opt-in required).
- Sharing loyalty program data with a third-party advertiser without disclosure.
- Collecting date of birth for 'birthday discounts' but then using it for other purposes.
- Keeping credit card details for 'future purchases' without explicit authorisation.
Spam Act 2003: In addition to the Privacy Act, you must comply with the Spam Act. Every marketing email must have a functional 'unsubscribe' link, and you must action unsubscribes within 5 business days.
Data Breach Response Plan (Notifiable Data Breaches Scheme)
Since February 2018, all APP entities must comply with the Notifiable Data Breaches (NDB) scheme.
If there is a data breach (e.g., hacking, a lost laptop holding customer data, or an employee stealing data) that is likely to result in serious harm to any affected individual, you must:
- Take steps to contain the breach (change passwords, recover device).
- Assess the likely risk of serious harm to affected individuals.
- Notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable (within 30 days is recommended).
- Provide advice on steps affected individuals can take (e.g., change passwords, monitor bank accounts).
Failure to notify is a separate breach with penalties up to $2.2 million for individuals and $11 million for corporations.
Practical Steps for Retail Shop Owners
- Conduct a privacy audit: what data do you collect, where is it stored, who has access?
- Write a privacy policy (free templates available from OAIC). Display it at your counter and on your website.
- Train staff to ask permission before collecting emails ('Would you like to join our loyalty program? You can opt out anytime').
- Shred or securely delete paper records (receipts with customer details) after 6 months.
In summary, respecting customer privacy builds trust and avoids eye-watering penalties. Make privacy part of your brand, not an afterthought.