12 Common Issues with Privacy Policies

1. Thinking a simple privacy policy template will do the job

For many small business owners, protecting the privacy of personal information just isn’t a priority. There are lots of reasons for that.

  • Not placing any value in a privacy policy or the protection of personal information
  • Not knowing what makes up personal information
  • Not realising when the business is collecting personal information
  • Not understanding what the business is doing with personal data after it’s collected
  • Thinking that publicly accessible data, like through Facebook or a website, means it’s OK to collect it
  • Not understanding the difference between privacy and confidentiality, or the importance of privacy
  • Having competing priorities – like the need to make money – that mean privacy always sits on the back burner

A template might work. It might not. If you never read it or attempt to understand it, it probably won’t help your business meet its legal obligations.

I have heard of a company that copied and pasted their privacy policy from a crematorium, without having read it. One of their customers pointed out to them that it was a little weird to read about burial when that wasn’t their business.

Are you prepared to put your credibility at risk?

If you don’t know what your obligations are, how do you know a simple template will protect your business?

2. Copying and pasting a policy from somewhere else

It is easy to check out a friend’s website or a competitor’s website and decide to simply copy and paste what they have done. A friend might even offer it. The problem with getting help from friends like that is that they probably don’t understand their own privacy policy or the legal impact it can have on your business.

I’ve even come across a business spruiking a service of theirs offering advertising through Facebook that simply linked the privacy policy of a random website they did not have any control over, not having read it, understood it or worried about the promises they were making by using that privacy policy and simply seeing it as a ‘hurdle’ to overcome to get their ads showing in as many feeds as possible. That is potentially misleading and deceptive conduct offending both privacy law and consumer law.

If you haven’t read it or don’t understand it or are looking at a website from outside your country, don’t put your business at risk by copying and pasting a privacy policy from someone else’s website.

3. Thinking a cookie policy covers privacy obligations

Having a cookie policy or a cookie choice pop up on your website doesn’t meet your obligations to protect the privacy of personal information.

Cookies may not be classified as personal information. Cookies can be functional (you won’t get full use of the website without them), performance focused (like analytics), focused on personalisation (like advertising based on your search history), or marketing focused.

Cookies are little data packets that store enough information to identify you when you return to a site for the purpose of, say, pre-filling your username or password, adjusting the display of a website, or tailoring advertising to better reflect your preferences. Cookies have to be matched with other data before they can be used to identify you, and the information stored is not generally available for inspection. Cookie data may be collated to create a picture of who you are.

There was a ‘horror’ story that went around some years ago about a pregnant teenager being discovered by her family because her search history meant her parents got served advertising for pregnancy help. The cookies didn’t identify her, but enabled her parents to put two and two together.

Personal information is information about an individual which by itself identifies that individual, or with other information can be used to identify an individual. Types of personal information can include:

  • photo
  • name or alias
  • postal, street or electronic address
  • enrolment in a course
  • testimonial
  • biological samples
  • genetic data

So, a cookie pop up by itself just won’t cut it.

4. Never reading your own privacy policy

If you don’t know what your privacy policy says, how can you possibly be implementing the protections necessary to protect the personal information you are collecting?

How many businesses do you know that have a blank page when you click on the privacy policy link in the footer of their website? Clearly they missed checking what was supposed to be written on that page. Your web developer or tech person is not responsible for you meeting your privacy obligations. They probably know marginally more than you do about your privacy obligations, are not lawyers and shouldn’t be uploading just anything for you.

5. Not understanding your own privacy policy

Privacy obligations only apply to information about real people – whether in their personal or business capacity – but do not apply to companies or other entities. Depending on where you are in the world, privacy obligations may also be limited to people who are still alive, and not the deceased.

So, what do you do with the personal information you collect? Unless you use integrated technology, you probably have data about your clients and suppliers in a variety of places:

  • your CRM
  • your finance software
  • your email marketing software
  • your email management system
  • a project management tool
  • other software used in your business

Whilst the problem of keeping information consistent across databases is widely acknowledged, the type of protections each of those systems offers, and how you use them, probably isn’t.

For many types of businesses, your privacy obligations mean that you can’t send data overseas without the consent of the person providing it. This is particularly so for financial or health data. Personal trainers, life coaches, psycho-therapy providers all collect health data and probably don’t realise that every email they send pushes personal information overseas.  

I’ve also gone to privacy policy links on websites that don’t cover privacy at all, and in fact display the e-commerce terms of that business instead, with perhaps a throwaway line saying “we respect your privacy and will never sell your personal information.” That is not a privacy policy.

6. Not considering any procedures to support your policy

When you run a small business, the people who work with you, employees or contractors, need to understand your priorities around personal information and what can and cannot be done with it.

Do you allow contractors to keep contact details on their mobile devices outside your systems?

What controls or oversight do you have over what they are doing with their mobile device each day?

How many times have you seen parents hand a mobile device to their child to keep them quiet or entertained? Do you know the personal data of others isn’t being accessed?

For businesses in Australia which are obliged to comply with the Privacy Act 1988, there are now also mandatory data reporting obligations so that if any data is lost or accessed, it needs to be reported. Leaving a device on public transport can be a reportable event if that device cannot be remotely locked and contains any personal information that is supposed to be controlled by your business.

7. Not knowing where you are collecting data or what you are doing with it

We’ve spoken with many small business owners who simply don’t realise how often or in what way they are collecting data.

  • a form filled through a website
  • an email received
  • a video conference recorded
  • a note made of a telephone conversation
  • a voicemail received
  • video feedback recorded and sent by a client
  • patient notes written and yet to be filed

All these examples involve the collection of personal information. Does your business have protocols in place for the destruction of information that is no longer required for the purpose of your business? Privacy law generally requires that you only collect what is necessary, and destroy it after it is no longer required. Interestingly, many large organisations, like banks, appear to keep your information indefinitely.

The GDPR (regarding information about EU residents) now requires that you monitor what you collect, how you collect it, and how long you keep it.

We can help you put together policies to assist people in your workplace to manage how information is collected, stored, used and destroyed.

8. Not updated to match data practices

Laws are changing all the time. If you haven’t looked at your privacy policy for more than two years, it is probably time you did.

Not only that, but if you’ve changed the software or technology you are using recently, that should also prompt a review of not only your privacy policy, but also the privacy policy of your new software or technology provider.

You might be offering a new product or service that means you collect additional information from your clients, more than you did previously.

You might have started working with another business in a joint venture, which means they now have access to some of your personal information, and vice versa.

Take time to review your practices and procedures for managing personal information and privacy, as well as checking that you are legally compliant with your obligations.

9. Doesn’t address all the different people affected – customers, partners, developers, general users

You may or may not treat personal information from different relationships in the same way. By relationships, consider the different people you interact with in your business – your clients and customers, your suppliers, your employees and contractors, volunteers, etc.

Consider: if you still have a business that uses paper forms, you might have collected similar or only slightly different data on different forms. You might scan that information and store it electronically, but then what happens to the paper copy? Is it securely destroyed? Is it stuck in a filing cabinet somewhere? Is that filing cabinet locked? Is any member of staff able to access that filing cabinet?

Do you have forms to be filed sitting on someone’s desk without any security or privacy around that information?

Do you have phone numbers written on a white board that can be seen from outside your office? This happened on a morning TV cross to a bank financial data room.

You might have a list of supplier details stuck on a wall, or a piece of paper near the computer.

If you treat the personal information you collect about different groups of people differently, all those scenarios need to be covered.

10. Hiding the terms

If your business has privacy obligations, you should share how you meet those obligations with the people whose data you collect. So, if you have employees, you should have an employment policy around how you manage their personal information.

If you have customers, you should have a policy about how you manage their personal information and what you do with it.

The easiest way to share a privacy policy with customers and suppliers is through your website and the convention is to have a link to that policy in your website footer.

A link to a blank page is not helpful.

11. Wrong laws or no laws

A contract came across my desk the other day between two Queensland, Australia based small businesses. Goodness knows where they got it. The agreement was four years old and mentioned the laws of Ontario, Canada as the governing law. No, no, no, no. Not helpful at all!

If you copy and paste a privacy policy from someone else there is a risk that you have inadvertently referred to laws that don’t even apply to your business. Like COPPA, the Children’s Online Privacy Protection Act, which is law in the United States. Reference to that law in another country is likely to be inaccurate and potentially misleading, or create obligations in your business that never actually existed until you voluntarily assumed them.

If you’ve copied something from overseas, it is also possible that you’ve not complied with the laws that do apply to your business, putting your business at risk.

Although there are certainly some similarities in obligations in different countries, law is not universal and there are often inconsistencies within countries, particularly federated countries, as well as between countries.

Make sure you are undertaking to comply with the laws that apply to your business.

12. Hard to read – legalese or no whitespace

Lastly, don’t make your privacy policy so hard to understand that people don’t or won’t read it. If you write for the comprehension level of a child of around 12, then most people who read your privacy policy, whether customers, suppliers or staff, will understand it.

You shouldn’t need a post-graduate degree to make sense of what has been written. It doesn’t help your business or anyone else you deal with. Back in 2019 The New York Times did an article about readability and found that Facebook’s then privacy policy was more difficult to read than Stephen Hawking’s ‘A Brief History of Time’. Don’t be that business.

Simple headings like:

  • How we collect your personal information
  • What we do with your personal information
  • Where we store your personal information
  • Your rights regarding the personal information we have collected about you

All make it easier for someone reading your privacy policy to make sense of what it is you do to help protect them. Short sentences, simple words, easy to follow headings, plenty of white space, all aid understanding.

If you are not sure, get a child you know to read your privacy policy out loud and ask questions about anything they don’t understand. If they stumble over a sentence, or have loads of questions, go back to the drawing board.

How can Onyx Legal help you?

If you’d like help reviewing or updating your privacy policy, or perhaps having one tailored to fit your business and your business processes, send an email to advice@onyx.legal with a link to your policy (if you have one) and let us know what you’d like to achieve.

Your Quick Legal and Cyber Check on Your Website

Start by completing our quick audit questionnaire to work out some of the legal issues that arise when creating a website. Then read below…

Domain Name Legal Issues

Your domain name is like a post office box. You lease it, you don’t own it. Your registrar is like the post office. They will only talk to the person who is authorised as the registrant of the domain name. That might not be you!

If you don’t know where your website is registered – GoDaddy is a commonly known registrar – this could be a problem if you want to sell your online business and cannot transfer the domain name. If you don’t ensure your registration fees are paid regularly, then you could lose your domain name and it is not easy to get it back.

When agencies first started building websites for businesses, a lot of them registered the domain names to the agency rather than to you, their client. This became a problem for people when their small web designer gave up their business, or their web designer held them to ransom, requiring a payment equivalent to purchase before releasing the domain name.

We’ve had a prospective client come to us running a business using a specific domain name, and no part of that domain name was protected by trade mark or copyright. For whatever reason, they let their registration lapse. Of course, the domain name was sold to someone else. That someone else happened to be a local competitor to them. They came to us 2 years after the domain name had lapsed and their competitor was using it and asked us to help them get it back. We told them we couldn’t help. There was no basis for them to claim exclusive ownership, it took them two years to take any action and the time, money and effort required to even attempt to get it back was more than they were willing to invest.

Trade marks are almost the only thing that can give you superior rights to anyone else for registration of a domain name, and even that won’t stop someone using the same domain name in a different industry from using your name. Just try searching ‘Onyx Australia’. We might be the only legal firm with that name, but we are not the only business with that name in the country.

ACTIONS:

  • Identify your registrar and make sure you have login details
  • Confirm the registrant name (hopefully not a company you since closed – it has happened)
  • Make sure you have auto-renewal and up-to-date payment details in place

Our team at Onyx Legal can help you find out who the registrant is and make sure you have control over your domain name.

Hosting & Backup Legal Issues

All of the information that people can watch and read on your website is stored and then accessed via the internet. You pay a hosting provider to store that content and make sure it is available when people look for it online. If you don’t know who your hosting provider is, who can you talk to if your website is ‘down’ and not visible? You might be working through an agency and contact them.

There are a lot of factors that can impact your website hosting, including whether your website is on a shared server or an individual server. On a shared server, one website with malware can have every website on the server temporarily shut down. If your site is impacted by malware and taken down, it can impact your results in advertising or search results when clients are looking for you. The responsibility for those things may sit with you, or your agency, or your hosting provider. Check your terms and conditions of hosting.

The type and location of your hosting provider can also impact the speed of data upload to or download from your website. If you don’t have automatic payments set up on your hosting, you might find your website is down. And if you don’t know where your website is hosted, any information you collect through your website, like personal data, may be going around the world before it comes to you – which could be an issue in managing your privacy obligations.

Backups are important in reducing your cyber risks.

There are lots of products that enable you to back up your website to the server where it is hosted. This might not be effective if you get hit with ransomware, because a backup stored on the same server can be encrypted along with the site. If you have a separate backup on a system that you know works and can be reinstated quickly, then you have a better chance of a quick recovery from a ransomware attack. Always check that your backups work and your site can be quickly reinstated. Back up regularly.

Like backups, password protection and sensible username application can also make a huge difference in managing the cyber risks to your website and your business.

The team at Onyx Legal can help you find out who your hosting provider is and how to protect your content.

Website relationships and the terms and conditions to manage them

In a high street shop front, everyone is trained in the rules of what is considered appropriate behaviour in stores from a young age, so much so that we take it for granted. Things like – if you break something, you pay for it, if the shop is closed then you can’t come in, you have to pay for what you buy before you leave the store and so on. The common courtesies like don’t disturb other shoppers, if you are asked to leave then leave, and don’t steal are also taken for granted.

Online, you sometimes need to remind people of the rules. You can also set some rules to control your own online space.  Think about the big sites like eBay, Craigslist, Facebook, and Google. If you don’t follow their rules, they can stop you from using their services and there is almost nothing you can do about it.

You have the same ability to control how other people access and use your website and the information you provide. Every different interaction available on your website creates a different relationship that you may need to manage through terms and conditions.

You will normally find a link to terms of use in a website footer. Following that convention is sensible if you want to argue that your terms and conditions are binding on your website visitors or users.

We’ve had a client who neglected to have terms and conditions on their website and had to pay a $125,000 claim for defective products because they failed to disclose that they were just the importing agent for the manufacturer and to set any contractual terms around their supply.

If you are working in any sort of industry that is regulated, either by government or a professional organisation, a disclaimer may help limit the risks to your business. Disclaimers can also provide a great opportunity to remind your clients of their responsibilities.

Onyx Legal can help you tailor terms and conditions that fit your business, your industry, and make sense to your customers.

Legal Issues with Website Content

What you publish on your website, whether you put it there or someone else did, is your responsibility. If you have been creative with the truth, copied something from someone else, used a form of software that allows you to ‘snip and spin’ other people’s content and publish it as your own (We were horrified! It was so obviously copyright infringement, and the client thought it was perfectly fine because they paid for the software and assumed the developer was doing the right thing around copyright. Wrong! It slowed their website development down a bit) then that’s on your head – no one else’s.

You need to be aware of any regulations applicable to your industry (for example – health services in Australia can’t use testimonials about the health service), stay within the bounds of consumer protection legislation, not infringe the intellectual rights (trademark, copyright etc) of others and protect the privacy of visitors to your website.

Onyx Legal can help assess your level of compliance, where you might have risks and make some recommendations around improving your website from a legal perspective.

How can Onyx Legal help you?

If you scored badly on the website legal and cyber self-audit and would like us to carry out a more comprehensive audit and make some recommendations, make an appointment with the Onyx Legal team now.

How to Complete a Quick Legal Audit of Your Business

Running your own business can be a juggle. So how do you know if you are putting yourself at risk? Consider doing a quick legal audit of your business to find out whether there are any potential cracks that you may need to fix.

We’re going to focus on structure, relationships and risk management.

Start with your Business Structure

When was the last time you thought about what business structure you have and if it still works for you?

Many people start small businesses as sole traders and continue that way until something bad happens, like a threat of court action or an unexpectedly large tax bill. Other people set up multiple companies or trusts and then lose track of them. Some people change the style of delivery of their business and then need to review how everything is done.

Some recent examples for our clients have been:

  • A client selling a business discovered that the business trade mark was registered to a company they had forgotten about. They had moved and hadn’t updated their contact details with the company register. The company had ‘strike-off action in progress’ recorded against it in the register. The quick fix there was to pay outstanding invoices to the register and update contact details.
  • Another client set up a second company in the US and separated its business delivery by area, some under its Australian company and some under the US company. Customers are now able to choose their area before checkout. Taxes had to be accounted for in each different country and in Australia that meant the invoicing had to identify the Australian company and the GST paid, which initially it didn’t. A few technical tweaks in the delivery software fixed the problem.
  • A couple started a business as a hobby as a sole trader under the name of one of them. Twelve months later they came to us asking about asset protection. Initially, it appeared that the structure didn’t need to change because they hadn’t really started generating any income. A little further in the conversation disclosed that one of the partners held shares, an investment property and crypto-currency in their own name and it became clear that a different structure was needed to isolate those assets from any potential risks in the business.

Audit questions for you

  1. What legal structure do I use for my business? Can I find the documentation?
  2. When was the last time I reviewed that structure?
  3. Are my business contact details up to date with all regulators?
  4. Do I know my business identification number (in Australia it is an ABN)?
  5. Are my invoices correctly set out for compliance purposes?

Then Think About All Your Business Relationships

Mind mapping might help you identify all the different types of business relationships you have. Think about your business from the inside out, starting with you and ending with the general public.

You might have relationships with some or all of the following groups:

  • Business partners
  • Investors
  • Employees
  • Contractors
  • Suppliers
  • Affiliates
  • Sponsors
  • Advertisers
  • Joint venture partners
  • Clients
  • Customers
  • Subscribers
  • General public

Each different relationship potentially has different risks, obligations and responsibilities, and those things are much easier to keep track of if they are documented.

Lots of people who come to us have operated their businesses on verbal agreements or exchanges of emails successfully for years. There is nothing wrong with that, but if something goes wrong, your options are likely to be more limited than if you had a written agreement to refer back to when resolving the problem.

Most people can’t remember what they did a week ago. Don’t expect to be able to remember exactly what was agreed with someone months or years ago.

Some recent examples for our clients have been:

  • A business break-up. The parties had not documented their relationship or what would happen if the business came to an end. They had a meeting with their accountant to agree on how to close the business, but then one party decided not to follow that plan, and it hadn’t been documented and agreed in writing on the day, so became a dispute. The simple fix would have been to have a shareholder agreement in place within a short time before or after starting their business, whilst relationships were still good, and the parties were able to speak sensibly and logically to each other.
  • Another client had been operating their business without any hassles for years. The nature of their business meant that there was always a sponsor between them and their end customer. For the first time, a sponsor acted as gatekeeper and stopped the supply of products from our client to the end customer based on their assessment of the quality of the product. Each product was developed by our client’s labour, unique to the client, and our client could not be paid if the products were never put in front of their clients. Difficult situation. We prepared terms and conditions of service between our client and their sponsors to ensure that sponsors who behaved in that way would have to pay our client an amount equivalent to their lost income.

Consider whether you have anything in writing to help you manage all of the relationships in your business. Some examples are as follows:

Business Partners

A business partnership works well when both parties are on the ‘same page’. A clear and transparent agreement will help you quickly resolve any potential issues in the future, regardless of the structure you are using to operate.

Business relationships will be covered to a limited extent in founding documents, like constitutions or trust deeds, but those documents are designed more for setting out the rules of governance of an entity, than managing the relationships of the people involved. For older businesses, governing documents might be completely outdated and no longer compliant with changes in law.

Types of documents you may already have in place or like to have in place could include a partnership agreement, or a shareholder’s agreement, or a unitholders agreement. If you’re working with someone on a side gig, you might need a contractor’s agreement or a joint venture agreement.

Employees

Whenever you employ someone, you will have certain information you need to collect and compliance obligations you need to meet, before even considering whether you want to create company policies to help guide your workers.

Consider the following:

  • notices required under regulation (in Australia we are required to give a Fair Work Information Statement to employees before they start work)
  • information that needs to be securely collected and protected, like tax information
  • an employment agreement
  • a position description
  • health and safety information
  • company policies – social media policies and work from home have been important recently

Also think about any insurances you are legally required to have in place for your employees, in Australia that will be Workcover insurance.

Contractors

Engaging a contractor without a written agreement is not an ideal position to be in if something goes wrong. Even if you have a written agreement, sometimes it isn’t sufficiently clear.

The biggest issue we’ve managed for clients when contractor agreements have gone wrong is clearly identifying the required deliverables and whether they were met or not.

If you engage a contractor on their terms and cannot measure what was to be delivered by the end of the month before you pay them, then don’t be surprised if you don’t get what you expected. Be clear before you engage a contractor what you want them to deliver, and if you can’t, at least have the ability to set measurable results you expect on a weekly or monthly basis. If you don’t, make sure you can end the agreement at any time without penalty.

In some industries there are minimum legal requirements for contractor agreements which can include terms of payment including frequency.

Clients

Your clients are an integral part of your business, and it is essential that you have agreements in place with them appropriate to the type of business you operate.

There is an increasing level of awareness of what happens when you hand over personal information and an expectation that it should be protected. Platforms like Facebook and Google require advertisers to have a privacy policy before they can publish any ads. Most importantly, a privacy policy gives you the opportunity to show your clients how you care for their information. Do you have one? Is it on your website or otherwise easily available to your clients?

For online businesses, your agreements are usually contained in the terms and conditions you have published on your website or shopping cart.

If you’re delivering consulting, coaching, mentoring or similar services, you want something documented to ensure you get paid. We usually encourage an element of upfront payment for coaching or consulting services to ensure you don’t deliver services then have to chase to get paid.

Suppliers

If you have credit arrangements with any of your suppliers, you will be purchasing their goods or services under their contract terms. Often people don’t review those terms until they want to end the services and then check the terms to find out how to make that happen.

When was the last time you reviewed your supply agreements? Are you happy with your suppliers, and if not, have you told them? It is possible to change the terms of an agreement in writing between the parties, so that your business relationship can continue, but in a way you are satisfied with, rather than being an unhappy customer.

 

Audit questions for you

  1. Do we know where our founding/governing documents that establish our business are kept? When did we last look at them?
  2. How many different business relationships do we have?
  3. Are those relationships documented in agreements?
  4. Do we know where our agreements and contracts are?
  5. Do we have written employment agreements or policies?
  6. Do we have a privacy policy on our website?
  7. Do we have a contract register so we know what agreements we have, with who, who on our team is responsible, when the agreements end and where they are?

Now Think About Your Risk Management

Have you thought about what the biggest risks might be for your business? COVID certainly surprised most people. Whilst some businesses were impacted by SARS and thought about adding in ‘pandemic’ as a risk factor in their risk management and business continuity, that was a very limited number of businesses. If you don’t stop occasionally and work out where the risks are to your business, you don’t give yourself the opportunity to lessen the potential impact on your business before they occur.

Even if you have a written business plan, and a written business continuity plan (a set of actions to be taken when events or circumstances have an adverse impact on the business), if you haven’t reviewed them for some time then they might not be relevant.

The key to risk management is thinking about what matters most in your business, how that might be threatened, and what you can put in place to reduce the impact of that potential threat happening.

A great example is considering cyber risk to your business and then having all staff complete training as a result. The training is a way of raising awareness of the potential problems and helping people understand what they can do to reduce the risk. 

If you have a business plan, that may help you identify the main areas of potential risk to your business. Consider –

  • Financials – processing payments; invoicing; paying employees, contractors, suppliers; tax changes; loss through theft or other means etc
  • People – what would happen if anyone in your team was gone for any reason?
  • Key Resources – physical, intellectual, human, network
  • Offering – competitors, changing environment, legal compliance
  • Key activities – what would impact your ability to deliver your product or service to your clients?

Once you’ve identified your risks, consider the likely chance of each one happening, and the likely impact, to calculate a risk score. Typically, businesses identify 4-5 levels of risk for likelihood and impact. So, the likelihood might be from ‘rare’ to ‘almost certain’ and the impact might be from ‘minor’ to ‘catastrophic’. A large proportion of businesses, if they’d had the chance to do this exercise with knowledge that COVID was coming, would probably have assessed a pandemic as ‘rare’ and ‘catastrophic’. That may have given it a risk rating in the HIGH range and ensured that measures were in place (like the ability to work remotely) before COVID happened.

Hindsight is a wonderful thing.

 

Audit questions for you

  1. Have we ever considered risks to our business?
  2. Do we know whether we have compliance obligations in our industry?
  3. Do we understand risk management?
  4. Do we have a risk register?
  5. Do we have risk mitigation in place for identified risks?
  6. What insurances do we have in place?
  7. Have we scheduled staff training to help identify and manage risks?

Is it time for a refresh?

If you’ve read through the audit questions and think it sounds all too hard, consider the future of your business. If at any time you want to apply for finance, look for an investor or sell your business, all these things will need to be sorted out to get the best value.

If it seems overwhelming, consider working with us to help prioritise what is most important to support your future objectives, and then to work through the process with someone in your team to help you get organised and on top of everything.

Onyx Legal offers cost effective day rate services to help you get on top of big projects that support the future value of your business. Let us know if you’d like a hand with identifying and understanding your structure, contracts or risk management. Make an appointment now

How can Onyx Legal help you?

Book an appointment to talk with one of our team about your business structure and whether it is still the most appropriate structure for what you are doing and what you’d like to achieve.

The Right Business Structure to Protect Your Assets


Once you have made the decision to operate your own business, choosing the correct structure is the next step. Keep in mind that your business structure can change if your business grows in a direction that would suit a different structure. It makes sense to seek legal and financial advice before getting started, so you can tailor your business structure to your unique circumstances.

In Australia, your main options for establishing a business are:

  1. Sole trader
  2. Partnership
  3. Joint venture
  4. Company
  5. Trust

Getting a business name is not setting up a business, it is just registering a business name. We’ll discuss that a little more at the end, for clarity.

In deciding which option would best suit you and your business ideas, think about the following:

  • Your existing assets, income, tax and other ownership structures
  • The simplicity of the new structure and your initial set up costs
  • The type of business you would like to operate and the size of the business
  • The likelihood and speed of business growth and the requirements for investment
  • The tax impact upon the business and on you
  • The type of management and control levels required to operate successfully
  • The number of people involved in the management or ownership of the business
  • The degree of flexibility required to adapt as the business evolves and expands or moves in a new direction to first planned
  • The potential risk of the new structure failing and what impact that could have on you
  • The costs and ease of ending the business if it doesn’t turn out

Let’s have a look at potential business structures in light of the above factors.

1. Sole Trader

A sole trader is a very simple business structure and there are minimal set up costs involved for you as the business owner. You will need to register for an Australian Business Number (ABN) in your own name.

If trading under your own name eg. “Harper Lee Consulting” then you don’t need to register a business name. But if you want to trade under another name “Awesome Consulting” then you will need to register a business name. You are still the business, it just has a name that is not your name.

You will bear the responsibility over all of the business functions and will be completely personally liable for all of the debts that the business incurs.

If protection of your personal assets is important to you then this type of business structure might not be the most suitable for your needs. If you own a home or an investment property in your own name and someone sues the business, they are suing you and your property is on the line.

A sole trader business can have quite limited growth potential as it is heavily reliant on the owner and often can consume vast amounts of an owner’s time and resources. Even as a sole trader, you can employ other people, but the business is still intimately associated with you.

A sole trader business will pay tax at the personal tax rate applicable to the business owner.

It is relatively easy to end a sole trader business and cease trading, provided any debts of the business are paid in full.

A good example of a sole trader business could be a business consultant, a freelance writer, an at home hairdresser or a tradesman such as a painter.

2. Partnership

A partnership is similar to a sole trader, except it involves more than one owner. It trades under a registered business name and a partnership can consist of owners with similar skills (eg. business brokers) or owners with complementary skill-sets (eg. a graphic designer and a website developer).

Like sole trader businesses, partnerships are easy to establish. You simply register an ABN naming each of the partners in the application. It is also wise to have a partnership agreement prepared to protect the interests of everyone involved, while everyone is still friends and the business is working well. Partnership break ups without a written agreement are a bit like a divorce and can be messy and expensive.

Traditionally, law firms and accounting firms were structured as partnerships.

We’ve seen law firms dissolve without ever having had a partnership agreement and all the profits left in the business were spent on attempting to resolve disputes between the partners when it came to an end.

Partnerships are better for whole of business long term ventures between people. They are not really suited to short-term, part-time enterprises.  The number of partners can vary and can be comprised of individuals, or companies, or trusts.

Each owner pays tax at their own individual rates, depending on their share of the partnership profits. Partners don’t have to hold equal shares; the shares can be split depending on the contributions of the partners. A partnership will require the agreement of all parties if the ownership structure or members are to change, and it is possible that a new ABN will be required if partners change.

When a partnership is working smoothly, it can be a great vehicle to operate a successful business. When a partnership is affected by personal differences between the owners, it can impact quite considerably on the successful business operation. Each partner is 100% liable for all the business debts and their own personal assets can be at risk if the partnership cannot repay its debts or taxes. This is the case even if the partner had nothing to do with incurring the debt in the first place.

We’ve seen partners in business lose their home because one of the other partners committed fraud through the partnership and went to jail, without being able to pay back the missing money. The people owed money were entitled to chase the other partners in the business to get paid, even though they knew nothing about the fraud.

3. Joint Venture

A joint venture is usually set up by a written joint venture agreement between the parties for a particular purpose or project. It is a good structure for operating a specific project instead of continuing indefinitely. The number of entities involved can vary, and they can be individuals, companies or trusts.

It is best to seek legal advice before signing a joint venture agreement to ensure you understand your contribution to the venture, what happens when things change during the project and to ensure you are adequately protected if the joint venture is not successful.

A joint venture helps to grow your business through collaboration with other entities that have complementary skills or financial resources. The structure can vary depending on what you want to achieve, the governance type and obligations as well as the division of profits and losses to the parties. The agreement should also contain the process for disagreement or dispute resolution, if the parties’ relationships break down.

Each of the joint venture members is responsible for the profits, losses and costs involved in undertaking the joint venture project. The joint venture is a distinctly separate entity from the members’ other businesses and assets.

An example of a joint venture might be the combination of ride-share giant, Uber, with vehicle manufacturer, Volvo, for the purpose of producing driverless motor vehicles.

4. Company

A company is a separate legal entity to the business owners. It is a legal vehicle that can incur debts in its own name, can sue and be sued by other parties. It does not cease if an owner passes away but exists until it is wound up. The business owners are the shareholders and can often hold the position of director and secretary as well, particularly in a small business arrangement.

A director is responsible for the management and governance of the company and need not be a shareholder. A company secretary is responsible for ensuring that the reporting obligations of the company are met.

If you are considering setting up a company, you will need a company name, and you will have to set up a governing structure with a constitution suitable to your business. The company must be registered with the Australian Securities and Investments Commission (ASIC) and will incur a yearly fee.

There are many complex parts to a company and it is essential for you to speak to your accountant or lawyer, or both, prior to setting up a company structure. It can have considerable set up costs compared to other entities and there are many legal obligations of the office-bearers. However, there are considerable benefits too.

It is an excellent vehicle to conduct business and ensure your personal assets, such as your home, are protected against legal action.

We had a client who, after audit, was required to repay some tax rebates received as R&D credits, together with penalties. The shareholders thought they had to sell their home to pay the company’s debt. They did not. The company remained responsible for its own debts and the shareholders got to keep their house.

Unless you give a personal guarantee for a business loan, then your private assets are protected. Since the company is a separate legal entity, it has a separate liability from the business owners. It can incur debts that are limited to the value of the company. If an aggrieved party sues the company for the outstanding debts, it is limited to the company itself and cannot sue the owners, unless they have given a personal guarantee, or fall within a category of liability where directors can be found personally liable – such as failing to pay superannuation.

There are other benefits with respect to taxation as well. The company pays tax at a company rate and can pay “fully franked” dividends to its shareholders, which can be very attractive to the business owners, depending on their individual circumstances.

Since November 2021 directors of companies (along with some other entities) now must be issued a Director Identification Number (DIN) which is issued by ASIC.

There are two types of companies – a privately owned company and a publicly owned company. So what is the difference between a private company and a public company in Australia?

4.1. Private Company

A private company is distinct from a public company because it is privately owned. It will often have “Pty Ltd” after its business name, and this means ‘proprietary limited’. This indicates it is privately owned, with limited liability.

A Pty Ltd or proprietary limited company is the most common structure for small businesses. It is incorporated, issues shares, will have a maximum of fifty shareholders, and the shareholders are not personally liable for the debts of the business. They will only be liable for any unpaid financial value of their shares. What this means is that if you purchase 10 x $1 shares but only pay the company $5 at the time of purchase, there will still be 50c owed against each of your 10 shares, and that must be paid if called by the company.

A private company is for protection of your personal assets. There are a large variety of share structuring options available, so it is definitely an option to discuss in greater depth with your accountant or lawyer.

4.2. Public Company

A public company is a company that can be listed on the stock exchange and is funded by investors, or a company to be limited by guarantee and operated as a charity or not-for-profit.

Not for profit means the members or shareholders are not entitled to a distribution of the profits of the business and the profits must be reinvested back into the business. In a for profit company, members or shareholders are entitled to receive a distribution of the profits if dividends are paid. Business is not sustainable if it does not generate a profit.

A public company often has “Ltd” or “limited” after its name to indicate that it has limited liability.

For profit public companies have a complex structure and are required to issue public documents when paying dividends or raising capital. Qantas is a public company. Any company you can purchase shares in on the Australian Stock Exchange is a public company.

A public company remains an option if you grow your business to the point where you would like to take it public and raise considerable share capital through a public offering.

A not-for-profit public company is an appropriate structure for a large charity.

5. Trusts

A trust can be an excellent asset protection structure, but you will need tailored legal and financial advice to correctly suit your personal circumstances. A trust is a vehicle that enables a trustee to act in the best interests and hold property or income for a particular purpose, for the benefit of the beneficiaries or trust members. The trustee can be an individual or a company.

Whilst there are many types of trusts available, there are two main types of trust used in small business. They are:

  1. Unit Trust
  2. Discretionary or Family Trust

The trust is set up with a formal trust deed that provides guidance on the way that the trust operates and the powers of the trustee.

There are other parties named in the trust deed – such as the settlor who won’t have any future involvement in the trust, but who is essential in its establishment.

Superannuation trusts are often established with limited investment categories, for example, an inability to invest in cryptocurrency.

The trustee is responsible for administering the trust. Provided that the trustee behaves appropriately, the trustee is usually entitled to be indemnified out of the trust fund for any liabilities incurred in association with the administration of the trust. If the trustee is an individual, their own personal assets can be at risk if the trustee is sued, which is a good reason to appoint a company as a trustee.

A trust may also be entitled to a 50% capital gains tax exemption, but a company is not. You should seek accounting advice when reviewing your tax obligations.

A discretionary trust is the most common structure in small business.

A unit trust is one of the most common structures for small property development. 

Unit trusts have certainty in proportionate interests, whereas a discretionary trust is variable depending upon the decisions of the trustee. Where a greater degree of certainty in financial dealings of trust property is required, the unit trust is more effective. Each unitholder of the trust holds a specified number of units and the trustee has no discretion to give unitholders distributions that are inconsistent with the rights of other unitholders. You can transfer a unit to another unitholder, just like shares in a company.

We normally recommend that people involved in a unit trust structure enter into a unitholder agreement, similar to a shareholder agreement, to better protect their interests.


Your Guide to Terms & Conditions


The last few years have seen lots of businesses pivot to make greater use of online tools and increase the opportunity for online sales.

As a business owner you should be considering the exposure of your online business and in particular, when you last updated your terms and conditions, your privacy policy and your disclaimer – or even if you have them to protect your business.

The post COVID-19 era has resulted in more important updates, changes and governmental compliance responsibilities than prior to the pandemic, and increased the complexity of navigating the online business world.

Your terms and conditions set out essential protections for your business including identifying which laws govern your website and business, reducing your chance of a dispute arising, giving you the freedom to remove unwanted people, and placing responsibilities on the user that are important to the way you do business.

Having terms and conditions can significantly reduce the chance of future problems arising, if you have taken the time to obtain appropriate legal coverage.

Services Online

If you sell a service and have any type of intellectual property, such as an education course or unique planning tool, you will want to ensure one of your terms and conditions includes protection. As other businesses move online, they may copy some of your own website and design, so a copyright clause can at least alert visitors to your website that you intend to protect your intellectual property and caution them against copying it.

As a practical tip, do not copy someone else’s website content. It is copyright infringement. If you are checking out what your competitors are doing and want to create something similar, at least choose a competitor on the other side of the world who might have a totally different client base. Don’t copy your local competitor just down the road and expect them not to get upset!

Be innovative. Even if you sell hard products, you can use your online environment to create membership communities, offer education, host competitions etc.

Goods Online

If you manage a type of retail or goods-based business, necessary terms and conditions would include your refund and return policy. Ideally this would set out in very clear terms what the customer should expect in the event that they sought a refund or wanted to return their items.

Your customer must be aware of your terms and conditions before purchase for them to be binding. It saves a lot of hassles and time down the track if your terms of trade are clear and easy to access. It is worthwhile noting here that some terms and conditions cannot override Australian consumer guarantees. Any attempt to limit the Australian Consumer Law (ACL) is invalid. Consumer guarantees now apply to products and services with a value up to $100,000, regardless of who the purchaser is.

We can help you navigate your obligations under Australian Consumer Law.

Interesting Recent Cases

Consider the 2019 case of Australian Competition and Consumer Commission (ACCC) v Jetstar.

Jetstar tried to present their air fares in a way that excluded any right to a refund for the cheaper air fares. The ACCC commenced proceedings against Jetstar for false and misleading representations, as well as breaching the automatic consumer guarantees that cannot be excluded, restricted or modified, no matter how cheap the air fare was for the consumer.

The Federal Court ordered Jetstar to pay a financial penalty of $1.95 million for the breaches as well as an undertaking to commit to amend its policies and practices to ensure they are consistent with the ACL. This undertaking was court-enforceable if they did not comply.

Another recent case that illustrates the importance of having express terms and conditions is the case of Hardingham v RP Data. Hardingham was a real estate photographer who had an exclusive licence with his business ‘Real Estate Marketing Australia Pty Ltd’ (REMA) for the copyright of his works. He had an ongoing informal oral agreement between him and the various real estate agencies for the use of his photographs and floor plan images for the agencies’ marketing campaigns. He did not have any express terms and conditions in place between him and the various agencies.

These agencies would then upload his work to Realestate.com.au for the marketing campaigns. In order to proceed with the upload of the photographs, the agency (often a subscriber) would need to agree to the terms and conditions on the website as set out by Realestate.com.au. The terms and conditions on the Realestate.com.au website contained a sub-license to “other persons” in a detailed form.

Realestate.com.au then sub-licensed to RP Data who then published the photographs on its websites and superimposed a logo on the images. RP Data is a subscriber-only database of real estate sales and rental history. After an appeal to the Full Court of the Federal Court of Australia, the court held by 2:1 majority, that the sub-licence to RP Data who then used and manipulated the photographs and images was an infringement of copyright.

The court held that the original owner of the copyright did not agree to the sub-licence when it verbally agreed to the various real estate agencies uploading the images to Realestate.com.au.

We have assisted professional real estate photographers to prepare appropriate terms and conditions for the use of their images to ensure they are paid for use.

This case is a good example where the copyright owner might have avoided going through the expensive and lengthy court process, and the subsequent need to appeal, to receive a judgement in his favour, if he had express terms and conditions that explicitly set out the use of the photographs and images.

Since he had only oral agreements between him and the real estate agencies, the court had to determine if the implied terms were so obvious and were necessary to give business efficacy to the contract. Thankfully the Full Court found that there was such an implied term in this instance.

COVID-19 Impact on Terms and Conditions

Another recent case that relied on terms and conditions under a contract that was affected by COVID-19 shutdowns is the case of Dyco Hotels Pty Ltd v Laundry Hotels (Quarry) Pty Ltd. This case concerned the sale of the Quarryman Hotel in Pyrmont, New South Wales (NSW). The contract was signed on 31 January 2020, with the date of settlement set for 27 March 2020.

The contract price was for $11,250,000 and included the associated hotel licence, the gaming machine entitlements and the hotel business itself. The deposit paid by the buyers was $562,500.

In the sale contract, there was an Additional Clause 50.1 which imposed various obligations upon the vendor, including the obligation to continue to operate the business “in the usual and ordinary course as regards to its nature, scope and manner”.

On 23 March 2020, 4 days before settlement, public health orders were issued shutting down the majority of hospitality services. This made it unlawful for the hotel to continue to operate, except for takeaway food and drinks, in accordance with the public health directions.

The buyers argued that the business sale was frustrated by the public health orders since the hotel was no longer able to operate in the “usual and ordinary course as regards to its nature, scope and manner”. They asked for return of the $562,500 deposit and claimed the value of the assets decreased by $1 million due to the public health orders.

The vendor disagreed.

The vendor’s position was that the hotel continued to trade as a going concern within the confines of the health orders and in accordance with the legal restrictions that had been imposed upon it. If the vendor had operated contrary to the public health orders, it would have placed the future operation of the business in jeopardy, including the hotel licence to operate. This would have damaged the goodwill of the hotel. The vendor also argued that they were entitled to terminate the contract, retain the deposit and seek damages for the loss of the bargain.

The NSW Supreme Court found in the vendor’s favour and held that the contract was not frustrated by COVID-19 public health orders. The vendor was entitled to keep the $562,500 deposit and recover damages as well for the loss of bargain. The court assessed the damages to be $900,000 and deducted the deposit of $562,500 from that amount.

Although the terms and conditions in this case were not online but contained in sale documents, it does demonstrate that carefully considered terms and conditions can make a big difference to the outcome of a dispute. 

The purchasers might have been better protected if there were any contractual warranties given by the vendor about the future financial performance of the hotel. Since there were no warranties given, the purchasers accepted the risks.  The purchasers were experienced in the Sydney hotel operations business and understood the various potential risks of legislative changes, despite not being familiar with the impact of a pandemic.

This is a good illustration of the impact of the COVID-19 pandemic on terms and conditions and contemplation of the risks associated with business operations. Following the lessons in this case, a vendor would be wise to include business conduct obligations under the contract that can be altered or changed to comply with public health emergencies. A buyer would be wise to include options to terminate the contract in the event where the value of the business has dramatically dropped due to unexpected circumstances.

Another COVID-19 impact on the operation of businesses can be seen in the recent case of Flight Centre Travel Group Limited Trading as Aunt Betty v Goel. Terms and conditions were online and agreed to by click wrap agreement – where the buyer has to check a box stating they agree to terms and conditions before being able to complete the purchase.

In the first hearing, Goel had been awarded a refund on the basis that the purchased flights hadn’t been received.

On 5 November 2019, the customer (Goel) had made a booking online for return flights from Sydney to Delhi scheduled for April 2020. The $2,336.30 flights were with Malaysia Airlines, which cancelled the flights during March 2020, when COVID-19 public health orders restricted international travel.

The terms and conditions stated that Flight Centre was only an agent and not responsible for delivery. If that were the case, Malaysia Airlines would have been liable to provide the refund, not Flight Centre.

The case we are referring to was an appeal by Flight Centre where it argued that the business Aunt Betty operated as an agent, and not the supplier of the service, and therefore was not liable for actions by the airline in cancelling the flight. It would have set a damaging precedent for Flight Centre to be liable to refund all booking costs where it had not received the bulk of those funds, which had been passed on to the suppliers (like Malaysia Airlines) pending delivery.

The tribunal, on appeal, held that Goel would have been aware at the time of booking that he had booked the flights with an agent and not the actual airline carrier itself. It is interesting to note that the court decided that the booking could not have been made without the positive acknowledgement of the terms and conditions on the website. The court also decided that there was no breach of the consumer laws by the agent, and it was not liable to provide the refund.

Conclusion

In order to operate your business successfully, you need to be mindful of both the ever-changing landscape that COVID-19 public health emergencies create, and the increasing demands shaped by conducting more business in the online space.

The pace of change suggests you have your terms and conditions of trade reviewed and updated more frequently, with consideration of all aspects of a transaction.

If you are contemplating signing any contracts for business sales or purchases, it would also be advisable to ensure you are covered in the event that a COVID-19 emergency public health order impacts adversely on the contract price and business valuation or operational requirements.

The new year is also a good time to evaluate your privacy policies and disclaimers, as well.

How can Onyx Legal help you?

We love reading and writing terms and conditions. Someone has to do it. It’s fun for us. If your terms and conditions are like a different language for you and you’d rather not think about them, let us help. Book a time to chat with one of our team about how we can help update your online terms sooner rather than later.