Australia has a well-developed legal framework for online businesses, spanning privacy, consumer protection, anti-spam, and accessibility. The key laws are the Privacy Act 1988 (and its Australian Privacy Principles), the Spam Act 2003, the Australian Consumer Law, and the Disability Discrimination Act 1992. Together, these establish the minimum legal infrastructure your website needs to operate compliantly in Australia.
Essential legal documents for Australian websites
Privacy Policy is legally required if your organisation is covered by the Privacy Act 1988. Coverage applies to: organisations with an annual turnover above AUD $3 million; all health service providers regardless of turnover; businesses that trade in personal information; contractors to federal government agencies; and operators of certain other specified services. If you are covered, your privacy policy must address all thirteen Australian Privacy Principles (APPs), including collection notice requirements, use and disclosure limitations, data quality, security obligations, and individual access rights. From 2025, reformed Privacy Act obligations also require a broader set of businesses to comply with new notification and transparency requirements.
Terms and Conditions must comply with the Australian Consumer Law (ACL), which prohibits unfair contract terms in standard form consumer contracts. Key restrictions: terms that allow you to vary the contract without notice, that exclude liability for consumer guarantees, or that are unreasonably broad in scope may be void. The ACCC has been active in challenging unfair terms in online business contracts.
Spam Compliance — the Spam Act 2003 requires that commercial electronic messages be sent only with the recipient's consent, clearly identify the sender, and include a functional unsubscribe mechanism. As under Canada's CASL, consent is required before sending in most circumstances, although the Spam Act's consent requirements are slightly broader than CASL's implied-consent rules.
Accessibility Statement — while not mandated for private businesses by specific legislation, the Disability Discrimination Act 1992 creates potential liability for inaccessible websites. Publishing an accessibility statement and working toward WCAG 2.1 AA reduces this risk and aligns with expectations from the Australian Human Rights Commission (AHRC).
Consumer guarantees and refund policies
Australian Consumer Law provides non-excludable consumer guarantees on goods and services. For digital products and online services, this means consumers are entitled to remedies (repair, replacement, or refund) if the product or service does not meet consumer guarantee standards. You cannot contract out of these guarantees. Any refund policy on your website must be consistent with ACL requirements — stating "no refunds" where ACL consumer guarantees apply is misleading and may constitute a breach of consumer law.
Notifiable Data Breaches
Entities covered by the Privacy Act 1988 are subject to the Notifiable Data Breaches (NDB) scheme. If you experience a data breach that is likely to result in serious harm to affected individuals, you must notify both the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable. The 2025 Privacy Act reforms have strengthened these requirements and introduced new penalties of up to AUD $50 million for serious breaches.