
Mind the GAPP: Why Creative Businesses Still Need a Privacy Policy
If you’re a designer, illustrator, photographer, fashion label, or maker selling your work online, you may assume the Privacy Act doesn’t apply to you. And legally, you might be right.
In Australia, the Privacy Act 1988 (Cth) is the main law governing how personal information is collected, used, and disclosed. But it only applies to businesses with an annual turnover of more than $3 million, or certain types of businesses regardless of size – like health service providers, credit reporting bodies, or businesses that trade in personal information.
That means many creative businesses fall outside the Act’s scope. Think independent artists, sole trader designers, online jewellery stores, boutique fashion labels, footwear brands, and custom furniture makers. But not being legally required to comply with the Australian Privacy Principles (APPs) doesn’t mean you shouldn’t have something in place. In fact, it could be risky not to.
Creative Industries and Customer Expectations
Even if the law doesn’t require it, your customers do. The most recent Australian Community Attitudes to Privacy Survey found that over 84% of Australians care deeply about privacy. In fact, 69% of people said they’ve decided not to deal with a business because of concerns over how their personal information would be handled.
What does this mean for creatives?
Customers buying handmade clothing or commissioning a custom painting often provide personal details like names, addresses, and payment info – and in some cases, intimate preferences (like sizing, personal photos, or reference material). If you’re running an e-commerce store, you may also be collecting data through cookies, mailing lists, booking systems or third-party platforms.
In short: you’re handling data, even if you’re a “small” business.
The Role of GAPP: Generally Accepted Privacy Principles
That’s where the Generally Accepted Privacy Principles (GAPP) come in.
GAPP is a globally recognised framework designed to help organisations manage personal information responsibly, regardless of whether they’re legally bound by privacy laws. It offers a practical, common-sense approach to data governance that any business – including creative ones – can implement.
GAPP covers ten core areas:
- Management – assigning privacy responsibilities in the business
- Notice – telling people what data you’re collecting and why
- Choice and Consent – giving customers control over their information
- Collection Limitation – only collecting what’s necessary
- Use, Retention and Disposal – keeping data only as long as needed and disposing of it securely
… and five more, including access, third-party sharing, security, data integrity, and monitoring
For creative businesses, GAPP is especially helpful because it scales. Whether you’re a solo artist selling prints or a team running a fashion label, you can implement GAPP in a way that suits your size and operations.
Case Study: Creative Threads – A Boutique Fashion Label
Let’s imagine a small Australian business called Creative Threads, selling handmade clothing, footwear, and headwear online. With a turnover under $3 million, the business isn’t covered by the Privacy Act.
However, they collect customer names, emails, shipping details, and style preferences. They also use a mailing list for product launches and track customer behaviour on their website to improve the shopping experience.
Although they’re not required by law to follow the APPs, they want to show they take privacy seriously – both to build trust with customers and to prepare for future growth.
After consulting Sharon Givoni Consulting, Creative Threads adopted a GAPP-aligned privacy policy, introduced consent-based email opt-ins, and added a clear privacy notice to their website. They also created a basic data retention and disposal process.
The result? Their customers appreciated the transparency, and the business was able to secure a partnership with a larger online platform that required documented privacy practices.
How Sharon Givoni Consulting Can Help
Through our DesignWise platform, Sharon Givoni Consulting offers:
- Plain English privacy policy templates tailored for creatives
- 1:1 legal advice to determine whether the Privacy Act applies to you
- Help implementing the GAPP framework for practical, ethical data practices
- Support setting up opt-ins, cookie notices and data handling procedures
Whether you’re a ceramicist with an online shop, a digital illustrator offering commissions, or a small brand creating handmade kids wear, we can help you build privacy into your business in a way that fits.
Why Act Now?
Privacy laws in Australia are under review. One of the proposals in the Privacy Act Review Report is to extend privacy obligations to more small businesses.
For now, though, there is a gap (excuse the pun!). But consumers still expect businesses to respect and protect their privacy. Having even a simple, clear privacy framework in place can go a long way in showing customers that you take their information seriously.
If you wait until you’re legally required to act, it may be harder to catch up. By adopting GAPP and implementing a simple, easy-to-understand privacy policy now, you’re setting your creative business up for future compliance and success.
More importantly, you’re showing customers that you care – not because you have to, but because you should.
Want to Know More?
If you’re not sure where to start, reach out to us at DesignWise or contact Sharon Givoni Consulting directly. We make the law work for creatives – without the jargon.
Useful resources:
The many faces of privacy law by Sharon Givoni:
https://sharongivoni.com.au/the-many-faces-of-australian-privacy-law/
Are Your Privacy Policies Compliant? Protect Your Business Under Australian Law:
https://sharongivoni.com.au/are-your-privacy-policies-compliant-protect-your-business-under-australian-law/
Data privacy policies:
https://sharongivoni.com.au/services/privacy-law/drafting-privacy-policies/
Australian Community Attitudes to Privacy Survey (a longstanding study that evaluates the awareness, understanding, behaviour and concerns about privacy among Australians) done by the OAIC:
https://www.oaic.gov.au/engage-with-us/research-and-training-resources/research/australian-community-attitudes-to-privacy-survey
Please note the above article is general in nature and does not constitute legal advice.
Please email us at info@iplegal.com.au if you need legal advice about your brand or another legal matter in this area generally.