Digital business in Australia: overview

A Q&A guide to digital business in Australia.

The Q&A gives a high level overview of matters relating to regulations and regulatory bodies for doing business online, setting up an online business, electronic contracts and signatures, data retention requirements, security of online transactions and personal data, licensing of domain names, jurisdiction and governing law, advertising, tax, liability for content online, insurance, and proposals for reform.

To compare answers across multiple jurisdictions, visit the Digital Business Country Q&A tool.

This Q&A is part of the global guide to digital business law. For a full list of jurisdictional Q&As visit


Regulatory overview

1. What are the relevant regulations for doing business online (for business-to-business and business-to-customer)?

Australia does not have in place legislation or regulations specifically governing the conduct of an online business. Online businesses are subject to common law principles and existing legislation that applies to businesses generally, including the following:

  • Corporations Act 2001 (Cth), which sets out, among other things, the requirements when registering a company (if this is the business model chosen), regulations for running a company and the obligations concerning business names.

  • A New Tax System (Goods and Services Tax) Act 1999 (Cth), which contains the obligation of a business to register for, impose, remit and claim input tax credit entitlements for, goods and services tax.

  • Competition and Consumer Act 2010 (Cth), which is designed to promote competition and fair trading between businesses and contains the key consumer protection regime, called the Australian Consumer Law.

  • Privacy Act 1988 (Cth), which regulates the collection, use, security and other handling of personal information and rights in respect of personal information.

  • Spam Act 2003 (Cth), which prohibits the sending of unsolicited commercial electronic messages and sets out the consent and other requirements for sending electronic messages.

  • Electronic Transactions Acts at the Commonwealth and State levels, which facilitate the use of electronic communications to formalise business and personal transactions online.

The laws above are also supplemented by regulations that contain details to assist the implementation of the legislation.

2. What legislative bodies are responsible for passing legislation in this area? What regulatory and industry bodies are responsible for passing regulations and codes in this area?

Legislation in Australia, including any legislation dealing with online business must be passed by the relevant Parliament (whether Federal or State Parliament). For example, Commonwealth laws can only be made, amended, repealed or replaced if a bill has been passed by both houses of Federal Parliament and has been given royal assent by the Governor-General.

A number of regulatory bodies also have the power to introduce industry codes, guidelines or standards, which may be enforceable or may rely on self-regulation. For example, the Communications Alliance, which acquired responsibility for the industry codes and core responsibilities of the Internet Industry Association in 2014, provides a forum for Australian communications industry participants to contribute to policy development and debate. The Communications Alliance, through industry review and seeking public comment, develops a range of:

  • Codes that define good industry practice, which are often enforceable by the relevant Australian government regulator.

  • Guidelines, with which compliance is voluntary.

  • Standards.

The role of regulatory bodies is to investigate possible breaches of the law and to enforce the relevant legislation (and, where applicable, any industry codes) that falls within the scope of its powers. By way of example:

  • The Privacy Act 1988 (Cth) is enforced by the Office of the Australian Information Commissioner.

  • The Spam Act 2003 (Cth) is enforced by the Australian Communications and Media Authority (ACMA).

If a regulator has an interest in a particular area, it can propose or advocate for legislative amendments or new legislation to deal with any concerns. Regulators are also given certain powers to develop, register and/or enforce industry standards and codes.


Setting up a business online

3. What are the common steps a company must take to set up an existing/new business online?

When starting an online business, the following steps must be taken:

  • Selecting and establishing the appropriate business model (such as incorporating a company or forming a partnership).

  • Obtaining registrations necessary for the business, whether specific to the industry in which the business will operate (for example, financial service providers require an Australian Financial Services Licence), or general registration requirements such as registration for goods and services tax, workers compensation polices and any payroll tax registrations (if applicable).

  • Protecting the business, (for example, through insurance cover, registering trade marks or implementing a data security system).

  • Acquiring assets to conduct the business, (such as, domain name licences, hosting agreements, any raw materials to be used in production and any stock to be sold by the business.

  • Establishing an accounting system and record keeping procedure to ensure compliance with applicable laws and to maintain a verifiable record of transactions.

  • Engaging support and assistance for establishing and maintaining the business, such as the services of employees or contractors to assist with the day-to-day operation of the business and legal and accounting services for advice in connection with all aspects of the business.

4. What are the relevant types of parties that an online business can expect to contract with?

Depending upon the nature of the business conducted, in its early stages, an online business can expect to contract with:

  • Web service providers, such as for the design, development and hosting of a website.

  • Content providers, where the content to be displayed on the relevant website is owned by a third party. Third-party content must be licensed.

  • Merchant facility providers and other online payment platforms, where the online business will be accepting payments online.

  • Landlords or licensors for the use of any premises.

  • Employees and contractors for services provided on behalf of the business.

  • Suppliers to the business, for stock or distribution of other goods.

  • Customers of the business.

If the online business intends to use a standard form consumer contract for its dealings with customers, the business must obtain advice to ensure the contract does not contain unfair terms. Under the Australian Consumer Law, an unfair term in a standard form consumer contract is void.

5. What are the procedures for developing and distributing an app?

To develop and distribute an app, an online business should:

  • Consider the desired design and functionality of the app.

  • Enlist the services and support required to build and deliver the app.

  • Ensure appropriate contracts are in place, both for the app developers and users of the app.

  • Review data collection processes and storage of personal information and the privacy policy of the business.

  • Determine the distribution channels for the app, such as whether the app is to be made available through a third party app store.

The key issues to consider when entering into an app developer agreement include:

  • Confidentiality.

  • Timing for delivery of the app and ongoing support.

  • Any third party content and/or software that is to be used (and obtaining appropriate licences).

  • Ownership of intellectual property rights in the app, including the source materials and any developer intellectual property rights.

  • Acceptance testing and assistance with obtaining the approval of any third party app store (if applicable).


Running a business online

Electronic contracts

6. Is it possible to form a contract electronically? If so, what are the requirements for electronic contract formation? Please comment on the enforceability of click-wrap, browse-wrap and shrink-wrap contracts.

Under the Commonwealth Electronic Transactions Act and the corresponding legislation in the States and Territories, a transaction is not invalid simply because it took place wholly or partly by means of electronic communications. In light of this, it is possible to form a contract electronically.

The requirements for electronic contract formation are the same as the requirements for hard copy contract formation:

  • A valid offer made by one party to another.

  • Unconditional acceptance of the offer by the other party.

  • An intention by all parties to be legally bound by the contract.

  • Valuable consideration for the promises made in the contract.

  • Certainty as to the terms of the contract.

If the formation of any click-wrap, browse-wrap or shrink-wrap contracts complies with the above requirements relating to hard copy contract formation, the click-wrap, browse-wrap or shrink-wrap contract will be valid and enforceable.

Where a cooling-off period applies to a particular type of contract, this period will be imposed regardless of how the contract is formed.

7. What laws govern contracting on the internet?

The Commonwealth Electronic Transactions Act and the corresponding legislation in the States and Territories govern electronic transactions and provide for contracts transacted electronically to be legally enforceable as written contracts.

8. Are there any limitations in relation to electronic contracts?

The contracts that must be in writing to be binding include:

  • Credit contracts and consumer leases, such as contracts supplying credit or consumer mortgages.

  • Contracts for the sale of land, or any interest in or concerning land.

  • Contracts for the sale of second hand motor vehicles by dealers.

  • Unsolicited consumer agreements, such as door-to-door sales.

Practical issues can also arise where formation of the contract requires signatures to be witnessed, which is the case with most deeds in New South Wales.

9. Are there any data retention requirements in relation to personal data collected and processed via electronic contracting?

Any personal data collected and processed via electronic contracting must be retained and handled in accordance with the Privacy Act 1988 (Cth). For example, Australian Privacy Principle 11 requires certain entities to take measures to ensure the security of personal information and to actively consider whether they are permitted to retain such personal information.

Under the Commonwealth Electronic Transactions Act (and the corresponding legislation in the States and Territories), if a written document (such as an electronic contract) is to be retained for a particular period, the requirement is taken to have been met if all of the following apply:

  • The method of generating the electronic contract provides a reliable means of assuring the maintenance of the integrity of the information contained in the document.

  • At the time of the generation of the electronic contracts, it was reasonable to expect that the information contained in it would be readily accessible so as to be usable for subsequent reference.

  • The electronic form of the document is retained on a particular kind of data storage device, if required by relevant regulations.

10. Are there any trusted site accreditations available?

Certification is available to Australian businesses in accordance with ISO 27001, an international Information Security Management System Standard. This specifies the requirements and processes for measuring, planning, implementing, maintaining, reviewing and improving an organisation's information security performance and management system. A number of consultancy services are available to assist businesses with meeting the requirements of ISO 27001.

Certain private organisations also provide trusted site accreditations based on verification procedures and the payment of a fee. The verification procedures are determined by the organisation and can include matters such as an assessment of business registration and location, communication channels and payment processes.

11. What remedies are available for breach of an electronic contract?

The remedies available for breach of a contract apply generally, and are determined by:

  • The nature of the contract.

  • Any remedies specified in the contract.

  • The nature of the breach.

The remedies sought by a party to the contract can include termination of the contract or damages in connection with the breach. These remedies are available regardless of whether the relevant contract was formed electronically or not.


12. Does the law recognise e-signatures? To what extent and when are e-signatures used in electronic contracting? Are they required in most transactions, or very few?

In Australia e-signatures are regarded as a subset of electronic signatures. While detailed e-signature legislation does not exist, e-signatures are a valid means of executing contracts. However, issues may arise if evidence is required to confirm the identity of the person signing and their intention to be bound by the content of contract.

If the document or transaction is subject to the laws of a jurisdiction in Australia, the Electronic Transactions Acts (ETAs) (that have been enacted as mirror legislation at the Commonwealth level and in each State and Territory) will recognise the e-signatures.

Applicable legislation

The ETAs are:

  • Commonwealth: Electronic Transactions Act 1999.

  • Australian Capital Territory: Electronic Transactions Act 2001.

  • New South Wales: Electronic Transactions Act 2000.

  • Northern Territory: Electronic Transactions (Northern Territory) Act.

  • Queensland: Electronic Transactions (Queensland) Act 2001.

  • South Australia: Electronic Transactions Act 2000.

  • Tasmania: Electronic Transactions Act 2000.

  • Victoria: Electronic Transactions (Victoria) Act 2000.

  • Western Australia: Electronic Transactions Act 2011.

Definition of e-signatures

The term "e-signature" is not defined in the ETAs. The legislation instead specifies the circumstances in which the requirement to obtain the signature of a person will be taken to have been met in relation to an electronic communication.

Format of e-signatures

Rather than prescribing the format of an e-signature, the person receiving the e-signature can consent to any method or format that identifies the signee and is reliable in the circumstances. The ETAs provide that where, under a law of the relevant jurisdiction, the signature of a person is required, the requirement is taken to have been met in relation to an electronic communication if all of the following applies:

  • Identity: a method is used to identify the person and to indicate the person's intention in respect of the information communicated.

  • Reliability: the method used is either reliable and appropriate for the purpose for which the electronic communication was generated or communicated, or fulfils the functions described in ''Identity'' above as proven by itself or together with further evidence.

  • Consent: the person to whom the signature is required to be given consents to that requirement being met by the use of the relevant method.

13. Are there any limitations on the use of e-signatures?

Even where use of an e-signature is permitted, practical limitations can arise where the:

  • Person to whom the signature is being given does not consent to the signature requirement being met, by the method used.

  • Execution of the document (particularly where the document is a deed) must be witnessed.

  • The Electronic Transactions Acts only operate to permit an e-signature and do not expressly apply to overcome or facilitate any requirement to have another party witness the signature.


Implications of running a business online


Cyber security/privacy protection/data protection

14. Are there any laws that regulate the collection or use of personal data? To whom do the data protection laws apply?

The Privacy Act 1988 (Privacy Act) is the key Australian legislation that regulates the collection, storage, use, disclosure, security and disposal of personal information, and the access to and correction of that information. The Privacy Act applies to the handling of personal information by most Australian Government agencies, private sector organisations with an annual turnover more than AUD$3 million and certain small business operators (that is, organisations with a turnover of AUD$3 million or less), such as health service providers, credit reporting bodies and businesses that have opted-in to the Privacy Act.

Privacy and data protection laws are also contained in other Commonwealth, State and Territory legislation and may apply depending on the type of:

  • Entity.

  • Business that is operated.

  • Information that is collected.

  • For example, ISPs and telephone service providers are also required to comply with the privacy protection provisions of the Telecommunications Act 1997 (Cth) and the Telecommunications (Interception) Act 1979 (Cth).

For further information on data protection laws in Australia, see Data Protection in Australia: overview.

15. What data is regulated?

The Privacy Act regulates the handling of "personal information". This is defined as any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is:

  • True or not.

  • Recorded in a material form or not.

The Privacy Act does not regulate business data or any other information that does not identify an individual or from which an individual is not reasonably identifiable.

16. Are there any limitations on collecting or using personal data? Are there any specific limitations on storage of personal data in the cloud?

The Privacy Act contains 13 Australian Privacy Principles (APPs) that regulate the handling of personal information generally, including the collection and the use or disclosure of such information. When collecting personal data, an APP entity (as defined in the legislation) must:

  • Have a clearly expressed and up to date policy containing prescribed information.

  • Not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity's functions or activities (where the APP entity is an "agency" under the legislation).

  • Not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the entity's functions or activities (where the APP entity is an "organisation" under the legislation).

  • Only collect personal information by lawful and fair means.

  • Only collect information about an individual from that individual, unless an exception applies.

  • Take such steps (if any) as are reasonable in the circumstances to notify the individual of certain matters, such as the:

    • identity and contact details of the APP entity;

    • purposes for which the information is collected; and

    • main consequences (if any) for the individual if all or some of the personal information is not collected.

Additional rules apply in relation to "sensitive information", which is information that is considered to be ''personal information'' and that also contains, without limitation:

  • Health information about an individual.

  • Information or an opinion about an individual's racial or ethnic origin.

  • Political opinions.

  • Religious beliefs or affiliations.

  • Sexual orientation or practices.

An APP entity must not collect sensitive information about an individual unless one of the following applies:

  • The individual consents.

  • The information is reasonably necessary for, or (in some cases) directly related to, one or more of the entity's functions or activities and certain other specified conditions apply.

The legislation does not contain specific limitations on the storage of personal data in the cloud. General security obligations apply, (regardless of where the information is stored), requiring the APP entity to take reasonable steps in the circumstances to protect the information from misuse, interference and loss, unauthorised access, modification or disclosure.

17. Is the use of cookies allowed? If so, what conditions apply to their use that impact system design?

The use of cookies is permitted in Australia. Australia does not currently have laws requiring specific consent to the use of cookies.

While cookies do not typically contain personal information, in the event that a cookie does contain personal information or can be combined with other information so that it could reasonably be used to identify an individual, the use of the cookie may be subject to compliance with the Privacy Act.

18. What measures must be taken by contracting companies or the internet providers to guarantee the security of internet transactions?

If an internet transaction involves the collection, disclosure or transfer of personal information by an APP entity (as defined in the Privacy Act 1988 (Cth)), Australian Privacy Principle 11 (see Question 16) will apply. This requires the APP entity to take reasonable steps in the circumstances to protect the information from:

  • Misuse.

  • Interference and loss.

  • Unauthorised access.

  • Modification.

  • Disclosure.

If the internet transaction involves accepting, processing, transmitting or storing cardholder data in connection with a debit or credit card transaction, the online business must comply with the Payment Card Industry Data Security Standards (PCI-DSS). PCI-DSS compliance is expected of all Australian business, regardless of their size.

19. Is the use of encryption required or prohibited in any circumstances?

The use of encryption is not mandatory for all online businesses. However, it may be required within a particular industry or as a pre-requisite to providing services to certain customers (such as Government bodies).

The Telecommunications Act requires carriage services providers (CSPs) (such as internet service providers), to be able to encrypt, format and decrypt communication passing over the CSP's network or facility, in accordance with an interception warrant under the Telecommunications (Interception) Act 1979. CSPs are not responsible for decrypting communications that have been encrypted by a user or by an over-the-top communications provider.

20. Can government bodies access or compel disclosure of personal data in certain circumstances?

A vast number of government bodies and regulators have the power to access or compel the disclosure of information related to its monitoring, regulation and/or enforcement activities. The rights of these government bodies and regulators are typically contained in legislation, setting out their roles, functions and powers. For example, under section 49(3) of the Australian Securities and Investments Commission Act 2001 (Cth), if the Australian Securities and Investments Commission (ASIC) reasonably suspects or believes that a person or business can give information relevant to a prosecution for an offence, the ASIC can order the individual or business to give all reasonable assistance (including the provision of personal information) in connection with the prosecution. Failure to comply with this notice is an offence.

In addition, the Australian Privacy Principles (APPs) contained in the Privacy Act provide that an APP entity (as defined in the Privacy Act 1988 (Cth)) can use or disclose personal information where it reasonably believes that the use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body. Under the Privacy Act, enforcement related activities include the prevention, detection, investigation and prosecution or punishment of criminal offences and intelligence gathering activities. A list of enforcement bodies is specified in the Act and includes government bodies that are responsible for policing, criminal investigations, and administering laws to protect the public revenue or to impose penalties or sanctions, such as the Australian Federal Police, Customs, the Immigration Department, and the Australian Securities and Investments Commission.

21. Are there any regulations in relation to electronic payments?

The ePayments Code (Code) regulates consumer electronic payments in Australia such as:

  • ATM.

  • EFTPOS and credit card transactions.

  • Online payments.

  • Internet and mobile banking.

  • BPAY.

The Code provides a consumer protection regime for payment facilities by requiring effective disclosure of information to enable consumers to make informed decisions about:

  • Electronic payment facilities.

  • Rules for allocating liability for unauthorised transactions.

  • A complaints resolution procedure.

  • Compliance reporting obligations for subscribers.

The Code is a voluntary code of practice monitored by the Australian Securities and Investments Commission but most banks, credit unions and building societies subscribe to it.

22. If the site is aimed at children, are there any specific rules or guidance that apply?

There are no specific rules or guidance that may apply generally if a site is aimed at children. However, there are laws that apply to determine the legal age which varies from state to state.



23. Are there any limitations on linking to a third party website and other practices such as framing, caching, spidering and the use of metatags?

Linking is generally acceptable and will not infringe copyright associated with the linked website or material. However, it is prudent to exercise care when deep-linking or framing to ensure that:

  • It is clear to a user that he is accessing third party content and third party material.

  • Any third party material is appropriately attributed.

  • Any notices or conditions applying to the third-party material are communicated to the user.

The Copyright Act does permit the copying or reproduction of copyright material for the purposes of caching or indexing, in limited circumstances, such as:

  • Allowing a temporary reproduction as part of the ''technical process of making or receiving a communication'' (sections 43A and 111A, Copyright Act).

  • Allowing a carriage service provider (or a system or network controlled or operated by it), to reproduce copyright material through an automatic process, in response to an action by a user to facilitate efficient access to that material by that user or other users (section 116AB, Copyright Act).

While the use of third party trade marks as part of a business' search engine optimisation strategy is an emerging area of law, early decisions of Australian courts indicate that trade mark infringement will not occur if a trade mark is used as a metatag.


Domain names

24. What regulations are there in relation to licensing of domain names?

.au Domain Administration Ltd (auDA) is the authority responsible for developing, administering and enforcing policies dealing with the registration of .au domain names and the operation of the Australian domain industry.

Under the current Domain Name Eligibility and Allocation Policy Rules for Open Second Level Domains (Policy Rules), domain name licences are allocated on a ''first come, first served'' basis. It is not possible to pre-register or reserve a domain name and registering a domain name for the sole purpose of resale or transfer to another entity is prohibited. The Policy Rules specify that the domain name licence period is fixed at two years. There are restrictions on the composition of domain names and a reserved list of names that cannot be licensed.

The eligibility and allocation rules that apply specifically to domain names include:

  • The registrant must be Australian (such as, an Australian registered company or a foreign company licensed to trade in Australia) or must be the owner or, or applicant for, an Australian registered trade mark.

  • The domain name must be an exact match, abbreviation or acronym of the registrant's name or trademark, or must otherwise be of ''close and substantial connection'' to the applicant.

25. Do domain names confer any additional rights (in relation to trade marks or passing off) beyond the rights that are vested in domain names?

The registration of a domain name does not confer proprietary rights in the domain name. Registration gives the licence holder the right to use that domain name for two years, subject to the applicable terms and conditions.

Registering a domain name also does not give any ownership rights over the name or words used in the domain name.

26. What restrictions apply to the selection of a business name, and what is the procedure for obtaining one?

In Australia, business names, company names and trade marks are used for different purposes and require different types of registration.

When registering a company, the entity is required to select a name. Provided the name is not identical to an existing company name and does not contain any restricted words (where the approval of a specified minister or government agency has not already been obtained), the name can be registered with the Australian Securities and Investments Commission (ASIC). It is also possible to reserve a company name prior to registering the company.

A trader (whether an individual, company or other business) should register a business name in Australia if it wishes to trade under a name that is not its own name. For example, a sole trader with the name Amy Sutton can trade using the name, "Amy Sutton", but must register a business name if she wishes to trade as, "Amy Sutton Consulting." Similarly, a company with the name Sutton & Co Consulting Pty Ltd can trade as, "Sutton & Co Consulting" but must register a business name if it wishes to trade using an abbreviation of the company name, "Sutton & Co".


Jurisdiction and governing law

27. What rules do the courts apply to determine the jurisdiction for internet transactions (or disputes)?

When determining the jurisdiction for internet transactions or disputes, the courts can have regard to a range of factors including, without limitation:

  • Whether the terms of any agreement giving effect to the transaction or giving rise to the dispute specify the governing laws and jurisdiction.

  • The location of the parties.

  • The jurisdiction in which the contract was formed or where the transaction, publication or alleged breach occurred.

An online business can nominate the jurisdiction for an internet transaction or dispute. However, Australian case law suggests that this will not always be enforceable as the courts will have regard to the location of the parties and where the publication of information pertaining to the dispute occurred. The landmark case, Dow Jones and Company Inc v Gutnick [2002] HCA 56, was the first time that an ultimate court of appeal anywhere in the world considered the issue of territoriality and the Internet as a general issue. The majority judgement of the High Court of Australia concluded that, in the context of defamation proceedings commenced by Mr Gutnick, the publication of defamatory material will be deemed to have taken place at every point at which the material is communicated to, or comprehended by, the recipient. As a result, Dow Jones' argument that Victoria was not the appropriate jurisdiction for the proceedings failed.

28. What rules do the courts apply to determine the governing law for internet transactions (or disputes)?

The courts can have regard to a range of factors when determining the governing law for internet transactions or disputes, such as:

  • Laws of the location of the parties.

  • Whether the parties have agreed to the governing law in any contract.

  • The location where the relevant dispute arose or the alleged breach occurred.

The principles applied when determining the governing law for internet transactions (or disputes) are the same as the principles that would be applied for transaction or disputes arising offline (such as contracts transactions concluded by post). For example, in circumstances where an entity is deemed to be carrying on business in Australia, it may be subject to the laws in place in Australia (whether at Commonwealth or State level), even if the entity does not have a physical presence in Australia. In ACCC v Chen [2002] FCA 1248 the Federal Court applied the provisions of the Trade Practices Act 1974, (which has since been replaced by the Australian Competition and Consumer Act 2010) to a website that had purported to be the official booking site of the Sydney Opera House. While the website (and associated sites) were hosted and operated overseas, the Federal Court was satisfied that it could assume jurisdiction as the misrepresentation and the basis for the cause of action occurred in Australia.

29. Are there any alternative dispute resolution/online dispute resolution (ADR/ODR) options available to online traders and their customers? What remedies are available from the ADR/ODR methods? Are there any requirements to notify customers of the availability of these methods?

Except in relation to domain name registration disputes (which, where the dispute relates to .au registrant eligibility are handled by the Australian Domain Name Administrator), Australia does not have in place a regime or ADR body that specifically deals with online traders and their customers.

Therefore, the alternative dispute resolution options and remedies that are available to online traders and their customers in Australia are the same as those available for offline transactions and disputes. A specialist dispute tribunal, or a small claims tribunal, is available in most States and Territories in order to resolve a wide range of everyday disputes. The following tribunals can be used by consumers to resolve disputes about the supply of goods and services ordered online:

  • The ACT Civil and Administrative Tribunal.

  • The New South Wales Civil and Administrative Tribunal.

  • Northern Territory Magistrates Court.

  • Queensland Civil and Administrative Tribunal.

  • South Australia Magistrates Court.

  • Magistrates Court of Tasmania.

  • Victorian Civil and Administrative Tribunal.

  • Magistrates Court of Western Australia.

When submitting an application to a tribunal, the applicant must nominate the type of orders sought from the tribunal. These orders can include payment of a monetary amount, the delivery of goods, or other orders which may be specified by the applicant.



30. What are the relevant rules on advertising goods/services online/via social media?

The rules applicable to advertising goods, services online and via social media, and conducting trade promotion lotteries online, are the same as those that apply offline. All advertising and promotions must comply with the Australian Consumer Law, which states that businesses (including online businesses) must not:

  • Engage in unconscionable conduct in relation to consumers.

  • Engage in conduct that is misleading, deceptive, or likely to mislead or deceive.

  • Make a false or misleading representation about the existence, exclusion or effect of any condition, warranty or guarantee of goods.

  • Incorrectly display or advertise the price, including by failing to give a single price where the minimum amount payable for the relevant goods or services (inclusive of all quantifiable taxes, fees and other amounts) is known to the trader.

  • Make false representations as to a range of matters including, without limitation, standards, quality, price, performance characteristics, sponsorship approval or affiliation or endorsements.

  • Make misleading or false claims about the country of origin of any goods.

The above list is not exhaustive and additional restrictions and prohibitions may apply.

If conducting a trade promotion lottery, whether on a business' own website or via social media, the business is responsible for obtaining any necessary permits and for otherwise ensuring that the promotion complies with the laws of the jurisdictions in which the promotion is being conducted.

When advertising online or via social media, it is of particular importance to ensure that any disclaimers, limitations or special terms and conditions are clearly communicated to consumers. Limitations on the size of an advertisement (such as a banner ad) or the number of available characters (such as in a tweet) will not remove or reduce the obligations that exist at law and may increase risk to the online trader.

31. Are there any types of services or products that are specifically regulated when advertised/sold online (for example, financial services or medications)? 

Regulations and guidelines apply to the advertising and sale of certain goods and services generally including, without limitation:

  • Financial products and services.

  • Certain health services.

  • Prescription medication.

  • Tobacco and alcohol.

Certain licensing and regulatory authorities also impose conditions on the advertising of certain goods and services, whether advertised online or offline. For example, in relation to the advertising of therapeutic goods (medicines and medical devices), advertisements must comply with the Therapeutic Goods Act 1989 (Cth), the Therapeutic Goods Regulations 1990 (Cth) and the Therapeutic Goods Advertising Code. These legislative instruments ensure, among other things, that prescription medicines are only advertised to health professionals. Only non-prescription medicines (such as over the counter and non-prescription complementary medicines) can be advertised to consumers.

Licensees, or online businesses that operate within a regulated industry, must check with the relevant licensing or regulatory authority prior to engaging in any advertising, marketing or transactions.

32. Are there any rules or limitations in relation to text messages/spam emails?

Unsolicited commercial electronic messages (such as text messages and e-mails) are prohibited. Commercial electronic messages must (Spam Act 2003 (Cth)):

  • Only be sent with the consent of the recipient (whether express or inferred).

  • Contain a functional unsubscribe facility that is presented in a clear and conspicuous way and remains functional for at least 30 days after the original message was sent.

  • Clearly and accurately identify the individual or organisation that authorised the sending of the message and provide accurate information about how the recipient can contact the sender.

33. Are there any language requirements in your jurisdiction for a website that targets your particular jurisdiction or whose target market includes your jurisdiction?

There are no specific language requirements in Australia for a website that targets Australian residents or whose target market includes Australia.



34. Are sales concluded online subject to taxation?

A broad-based consumption tax called the Goods and Services Tax (GST) is imposed on certain goods and services supplied in Australia.

Sales of goods and services concluded online often constitute a taxable supply and will be subject to taxation under the GST legislation, unless they are GST-free or input-taxed.

An online business makes a taxable supply if all of the following applies:

  • The sale is made for consideration, including payment of some kind.

  • The sale is made in the course of operating an enterprise that its carries on.

  • The sale is connected with Australia.

  • The business is registered, or required to be registered, for GST.

GST amounts collected by an online business must be remitted by the business to the Australian Taxation Office, subject to any input tax credit entitlements of the business.

35. Where and when must online companies register for VAT and other taxes? Which country's VAT rate will apply?

Any business that holds an Australian Business Number (ABN) can register for Goods and Services Tax (GST).

It is mandatory for an online business to register for GST if both of the following apply:

  • It carries on an ''enterprise'', as defined under A New Tax System (Goods and Services Tax) Act 1999 (Cth).

  • Its GST turnover meets the registration turnover threshold (currently AUD$75,000 or more for most businesses, and AUD$150,000 or more for non-profit organisations).

The GST turnover of a business is determined by calculating its gross business income excluding GST for either the 12 months leading up to the current month (current GST turnover) or the 12 months starting with the current month (projected GST turnover).

The online business must register for GST within 21 days of reaching the turnover threshold and must hold an ABN in order to register. Applications for an ABN and for GST registration are made to the Australian Taxation Office.


Protecting an online business

Liability for content online

36. What laws govern liability for website content?

A number of laws govern liability for website contents, including but not limited to:

  • The Copyright Act, in respect of any third-party content that is reproduced or other material that may constitute an infringement of copyright.

  • The Australian Consumer Law, for example, in respect of any misleading or deceptive conduct, or the failure to provide a total price.

Laws and regulations that apply in an offline environment will apply equally to a website and associated content.

37. What legal information must a website operator provide?

Under the Corporations Act, the name and the Australian Company Number (ACN) of a website operator must be included in all public documents (such as websites and e-mails) and eligible negotiable instruments. The ACN is a unique 9-digit identifier that is issued by the Australian Securities and Investments Commission (ASIC) when a company is incorporated. The ACN does not change throughout the company's life and remains the same even if the company name changes.

A company can use the Australian Business Number (ABN) (see Question 34) with the company name in place of the ACN, provided that the following applies:

  • The ABN includes the company's nine digit ACN.

  • The quotation of the ABN is effected in the same manner that the quotation of the ACN would normally occur.

Where a company or business is subject to the Privacy Act 1988, it must also provide a privacy policy (which must comply with the requirements of the Privacy Act).

38. Who is liable for the content a website displays (including mistakes)?

Generally, the operator of a website will be liable for the content displayed on that website, even where the content has been provided by a third party, such as through a blog or other facility. In light of this, it is prudent for a website operator to:

  • Display clear terms of use and appropriate disclaimers.

  • Actively monitor any content that is submitted by third parties.

  • Where possible, provide a function for users to report any content that may be obscene, defamatory, unlawful or otherwise inappropriate.

  • Promptly remove any content and/or suspend any user that is in breach of the terms of use.

39. Can an internet service provider (ISP) shut down a website, remove content, or disable linking due to the website's content and without permission?

The internet service provider (ISP) is not under any obligation to shut down a website, remove content, or disable linking due to the website's content without permission. However, these obligations can be provided for in the ISP's terms of service.

In early 2015, the Copyright Amendment (Online Infringement) Bill 2015 (Cth) was introduced to amend the Copyright Act 1968 (Cth). It enables a copyright owner to apply to the Federal Court for an injunction requiring a carriage service provider to take reasonable steps to block access to overseas websites that have the primary purpose of providing users with access to material which infringes copyright. However, this new mechanism is not available for websites in Australia, so potential applicants must assess whether their website is aimed at customers outside Australia.

Australian government agencies also have the power to compel ISPs to block certain websites where the Commonwealth government agency or the State or Territory government agency considers it reasonably necessary for the purpose of (section 313, Telecommunications Act 1997 (Cth)):

  • Enforcing the criminal law and laws imposing pecuniary penalties.

  • Assisting the enforcement of the criminal laws in force in a foreign country.

  • Protecting the public revenue.

  • Safeguarding national security.


Liability for products / services supplied online

40. Are there any rules that might apply to products or services supplied online?

While detailed legislation relating to products or services supplied online does not exist in Australia, all products that are supplied in Australia (whether online or not) must be safe and must meet the consumer guarantees under the Australian Consumer Law (ACL). The consumer guarantees are automatic guarantees for the benefit of a consumer whenever he or she purchases products or services.

Businesses must guarantee the products and services they sell, hire or lease where the value of those products or services is:

  • Under US$40,000.

  • Over US$40,000, if they are normally acquired for personal or household use.



41. How should an online business be insured?

Insurance requirements are determined by the type of business operated by the online business, which must obtain advice as to the kind and level of protection it requires based on its own business type and needs. Generally, insurance options available to businesses consist of:

  • Liability insurance, which may include options such as professional indemnity, product liability and public liability.

  • Asset and revenue insurances, which may include options such as business interruption, general property, portable and valuable items, electronic equipment, goods in transit theft and burglary and personal accident.

Certain forms of insurance are also mandatory. For example, if the online business employs any person in Australia, workers compensation obligations must be satisfied in accordance with the regulations in place in the State or Territory in which each person is employed.



42. Are there any proposals to reform digital business law in your jurisdiction?

Laws relating to digital business are in an active and regular period of reform. By way of example, reviews and reforms are currently being considered in relation to online copyright infringement and in September 2014, a report of the Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era (ALRC Report 123), was tabled, proposing that a new statutory cause of action be implemented in a new stand-alone Commonwealth Act.


Online resources


Description. ComLaw contains the full text of all Australian government legislation (Commonwealth) and associated instruments. Content is sourced from more than 70 separate agencies.


Description. These are the official Government websites for online publication of legislation in each State and Territory. Content is provided and maintained by the Parliamentary Counsel's Office for that State or Territory, or the equivalent authority.


Description. AustLII is an online free-access resource for Australian legal information. AustLII is a joint facility of the UTS and UNSW Faculties of Law.

Contributor profile

Bridget Edghill, Senior Associate

Bird & Bird

T +61 2 9226 9888
F +61 2 9226 9899

Professional qualifications. Supreme Court of New South Wales, Solicitor; High Court of Australia, Solicitor

Areas of practice. Commercial; corporate; technology; media and communications.

{ "siteName" : "PLC", "objType" : "PLC_Doc_C", "objID" : "1248278771085", "objName" : "Digital Business in Australia overview", "userID" : "2", "objUrl" : "", "pageType" : "Resource", "academicUserID" : "", "contentAccessed" : "true", "analyticsPermCookie" : "2-3b01f5d1:15b13821225:723", "analyticsSessionCookie" : "2-3b01f5d1:15b13821225:724", "statisticSensorPath" : "" }