
What are the legal requirements for collecting customer data in Australia?

Straight answer

In Australia, collecting personal information is governed mainly by the Privacy Act and the Australian Privacy Principles. In plain terms: collect only what you need, tell people what you collect and why, keep it secure, let them access it, and use it only for the stated purpose. This is general information, not legal advice.

Information current as at 5 July 2026

The moment your app collects a name, an email or a payment, you are handling personal information, and in Australia that comes with obligations. This is not meant to scare you off; the principles are largely common sense and mostly about respect and care. This article is a plain-English map of the framework so you know what is expected. It is general information, not legal advice.

Plain English
Personal information
Information that identifies someone, like a name, email, phone number or address.
Privacy Act
The main Australian law governing how personal information is handled.
Australian Privacy Principles
The set of rules under the Privacy Act covering collection, use and security of data.
Consent
A person's informed agreement to your collecting or using their information.

The framework you are working within

In Australia, the handling of personal information is governed mainly by the Privacy Act and the set of rules it contains, the Australian Privacy Principles. Personal information means anything that identifies a person: a name, an email, a phone number, sometimes an address or other details. The framework is not a niche concern for big companies; it sets the baseline expectations for anyone collecting information about people. Whether every specific obligation applies to your particular business can depend on factors like turnover and what you do, which is why this is general information and not legal advice. But understanding the principles is the right starting point regardless, because they describe what good, lawful handling looks like.

Collect only what you need, and be open about it

Two of the core ideas are restraint and transparency. Restraint means collecting only the personal information you actually need for what you are doing, rather than hoovering up everything because you can. An email newsletter does not need someone's date of birth. Every extra field you collect is more data to secure and more that can leak. Transparency means telling people, clearly and before or at the point of collection, what you are collecting and why. This is where a privacy policy comes in: it is how you make that disclosure. People should not have to guess what happens to their details, and being upfront is both an obligation and a trust-builder.


Use it for the stated purpose, keep it secure, let people reach it

Once you have collected information, the principles shape what you may do with it. Use it for the purpose you collected it for, not quietly for something else the person did not agree to. Keep it secure, with reasonable steps to protect it from loss, misuse and unauthorised access, which for an app means the practical security this whole category is about: locked-down databases, hidden keys, protected logins. Give people a way to access the information you hold about them and to have it corrected. And do not keep it forever; when you no longer need it, there is an expectation that you dispose of it responsibly. These are not exotic requirements; they are what careful custody of someone else's details looks like.

What this means for a small AI-built app

Translated into action, the framework asks a handful of practical things of your app. Have a genuine privacy policy that honestly describes what you collect and why. Collect the minimum. Secure what you hold, which loops straight back to the technical checks in this category, because a legal obligation to keep data secure is not met by an app with an open database or exposed keys. Be able to tell a customer what you have on them and delete it on request. And if something goes wrong and data is breached, be aware that in serious cases there can be obligations to notify affected people and the regulator. You do not need a legal team to begin taking this seriously, but because your specific obligations depend on your circumstances, treat this as orientation and get proper advice for anything consequential. This is general information, not legal advice.

Common questions

Does the Privacy Act apply to my small business?
It depends on your circumstances, including turnover and the kind of activity you do; some small businesses are covered and some are not. Rather than gamble on an exemption, it is wiser to follow the Australian Privacy Principles as good practice regardless. This is general information, not legal advice, so confirm your position for anything that matters.
What counts as personal information?
Anything that can identify a person: name, email, phone number, address, and often things like account details or, in context, an identifier tied to them. If you could work out who someone is from what you hold, it is likely personal information and deserves the care the principles describe. Treat identifying data as sensitive by default.
What is the practical minimum I should do?
Have an honest privacy policy, collect only what you need, secure what you hold with real technical measures, and be able to show a customer their data or delete it on request. That covers the spirit of the principles for most small apps. For anything high-stakes, get tailored legal advice rather than relying on a general overview.
What happens if data I hold is breached?
In serious cases there can be an obligation to notify the affected people and the regulator, so a breach is not something to quietly hope goes unnoticed. Having a plan for how you would respond is part of handling data responsibly. Our article on data breaches walks through the steps. This is general information, not legal advice.
