
Australia Privacy Act App Requirements: A Pre-Launch Overview for Indie Builders

A plain-English guide to Australia Privacy Act app requirements for indie devs: the APPs, the ACL, online safety, and accessibility checks.

Updated 2026-06-19
Signals, not a verdict

If you ship an app or run an online store and any of your users are in Australia, you are inside Australia's digital-rules perimeter, even with no entity there. The privacy regime in particular reaches some overseas businesses that "carry on business in Australia." You do not need a law firm to begin; you do need to know which areas to look at before you point Australian traffic at a launch.

This is a practical orientation, not a complete legal map. It walks through the four areas an indie app most often hits — the Privacy Act 1988 and the Australian Privacy Principles (APPs), the Australian Consumer Law (ACL), online safety and rules affecting children, and accessibility — and, for each, points to the LaunchTrust check that surfaces the related signal. It is deliberately non-exhaustive: depending on your product you may also face the Spam Act, sector rules, or state-level requirements not covered here.

The Privacy Act 1988 and the Australian Privacy Principles

Australia's core privacy law is the Privacy Act 1988, built around the Australian Privacy Principles (APPs) and overseen by the Office of the Australian Information Commissioner (OAIC). The APPs cover the life cycle of personal information: open and transparent handling (APP 1), notice at collection (APP 5), security (APP 11), and rights of access and correction (APPs 12–13). APP 1 specifically asks for a clearly expressed, up-to-date privacy policy available free of charge. And the Act can reach organisations outside Australia with an "Australian link" — broadly, carrying on business there and collecting personal information — so an app listing that reaches Australian users can pull you into scope.

For a launching indie, the two most visible signals are a reachable privacy policy and a route for users to access, correct, or delete their information.

A detected privacy policy is only a signal that a linked document exists. It does not confirm the policy covers the APP-expected content (what you hold, your purposes, overseas disclosure, how to complain) or that your handling matches what it says.

The Australian Consumer Law and selling online

If you sell to Australian consumers — paid apps, subscriptions, downloads, or physical goods — the Australian Consumer Law (ACL) in Schedule 2 of the Competition and Consumer Act 2010, administered by the ACCC, sets the rules. Two areas matter most for indies. First, the ACL prohibits misleading or deceptive conduct and false representations, so pricing, claims, and "free trial" framing must be accurate. Second, it provides automatic consumer guarantees (such as acceptable quality and fitness for purpose) you cannot contract out of, which can apply to digital products.

Subscriptions get particular attention: the price after any intro period, renewal terms, and how to cancel should be clear before purchase. Australia has no single fixed "cooling-off" model for digital sales, but unclear or hard-to-cancel subscriptions can raise misleading-conduct concerns, so transparency is the safe default.

Online safety and rules affecting children

Two threads matter here. First, Australia's Online Safety Act 2021, administered by the eSafety Commissioner, sets expectations for online services around harmful content and user safety, including industry codes and Basic Online Safety Expectations. Second, reforms to the Privacy Act have moved toward a Children's Online Privacy Code and stronger expectations for services likely to be accessed by children. Exact obligations depend on your service and continue to evolve, so treat this as an area to watch rather than a fixed checklist.

The practical first question is the one other child-protective regimes ask: is my service likely to be accessed by under-18s, and if so, do I know a user's age before applying adult-level data practices? That is where age assurance comes in.

A detected age gate is only a starting signal. Whether assurance is needed, and how robust it must be, is a product-and-risk judgment — not something a scan can decide for you.

Accessibility

Australia has no single "web accessibility statute," but the Disability Discrimination Act 1992 (DDA) makes it unlawful to discriminate in providing goods, services, and facilities, and that prohibition has long been read to cover websites and apps. Guidance points to the Web Content Accessibility Guidelines (WCAG) as the practical standard, and government services are expected to meet WCAG levels. For a private indie app, treating WCAG as your target is the defensible approach.

Several WCAG basics are observable on a public page, which is where a scan can help.

These are entry-level signals. Full WCAG conformance also depends on keyboard operability, color contrast, and dynamic behavior a quick scan does not measure.

What LaunchTrust checks for Australia

LaunchTrust does not assess "Australian readiness" as a whole — no scanner can, and this overview is not legal advice. It fetches your public pages as an anonymous visitor and reports observable signals an Australia-minded reviewer would look for first: whether a privacy policy and a data access / deletion route appear present; whether refund/cancellation, subscription, and contact information is reachable; whether an age gate is visible; and whether accessibility basics — alt text, form labels, page language and title — are present.

Every result is a signal: detected, not detected, or unable to determine. It is never a verdict. "Detected" means the wording or markup is on the page; it does not confirm the item satisfies the APPs, the ACL, the DDA, or any other Australian rule for your specific product.

A concrete example

Here is the APP-1-relevant pattern a scan can flag. The footer claims a privacy policy, but the link is a placeholder that goes nowhere reachable:

<!-- footer references a policy... -->
<a href="#">Privacy Policy</a>

<!-- ...but the real document 404s or sits behind a login -->
<!-- GET /privacy -> 404 REDACTED -->

A reviewer reads this as "privacy policy referenced, but not detected as reachable" — the gap APP 1 cares about, since the policy must be available free of charge. The fix is a live, logged-out-accessible policy at a stable URL.

How to address Australian requirements

  1. Publish a clear, linked privacy policy naming the kinds of personal information you collect, your purposes, any overseas disclosure, how users access or correct data, and how to complain. Confirm it is reachable for logged-out visitors.
  2. Offer an access and deletion route users can find and use, and describe it in your policy.
  3. Keep consumer claims accurate — pricing, trial framing, and product representations should not mislead — and make subscription renewal and cancellation terms transparent before purchase.
  4. Assess whether children are likely to access your service. If so, plan age assurance and child-protective defaults proportionate to the risks, and track evolving online-safety obligations.
  5. Target WCAG — add alt text to informative images, label every form field, and set a page language and a meaningful title.
  6. Re-scan and verify each signal flips to detected, then check the behavior yourself in a logged-out session.
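To make the footer example above and steps 1, 2, 5 and 6 of this list concrete, here is a small scanner written for this page as an added illustration. It is not LaunchTrust's code, and the fixture sites (before.test and after.test), the keyword matching, and the rule that a 401/403 maps to "unable to determine" are all assumptions chosen for the example. It parses a page the way an anonymous visitor receives it, follows the privacy-policy and deletion links to see whether they actually resolve, and reports the four accessibility basics, each as a signal rather than a verdict.

```python
"""Toy trust-signal scanner, added as an illustration; it is not LaunchTrust's code."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed fixtures standing in for anonymous GETs: url -> (status, body); a missing
# url is a 404.  BEFORE: placeholder privacy link, deletion route behind a login, a logo
# with no alt attribute, an unlabelled field.  AFTER: the same page with each gap closed.
BEFORE = {
    "https://before.test/": (200, """<!doctype html><html lang="en"><head><title>Example App</title></head>
<body><img src="/hero.png" alt="Dashboard screenshot"><img src="/logo.png">
<form><label for="email">Email</label><input id="email" type="email"><input id="promo" type="text">
<input type="submit" value="Go"></form>
<footer><a href="#">Privacy Policy</a> <a href="/account/delete">Delete my data</a></footer></body></html>"""),
    "https://before.test/account/delete": (403, None),  # login wall
}
AFTER = {
    "https://after.test/": (200, """<!doctype html><html lang="en"><head><title>Example App</title></head>
<body><img src="/hero.png" alt="Dashboard screenshot"><img src="/logo.png" alt="">
<form><label for="email">Email</label><input id="email" type="email">
<label for="promo">Promo code</label><input id="promo" type="text"></form>
<footer><a href="/privacy">Privacy Policy</a> <a href="/account/delete">Delete my data</a></footer></body></html>"""),
    "https://after.test/privacy": (200, "<html><body>Privacy policy text</body></html>"),
    "https://after.test/account/delete": (200, "<html><body>Request deletion</body></html>"),
}
PLACEHOLDER_HREFS = {"", "#", "javascript:void(0)"}
NON_FIELD_INPUTS = {"hidden", "submit", "button", "reset", "image"}


class SignalParser(HTMLParser):
    # Collects the observable markup a reviewer looks at first.
    def __init__(self):
        super().__init__()
        self.lang, self.title, self.links = None, "", []  # links: (visible text, href)
        self.image_count = self.images_missing_alt = 0   # alt="" counts as present (decorative)
        self.inputs, self.labelled_for = [], set()       # (id, labelled by wrapper/aria); <label for> ids
        self._in_title, self._open_link, self._label_depth = False, None, 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "html":
            self.lang = (a.get("lang") or "").strip() or None
        elif tag == "title":
            self._in_title = True
        elif tag == "a":
            self._open_link = [a.get("href") or "", []]
        elif tag == "img":
            self.image_count += 1
            self.images_missing_alt += int(a.get("alt") is None)
        elif tag == "label":
            self._label_depth += 1
            if a.get("for"):
                self.labelled_for.add(a["for"])
        elif tag == "input" and (a.get("type") or "text").lower() not in NON_FIELD_INPUTS:
            labelled = self._label_depth > 0 or bool(a.get("aria-label") or a.get("aria-labelledby"))
            self.inputs.append((a.get("id"), labelled))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "a" and self._open_link:
            href, parts = self._open_link
            self.links.append((" ".join("".join(parts).split()), href))
            self._open_link = None
        elif tag == "label":
            self._label_depth = max(0, self._label_depth - 1)

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        if self._open_link:
            self._open_link[1].append(data)


def link_signal(page_url, links, keywords, site):
    """Classify the first link whose text mentions a keyword by where it actually leads."""
    for text, href in links:
        if not any(k in text.lower() for k in keywords):
            continue
        if href.strip().lower() in PLACEHOLDER_HREFS:
            return "not detected"           # referenced in the footer, but goes nowhere
        status, body = site.get(urljoin(page_url, href), (404, None))
        if status == 200 and body:
            return "detected"
        if status in (401, 403):
            return "unable to determine"    # exists, but not readable logged out
        return "not detected"               # 404 or other failure
    return "not detected"


def scan(page_url, site):
    # Report each signal for one public page; the dict is signals, never a verdict.
    status, body = site.get(page_url, (404, None))
    if status != 200 or not body:
        return {"page": "unable to determine"}
    p = SignalParser()
    p.feed(body)
    unlabelled = [i for i, ok in p.inputs if not ok and i not in p.labelled_for]
    return {
        "privacy_policy": link_signal(page_url, p.links, ("privacy",), site),
        "data_deletion_route": link_signal(page_url, p.links, ("delete", "erase", "my data"), site),
        "page_lang": "detected" if p.lang else "not detected",
        "page_title": "detected" if p.title.strip() else "not detected",
        "image_alt": "unable to determine" if not p.image_count
                     else "detected" if not p.images_missing_alt else "not detected",
        "form_labels": "detected" if not unlabelled else "not detected",
    }
```

Running `scan("https://before.test/", BEFORE)` reports the privacy policy as not detected (the href is a placeholder), the deletion route as unable to determine (it answers 403 to a logged-out visitor), and image alt and form labels as not detected; `scan("https://after.test/", AFTER)` reports every signal as detected, which is the "flip" step 6 asks you to confirm. Note that the scanner deliberately treats `alt=""` as present, since that is the decorative-image convention, and that a detected policy link still says nothing about whether the document covers the APP content listed in step 1.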

Check this in 30 seconds

Run your URL through LaunchTrust's free scanner. It reports whether your privacy policy, data-deletion route, refund and subscription terms, contact details, age gate, and accessibility basics are detected, not detected, or unable to determine — so you can spot a missing Australian trust signal before a user, the OAIC, the ACCC, or an app reviewer does. No signup, and it only reads the same public HTML your visitors already get.

FAQ

Do Australian rules apply to me if I'm based overseas? Often, yes. The Privacy Act can apply to organisations with an "Australian link" — broadly, carrying on business in Australia and collecting personal information there — and the ACL applies when you sell to Australian consumers. If Australian users can reach your app, these areas are commonly in scope. Confirm specifics with a qualified source.

Are the Australian Privacy Principles the same as GDPR? No — they are separate regimes with meaningful differences, though they share goals like transparency, security, and user rights. The practical groundwork overlaps, so the GDPR checklist for indie apps is a reasonable starting point, but treat the APPs and the Privacy Act 1988 as their own track.

My app isn't aimed at kids — do online-safety rules still matter? Possibly. Australia's online-safety framework and emerging children's-privacy expectations can reach services likely to be accessed by under-18s, not only those designed for them. The area is evolving, so whether it applies — and what age assurance is appropriate — is a product-and-risk judgment to keep monitoring.

Does a clean LaunchTrust scan mean my app meets Australian requirements? No. A scan surfaces observable signals on your public pages; it does not prove your app meets the Privacy Act, the APPs, the ACL, the DDA, or any other Australian rule. LaunchTrust reports signals — it is not legal advice or certification. For your specific situation, consult a qualified professional.

Compliance aid, not legal advice. LaunchTrust reports signals, not a verdict or certification.