Website Terms and Conditions and Privacy Reform

Written by Jasmin Mantoufeh

Published: November 17, 2022
Legal Topics
Workplace Law, Cyber, Data and Privacy Law

Following the Optus and Medibank data breaches, the Australian privacy framework has been subject to increased scrutiny by victims of cyber-attacks in the online realm. Unsurprisingly, the Information and Privacy Commissioner has called for significant reform to the Privacy Act 1988 (Cth), which ultimately affects how Small and Mid-sized Enterprises (“SME”) prepare online privacy policies and website terms and conditions.

Take this article as a sign to wipe the dust off your website terms and conditions and undertake a compliance audit to ensure that the current provisions remain enforceable and adaptable to incoming change.

Terms and Conditions

Website Terms & Conditions act as an electronic contract that legally binds users of a website to provisions governing the access and use of the website.

Terms & Conditions are extremely important in ensuring that your website is legally compliant, providing protection from:

  • non-compliant web-users who may conduct illegal activities on the website such as fraud or posting abusive materials;
  • harmful embedded devices such as Flash Cookies;
  • any unauthorised use or reproduction of your Intellectual Property rights;
  • liability for any loss or damages that a web-user may suffer from your website; and
  • any lack of compliance with the Australian Privacy Principles.

The Australian Consumer Law, enshrined in Schedule 2 of the Competition and Consumer Act 2010 (Cth), legally requires all Australian domains to incorporate website terms and conditions that address the consumer guarantees contained in that Act.

When deciding what to include in Website Terms & Conditions, a quick internet search is not the answer. Bespoke terms and conditions should be tailored to the operations, product offering and internal governance of your business, and we recommend a review of your website terms and conditions to ensure that the following provisions are properly drafted:

  • Background;
  • Product and Service Offering;
  • Method of Processing Orders – e.g. create an online account;
  • Price and Payment Methods;
  • Warranties and Disclaimers;
  • Notice of advertisements, sponsorships and referrals;
  • Shipping and Delivery Information – e.g. turnaround times;
  • Website security – e.g. measures to secure personal information;
  • Indemnities and limitation of liability without impugning the ACL;
  • Return and Exchange Policy;
  • Privacy Policy – e.g. use of cookies to collect and store data;
  • Complaints Procedure and Resolution;
  • Insurance – e.g. goods in transit;
  • Governing Law – e.g. New South Wales; and
  • Period of Notice to amend Terms & Conditions.

It is also important to note that web-users must be provided notice that use of the website is subject to the Terms & Conditions that govern your website. This could be done through an active consent mechanism or a pop-up banner that users must tick in order to access the website.

Informed consent to website terms and conditions and collection of data will become a trending topic with the revamp of the Privacy Act 1988 (Cth).

Privacy Policy

Your privacy policy serves as an essential tool to mitigate cyber risk. In accordance with the Privacy Act 1988 (Cth), a privacy policy is mandated for any website that handles personal information and must include:

  • the organisation name and contact details;
  • types of personal information the organisation collects and stores;
  • how the organisation collects the information and where it is stored;
  • the primary purpose for collecting the information;
  • how the information is used;
  • when the information will be disclosed and released;
  • how a web-user can retrieve and correct their personal information;
  • how a web-user can lodge a complaint regarding misuse of their information;
  • countries and entities that the information is likely to be disclosed to; and
  • compliance with the 13 Australian Privacy Principles.

Industry Specific Cyber Obligations

Your business may be subject to industry-specific security obligations that impose an additional source of regulations requiring compliance. For example, Optus was subject to a variety of legislation, including the Security of Critical Infrastructure Act 2018 (Cth) and the Telecommunications Sector Security Reforms, in addition to standard Australian privacy laws.

With the Privacy Commissioner confirming the introduction of severe financial penalties that mirror the civil penalty provisions in the Australian Consumer Law, it is important to ensure that your website terms and conditions account for a cross-section of applicable regulations.

Current Penalties and Impending Regulatory Reform

As it currently stands, the Privacy Act includes ‘civil penalty provisions’ where fines of up to $2.2 million apply for ‘serious or repeated interference with privacy’ (s 13G) and breaches of other reporting requirements e.g. credit reporting, My Health Records Act 2012 (Cth).

Sections 25 and 25A of the Privacy Act also permit individuals to recover compensation and other remedies where a civil penalty order is made against an entity for a contravention of a civil penalty provision.

Following the recent data breaches of Medibank and Optus, a raft of new legislation and reforms has been proposed. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 is currently being debated in Parliament and, if passed, aims to increase enforcement powers and penalties in the cyber space, including:

  • an increase in the maximum penalty for corporations that seriously or repeatedly interfere with privacy from $2.2 million to greater than $50 million; and
  • greater information gathering powers afforded to the Office of the Australian Information Commissioner.

Contact our Workplace Law Team to discuss preparing bespoke website terms and conditions and an online privacy policy that aligns with your internal governance and workplace policies.

If you have any questions or concerns, please contact our Workplace Law Director Angela Backhouse on 02 6188 3600.