Over the past two years, Australia has witnessed a major overhaul of its privacy laws. The most significant reforms to the Privacy Act 1988 in decades are now underway, bringing the Australian Privacy Principles (APPs) into line with global standards such as the European Union’s GDPR (General Data Protection Regulation), which is a comprehensive data protection and privacy law that came into effect on 25 May 2018 across all European Union (EU) member states. The GDPR is widely regarded as the most significant privacy regulation in the world and has influenced similar laws globally.
For charities in Australia, changes to privacy law (which began in December 2024) will mean a fundamental rethink of how personal information — especially supporter and donor data — is collected, stored and used. Note that the law applies differently to nonprofits with an annual turnover of less than AUD $3 million versus a nonprofit with an annual turnover of more than AUD $3 million – I have dedicated a section to explain this at the end of this article.
At the heart of the reforms lies a new approach to consent. Gone are the days of vague privacy notices and pre-ticked boxes. Charities will be required to ensure that consent to fundraising and marketing is voluntary, informed, specific, current and unambiguous. This shift is not just a compliance issue. Done well, it is also an opportunity to build stronger trust with supporters and demonstrate that your organisation truly respects their choices.
What’s changing in the law
From December 2024 onward, several new obligations began to take effect, with further requirements (such as transparency in automated decision-making and children’s privacy codes) coming into force by 2026. The most immediate and pressing changes for charities include:
- Stricter definition of consent: Consent must be opt-in, not assumed. It must be specific to each channel (email, SMS, phone, post)
- Withdrawal of consent: Supporters must be able to withdraw their consent easily, and charities must act on that withdrawal promptly
- Fairness and transparency: Data collection practices must be clear and not misleading. Long, complex privacy policies will not be sufficient
- Right to erasure: Individuals will be able to request that their personal data is deleted
For charities that rely heavily on supporter databases, these changes are significant.
What’s wrong with the current approach
Consider this donation form:

It does not ask for informed consent to opt-in to any communications – either this charity plans to opt the donor in without consent, or it does not plan to further communicate with the donor (a missed opportunity). There is no option to:
- Opt in (or out) of fundraising or marketing communications
- Choose which type of communications the supporter wants to receive
- Choose what channel to receive communications on
- Understand, in simple terms, how their data will be used
In this instance, the charity’s Privacy Policy is not within the field of vision – it is buried in the footer of the website. There is a clause in the policy that says: “We may need to disclose your personal information to others in order to carry out our activities… we may provide your contact details to other like-minded organisations to contact you with information that may be of interest to you.” This approach fails the new Fairness and Transparency principle that data collection practices must be clear and not misleading.
Under the new Privacy Principles, this kind of approach will no longer be acceptable. At best, it creates ambiguity. At worst, it exposes the charity to legal risk and reputational damage if supporters feel they are being contacted without permission.
How charities should capture consent going forward
1. Make consent channel-specific
When capturing supporter details, charities must now give people the option to say yes or no by channel, such as:
- Email newsletters
- SMS fundraising appeals
- Phone calls from volunteers or telefundraising partners
- Postal mail
This can be managed with a simple set of tick boxes on every sign-up form, each unchecked by default.
2. Differentiate between types of content
Consent should not be bundled. A supporter may wish to receive a newsletter but not fundraising appeals, or may be happy to receive event invitations but not volunteer recruitment emails. Segmenting these options shows respect for preferences and reduces complaints.
3. Use plain language
Privacy collection notices must be rewritten in ‘Plain English’. Replace jargon with simple explanations:
- “We will use your email address to send you news about our programs.”
- “Tick here if you would like to receive invitations to fundraising events.”
- “You can change your preferences or unsubscribe at any time.”
What you should be doing right now to prepare
Charities interact with supporters across many touchpoints. Each is an opportunity to capture and refresh consent.
Web forms
Redesign forms to include clear, unticked checkboxes for each channel and purpose. Under the new stricter definition of consent, consent must be opt-in, NOT opt-out.
This example IS NOT compliant (the box should not be pre-ticked):

This example IS compliant (the supporter chooses to tick the box and it is clear that the newsletter will be an email communication):

Donation pages
Separate the act of donating from consent to future appeals. Donors must not be forced to opt-in in order to complete a donation.
The example below has a Yes/No option for ‘Send me updates from Example Charity’; however, it does not specify the channel that those updates will be sent through. Under the stricter definition of consent, the information provided to the supporter at the point of consent must be specific to each channel (email, post, SMS, phone etc).

Events
Use QR codes or tablets at events to allow attendees to sign up with preferences captured on the spot.
Volunteers
Ensure volunteer application forms include clear consent for ongoing volunteer communications, separate from fundraising communications. In the example below, the picklist has the options ‘Yes’ and ‘No’ for agreeing to the Confidentiality Agreement, as well as a clear opt-in for more communications by email, phone and SMS.

Contact Us forms
Ensure that all your forms capture consent to market/fundraise, including your general enquiry form.

Service users
Think about the registration forms you may have for service users (beneficiaries). Consider consent where you have one party applying for support on behalf of another party. Do they have the right to give consent on behalf of someone else?
Let’s go back to the form at the top of the page
Returning to the example form we started with at the top of this article, here’s what must change on the form to meet the new APP standards:
- Add unticked checkboxes for each channel (email, SMS, phone, post)
- Add options for content type (news, events, fundraising, volunteering)
- Provide a clear, one-sentence explanation of how each type of data will be used
- Include a link to a full privacy notice written in simple terms, but keep the essential points on the form itself
- Ensure that consent preferences are stored in the CRM and can be updated at any time by the supporter
What the future might look like
This is an example of consent from Cancer Research UK. Here they give the user a choice of 4 communication options:

In Australia, we will need to go a step further – as well as providing the supporter with channel choice, we also need to provide options for what their email address/postal address/phone number will be used for – newsletters/fundraising appeals/invitations to events etc. So let’s look at how you can set your organisation up to implement this.
Preparing your charity
The reforms may feel daunting, but the path forward is clear. Charities should:
- Audit current consent capture: Review every form, event registration and donation process
- Update CRM fields: Ensure your system can record channel-specific, purpose-specific consent. Examples include fields that record date and time consent was captured, where it was captured (what particular form), what channel the consent applies to (email, address, SMS or phone) and consent status – subscribed or unsubscribed. Date and time of opt-out and opt-out reason can also be tracked as insightful information
- Rewrite privacy policies: Replace jargon with simple, accessible language
- Train staff and volunteers: Everyone who handles supporter data should understand the new requirements
- Communicate proactively: Let your supporters know that you are making changes to respect their preferences
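A minimal sketch of the consent fields described in the list above, as an added example that is not from the article or from any particular CRM. It stores channel-specific and purpose-specific consent with capture time and source form, treats a missing record as no consent, and logs opt-out time and reason. The class, field and option names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed option names, based on the channels and content types the article lists.
CHANNELS = {"email", "sms", "phone", "post"}
PURPOSES = {"news", "events", "fundraising", "volunteering"}

@dataclass
class ConsentRecord:
    channel: str
    purpose: str
    status: str                       # "subscribed" or "unsubscribed"
    captured_at: datetime             # when consent was captured
    source_form: str                  # which form captured it
    opted_out_at: Optional[datetime] = None
    opt_out_reason: Optional[str] = None

class ConsentLedger:
    """Latest consent per (supporter, channel, purpose); no record means no consent."""
    def __init__(self):
        self._records = {}

    def capture_from_form(self, supporter_id, ticked, source_form, now=None):
        """Record opt-ins only for the (channel, purpose) boxes actually ticked."""
        now = now or datetime.now(timezone.utc)
        for channel, purpose in ticked:
            if channel not in CHANNELS or purpose not in PURPOSES:
                raise ValueError(f"unknown consent option: {channel}/{purpose}")
            self._records[(supporter_id, channel, purpose)] = ConsentRecord(
                channel, purpose, "subscribed", now, source_form)

    def withdraw(self, supporter_id, channel, purpose=None, reason=None, now=None):
        """Withdraw one purpose, or every purpose on the channel if purpose is None."""
        now = now or datetime.now(timezone.utc)
        changed = 0
        for (sid, ch, pu), rec in self._records.items():
            if (sid, ch) == (supporter_id, channel) and purpose in (None, pu) \
                    and rec.status == "subscribed":
                rec.status, rec.opted_out_at, rec.opt_out_reason = "unsubscribed", now, reason
                changed += 1
        return changed

    def may_contact(self, supporter_id, channel, purpose):
        """Gate every send on an explicit, current opt-in for this channel and purpose."""
        rec = self._records.get((supporter_id, channel, purpose))
        return rec is not None and rec.status == "subscribed"

if __name__ == "__main__":            # constructed sample data
    ledger = ConsentLedger()
    ledger.capture_from_form("S-1", [("email", "news")], "donation-form")
    print(ledger.may_contact("S-1", "email", "news"), ledger.may_contact("S-1", "sms", "news"))
```

Calling `may_contact` before every send means a supporter who never ticked a box, or who has withdrawn, is excluded by default rather than by a separate suppression list.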
Let’s recap
The upcoming changes to the Australian Privacy Principles represent more than a compliance hurdle. They are a chance for charities to rebuild trust, improve data quality and strengthen relationships with supporters. By moving away from vague collection statements and toward genuine, informed consent, charities will not only avoid regulatory risk — they will demonstrate respect for the people whose generosity makes their work possible.
Consent is not a checkbox. It’s a commitment to transparency, respect and accountability. The charities that embrace this shift now will be the ones best placed to thrive in the new privacy era.
Please refer to this Government resource for a breakdown of how Privacy Law differs according to the $3 million financial threshold.
In essence:
Thresholds for applicability
- An organisation must have annual turnover of more than AUD $3 million for the Privacy Act to automatically apply under standard rules. Charities/NFPs below that threshold may not be required by law to comply with ALL aspects of the APPs.
- Even if your turnover is less, there are special cases where you must comply:
• If doing “health service” work;
• If contracted with a Commonwealth government agency;
• If you trade in personal information;
• If you decide to “opt‑in” to the Privacy Law by choice.
Good practice is expected regardless of financial threshold
- Even when the law doesn’t impose every requirement (like informed consent, notice, retention, etc.), the updated guidance is clear that donors, volunteers and service users/beneficiaries expect good privacy practices. Trust, transparency and the risk of reputational damage are all concerns. Charities below the threshold are strongly encouraged to follow the APPs to “future‑proof” themselves.
About the author
Jessica Macpherson OAM is the founder of Blaze Your Trail, a Melbourne-based fundraising and technology consultancy with a social purpose. She offers training and expert advice for nonprofit leaders around the use of Salesforce, cybersecurity, fundraising, digital marketing and website design.
Jessica came to Australia from New Zealand to set up Oyster Bay Wine, before founding the charity St Kilda Mums (Our Village) in 2009.
She especially enjoys supporting leaders to use technology to do more good.