
Open your store’s privacy policy right now and read the first two paragraphs. If it mentions a business name you do not recognise, or talks about services you have never offered, you copied it from a template years ago and never looked again. You are not alone. Most Aussie Shopify stores treat the privacy policy as a box to tick at launch, then forget it exists.

That used to be a low-risk shortcut. It is not anymore. The Office of the Australian Information Commissioner (OAIC) recorded 1,113 data breach notifications in 2024, a 25% jump on the 893 reported in 2023, and another 532 in the first half of 2025 alone. The single fastest-growing cause is not hackers. It is human error, which accounted for 37% of breaches in early 2025. That is a spreadsheet emailed to the wrong person, a misconfigured app, an export left in a shared drive.

Here is why this matters for you specifically. The small business exemption that has kept most stores under the $3 million turnover line out of the Privacy Act is on the way out, and a new statutory tort means an individual can now take you to court for a serious invasion of privacy without proving they lost a cent. This playbook is the six-part system we walk through with founders who want to get ahead of it before it becomes a fire drill.

The three changes that just made privacy your problem

For years, the practical reality was simple. If your store turned over less than $3 million a year, the Privacy Act mostly left you alone. Three changes have quietly rewritten that deal, and none of them got the attention they deserved.

First, the small business exemption is being removed. The government has confirmed it is progressing a second tranche of reforms, and the change is expected to land across 2026 and 2027. When it does, roughly 2.3 million additional businesses come under the same 13 Australian Privacy Principles that currently apply to big companies and health providers. If you have never written a real privacy policy, you will need one, and it will need to be accurate.

Second, the statutory tort for serious invasions of privacy came into effect on 10 June 2025. This is the big one. An individual can now sue you directly, and they do not have to prove they suffered any loss. Damages for non-economic harm are capped at the greater of $478,550 or the defamation cap, and a court can award exemplary damages on top. The exemption status of your business does not shield you from this tort.

Third, from 10 December 2026, any business covered by the Act that uses personal information in automated decision-making with a significant effect on people must describe that in its privacy policy. If you run algorithmic fraud scoring, automated returns approvals, or AI-driven personalisation that gates pricing or access, that belongs in your policy. Sitting behind all of it is a penalty regime that tops out at $50 million, three times the benefit gained, or 30% of adjusted turnover for the most serious or repeated breaches.

The takeaway is not panic. It is timing. You have a window to do this properly and cheaply now, instead of scrambling when a customer complaint or a breach forces your hand.

Part 1: Map every piece of customer data you actually hold

You cannot protect or disclose data you have not catalogued. Most founders dramatically underestimate how much personal information their store touches, because it is scattered across a dozen connected tools that each quietly collect a slice.

Start with a one-page data map. List every system that holds customer data, what fields it stores, why you hold it, and how long you keep it. A typical Shopify store collects more than you think:

The Australian Privacy Principles are built on a simple idea: collect only what you need, for a stated purpose, and be honest about it. When you see your real data map on one page, two things usually jump out. You are collecting fields you never use, and you have no idea how long anything is kept. Both are easy wins, and both reduce your exposure if a breach ever happens.

[Image: Privacy data inventory dashboard showing customer data fields collected by each connected system]
A simple data inventory turns scattered tools into one view: what you hold, where it lives, and where the exposure sits.

Part 2: Write a privacy policy that describes your real store

A generic template is worse than useless now. If your policy says you do one thing and your store does another, that gap is the evidence against you. The good news is that a clear, accurate policy is not hard to write once you have your data map from Part 1.

Australian Privacy Principle 1 requires an up-to-date policy that a normal person can understand. Yours should plainly answer five questions:

Write it in plain English. The OAIC’s own research shows three in five Australians do not understand what organisations do with their data, and 84% want more control. A policy a customer can actually read is not just compliance. It is a trust signal on the page where hesitation costs you sales.

Here is the gap that catches almost everyone. Your Meta Pixel, GA4 and TikTok scripts fire the instant a visitor lands, harvesting behavioural data before anyone has agreed to anything. For visitors in the EU and UK that is already a breach, and Australian expectations are catching up fast. Consent needs to be collected first, then tracking switched on.

Shopify gives you the plumbing for this through its Customer Privacy settings and the Privacy API, but the native banner is basic. For most stores the cleanest fix is a dedicated consent management app. Pandectes GDPR Compliance is the one we reach for most often. It holds a 5.0 rating across more than 2,900 reviews, has a free plan, and integrates with both the Shopify Privacy API and Google Consent Mode v2.

How to set up a working consent layer

Expect a small dip in tracked events once cookies fire only after consent. That is normal, and it is the point. You are trading a slice of measurement for data you are actually allowed to hold. The same declared, consented information powers better outcomes anyway, which is the whole argument behind a proper zero-party data strategy.
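The "consent first, scripts second" pattern above, as an added example that is not code from the original post, from Shopify or from the Pandectes app: a small consent gate that keeps each tracking loader queued until the visitor grants the matching purpose, and mirrors every decision into Google Consent Mode v2 through a gtag-style function. The consent object shape ({ analytics, marketing, preferences }) is an assumption modelled on the purposes Shopify's Customer Privacy API exposes; wiring the gate to that API and to real script tags is left to the theme, and the trackers here are stand-ins that only record that they ran.

```javascript
// Added example (not from the original post, Shopify or Pandectes): a consent
// gate for tracking scripts with Google Consent Mode v2 signalling.

// Consent Mode v2 storage keys, grouped by the purpose that controls them.
const CONSENT_MODE_V2_KEYS = {
  analytics: ["analytics_storage"],
  marketing: ["ad_storage", "ad_user_data", "ad_personalization"],
  preferences: [], // no Consent Mode key, but still gates its loaders
};

function createConsentGate(gtag) {
  const granted = { analytics: false, marketing: false, preferences: false };
  const queued = { analytics: [], marketing: [], preferences: [] };
  const released = [];

  // Default state before the visitor has chosen anything: every signal denied.
  gtag("consent", "default", {
    analytics_storage: "denied",
    ad_storage: "denied",
    ad_user_data: "denied",
    ad_personalization: "denied",
  });

  // Register a tracker under a purpose. It runs now only if that purpose is
  // already granted; otherwise it waits in the queue for that purpose.
  function register(purpose, name, loader) {
    if (!(purpose in queued)) throw new Error(`unknown purpose: ${purpose}`);
    if (granted[purpose]) {
      loader();
      released.push(name);
    } else {
      queued[purpose].push({ name, loader });
    }
  }

  // Apply a consent record (assumed shape: { analytics, marketing, preferences }).
  // Only an explicit true or "yes" counts as a grant; anything missing, false
  // or "no" keeps that purpose blocked.
  function applyConsent(consent) {
    const update = {};
    for (const purpose of Object.keys(granted)) {
      const value = consent[purpose];
      granted[purpose] = value === true || value === "yes";
      for (const key of CONSENT_MODE_V2_KEYS[purpose]) {
        update[key] = granted[purpose] ? "granted" : "denied";
      }
      if (granted[purpose]) {
        // Release everything queued under this purpose, in registration order.
        while (queued[purpose].length > 0) {
          const { name, loader } = queued[purpose].shift();
          loader();
          released.push(name);
        }
      }
    }
    // A withdrawal cannot unload a script that already ran on the page; it
    // does send "denied" so Google's tags stop storing from this point on.
    gtag("consent", "update", update);
  }

  return {
    register,
    applyConsent,
    pending: () => Object.values(queued).flat().map((q) => q.name),
    released: () => released.slice(),
    granted: () => ({ ...granted }),
  };
}

// Walk-through with a recording gtag: two trackers registered on page load,
// then the visitor accepts analytics only. Nothing fires before the choice.
function demo() {
  const gtagCalls = [];
  const gate = createConsentGate((...args) => gtagCalls.push(args));
  const loaded = [];
  gate.register("analytics", "ga4", () => loaded.push("ga4"));
  gate.register("marketing", "meta-pixel", () => loaded.push("meta-pixel"));
  const beforeChoice = gate.pending(); // both still queued
  gate.applyConsent({ analytics: true, marketing: false });
  return { beforeChoice, loaded, pending: gate.pending(), gtagCalls };
}
```

In a theme the gate would be created as early as possible in the head, every pixel or analytics snippet would be registered under its purpose instead of being pasted inline, and applyConsent would be called once with the stored choice on load and again whenever the banner records a new one. The measurable dip described above is exactly the marketing queue staying unreleased for visitors who decline.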

[Image: Shopify customer privacy consent settings with cookie banner preview and tracking scripts blocked until consent]
Consent collected first, scripts released second. The banner and the blocked-script list are the two things to get right.

Part 4: Hold less, lock down the rest

Every record you store is a record you can lose. The breach statistics make the case better than any lecture: the average cyber incident in early 2025 exposed just over 10,000 individuals, and the OAIC has been clear it expects businesses to minimise what they keep. Data minimisation is the cheapest security control there is, because data you never collected cannot leak.

Work through three moves in order:

Email is its own exposure point, because a spoofed domain leaks trust and invites scams in your name. Getting your authentication right is a one-time job with lasting payoff, which we cover in the email authentication playbook. The pattern across all of this is the same: less data, fewer doors, stronger locks on the ones that remain.

Part 5: Build the breach response muscle before you need it

Under the Notifiable Data Breaches scheme, if a breach is likely to cause serious harm you must assess it within 30 days and notify both the OAIC and the affected individuals. The mistake founders make is treating this as something to figure out during the emergency. By then you are panicking, the clock is running, and every hour of silence makes the headline worse.

Write a one-page response plan now, while you are calm. It should name who decides, who contacts customers, and who talks to the regulator. It should list the systems most likely to be hit and where the backups live. And it should have a customer email already drafted, because the brands that recover from a breach are the ones that communicate fast and honestly.

The full step-by-step sits in our data breach response playbook, but the principle is short. A breach is survivable. A slow, evasive response to a breach is what kills brands. Optus and Medibank both suffered breaches affecting roughly 9.7 million Australians each in 2022, and it was the handling, not just the leak, that defined how the public judged them.

[Image: Six-part privacy compliance readiness tracker with consent opt-in trend and key Australian privacy law dates]
Track the six parts as a single readiness score, and put the three legislative dates somewhere you will not forget them.

Part 6: Handle access requests and vet your vendors

Two obligations quietly become routine once the exemption lifts. People can ask to see, correct, or delete the data you hold on them, and you are responsible for the partners you hand their data to. Both are manageable if you build the habit early.

For requests, set up a single privacy@ inbox and a simple internal process: verify the person, pull their data from each system on your map, and respond inside a reasonable timeframe. Most stores get a handful of these a year, so this is about having a calm answer ready, not building infrastructure.

For vendors, remember that your customers’ data flowing into Klaviyo, your 3PL, your reviews app and your ad platforms is still your responsibility. Keep a short list of who processes customer data, confirm each has its own privacy commitments, and note which ones store data overseas, because cross-border disclosure is something your policy must address. This sits alongside your broader compliance posture, which overlaps with the Australian Consumer Law obligations every store already carries.
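The one-page data map from Part 1 and the access-request process in Part 6 are two uses of the same record, so here is an added example (not code from the original post) that keeps the map as structured data and puts it to work. It audits the map for the two things that usually jump out (fields with no stated purpose, fields with no retention period) plus the overseas vendors the policy's cross-border section must name, then answers an access request by walking every system on the map rather than only the ones someone remembers. The systems, fields, hosting regions and customer records below are constructed sample values, not a real store's, and the records stand in for what each system's API would return.

```javascript
// Added example (not from the original post): a structured data map, an audit
// over it, and an access-request walk across every mapped system.

// Constructed sample data map. hostedIn is where the vendor stores the data.
const DATA_MAP = [
  {
    system: "Shopify orders",
    hostedIn: "AU",
    fields: [
      { name: "email", purpose: "order confirmation and fulfilment", retentionDays: 2555 },
      { name: "shipping_address", purpose: "delivery", retentionDays: 2555 },
      { name: "date_of_birth", purpose: "", retentionDays: 2555 }, // collected, never used
    ],
  },
  {
    system: "Klaviyo",
    hostedIn: "US",
    fields: [
      { name: "email", purpose: "marketing email (consented)", retentionDays: 730 },
      { name: "browse_history", purpose: "abandoned cart flows", retentionDays: null }, // no retention set
    ],
  },
  {
    system: "Reviews app",
    hostedIn: "US",
    fields: [
      { name: "email", purpose: "link a review to a verified order", retentionDays: 1825 },
      { name: "first_name", purpose: "display beside the review", retentionDays: 1825 },
    ],
  },
];

// Audit: fields with no stated purpose (drop them), fields with no retention
// period (set one), and systems hosted outside Australia (disclose them).
function auditDataMap(map) {
  const noPurpose = [];
  const noRetention = [];
  const overseas = [];
  for (const sys of map) {
    if (sys.hostedIn !== "AU") overseas.push(sys.system);
    for (const f of sys.fields) {
      if (!f.purpose) noPurpose.push(`${sys.system}.${f.name}`);
      if (f.retentionDays == null) noRetention.push(`${sys.system}.${f.name}`);
    }
  }
  return { noPurpose, noRetention, overseas };
}

// Constructed records standing in for each system's API response.
const SAMPLE_RECORDS = {
  "Shopify orders": [
    { email: "jo@example.com", shipping_address: "1 Example St, Melbourne", date_of_birth: "1990-01-01" },
    { email: "sam@example.com", shipping_address: "2 Sample Rd, Perth", date_of_birth: "1985-05-05" },
  ],
  Klaviyo: [{ email: "jo@example.com", browse_history: ["sku-1", "sku-2"], internal_score: 0.7 }],
  "Reviews app": [],
};

// Access request: every system on the map is queried, even when it returns
// nothing, so the response can say "we checked X and hold nothing". Fields a
// system returns that are not on the map are reported separately: they mean
// the map is stale and need a purpose and retention period before the next audit.
function accessRequestBundle(map, records, email) {
  const bundle = {};
  const unmapped = [];
  for (const sys of map) {
    const mapped = new Set(sys.fields.map((f) => f.name));
    const held = (records[sys.system] || []).filter((r) => r.email === email);
    bundle[sys.system] = held.map((r) => {
      const out = {};
      for (const [key, value] of Object.entries(r)) {
        if (mapped.has(key)) out[key] = value;
        else unmapped.push(`${sys.system}.${key}`);
      }
      return out;
    });
  }
  return { bundle, unmapped };
}
```

The verification step the text calls for still happens before any of this runs: the email passed in should be the one the requester proved they control, never one typed from a support ticket. Keeping the map in a file under version control also gives you a dated history of what you held and why, which is the evidence an accurate policy rests on.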

How the six parts compound into a trust advantage

Treat privacy as a one-off legal chore and it stays a cost. Run it as a system and it becomes an edge, because trust is now a buying factor, not a nice-to-have. Consider how the parts reinforce each other.

Your data map (Part 1) makes the policy (Part 2) accurate. The honest policy makes the consent layer (Part 3) believable instead of a dark pattern. Minimising data (Part 4) shrinks what a breach can expose, which makes your response plan (Part 5) easier to execute. And handling requests well (Part 6) turns a nervous customer into one who trusts you with repeat orders.

The numbers back the upside. The OAIC found 62% of Australians rate protecting their personal information as a major concern, and roughly nine in ten want businesses to do more. On a store doing $2 million a year, even a one or two point lift in checkout trust is tens of thousands in revenue. You are already paying the cost of weak privacy in abandoned carts and hesitation. This system flips that cost into a reason to buy.

Four mistakes that turn a small issue into a big one

Your 30-day privacy compliance rollout

You do not need a lawyer on retainer or a six-figure project. You need four focused weeks. Here is the order we use with founders.

Work that list and you will be ahead of the overwhelming majority of Australian stores well before the exemption disappears. Privacy stops being the thing you hope nobody asks about, and starts being something you can point to with confidence.

Inside eCommerce Circle, Protection is one of the ten pillars we work on with every member, because the founders who scale are the ones who are not one bad week away from a brand-ending headline. If you want a second opinion on where your store sits, let’s talk.

The Shopify Privacy Compliance Playbook: The 6-Part System Aussie DTC Founders Use to Get Ready Before the Small Business Exemption Disappears

Written by Paul Warren

Helping Shopify brand owners scale smarter through the eCommerce Circle coaching community.
