Every B2B sales team in Australia uses data to find and engage prospects. Company names, business addresses, website information, industry classifications — this data powers prospecting, research, and outreach.
But the legal framework governing how you collect and use this data is more nuanced than most salespeople realise. Get it right, and you have a competitive advantage. Get it wrong, and you face regulatory risk that can be expensive and reputation-damaging.
Here is a practical guide to what Australian privacy law means for B2B sales teams in 2026.
The Privacy Act and the APPs
The Privacy Act 1988 is the primary piece of legislation governing data privacy in Australia. It is administered by the Office of the Australian Information Commissioner (OAIC) and applies to organisations with annual turnover above $3 million, along with certain smaller organisations in specific sectors.
The Act contains 13 Australian Privacy Principles (APPs) that regulate how personal information is collected, used, disclosed, and stored. Understanding these principles is essential for anyone working with data in a B2B context.
What counts as "personal information"?
This is where most B2B teams get confused. The Privacy Act defines personal information as information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Business information — company names, ABN numbers, business addresses, industry classifications, publicly available website content, and registered business details — is generally not personal information under the Act.
Individual information — the name, email address, phone number, and job title of a specific person at that business — is personal information, even in a B2B context.
This distinction matters. Collecting and using business-level data (what a company does, where it is located, what technology it uses, what services it offers) is fundamentally different from collecting personal data about individuals at those companies.
The B2B data spectrum
In practice, B2B data falls on a spectrum:
Clearly business data (lower risk):
- Company name, ABN, registered address
- Industry classification and business category
- Publicly available website content
- Products and services listed on the company website
- Technology stack detected from public web presence
- Business reviews and ratings from public platforms
Mixed data (moderate risk):
- General business contact details (info@ email, main phone number)
- Business social media profiles
- Press releases naming individuals in their professional capacity
- Conference speaker bios and publicly available professional profiles
Clearly personal data (higher risk):
- Direct email addresses of individuals (firstname@company.com)
- Personal mobile numbers
- Personal social media profiles
- Information about individuals' personal opinions or activities
Most B2B prospecting tools operate across this entire spectrum, often without distinguishing between the categories. The compliant approach is to treat each category differently.
Practical implications for B2B sales teams
What you can do freely
Analyse publicly available business information. If a company publishes information on their website — their services, their technology stack, their case studies, their team page — that information is publicly available and can be collected and analysed without consent.
Use business registry data. ASIC and ABR data about registered businesses is public information. Company names, ABN numbers, registered addresses, and business classifications can be freely used for prospecting and research.
Aggregate business intelligence. Building profiles of businesses based on their public web presence, including products, services, pricing, technology, and market positioning, is lawful when the intelligence concerns the business entity rather than specific individuals.
Where you need to be careful
Collecting individual contact details. When you collect the direct email address or phone number of a specific person at a business, you are collecting personal information. The APPs require that you:
- Collect only what is reasonably necessary for your purpose
- Inform the individual about who you are and why you are collecting their information
- Provide access to your privacy policy
Email outreach and the Spam Act. The Spam Act 2003 is separate from the Privacy Act and governs commercial electronic messages. To send a commercial email legally in Australia, you need:
- Consent (express or inferred) from the recipient
- Clear identification of who is sending the message
- A functional unsubscribe mechanism
Inferred consent can exist in B2B contexts — for example, if someone publishes their email address on their company website in a sales or business development context, there is an argument for inferred consent to receive relevant business communications. But this is not unlimited, and the communication must be relevant to their published role.
Purchasing third-party data. If you buy contact lists from data brokers, you inherit the compliance obligations. If the data was collected without proper consent, using it puts your organisation at risk. Always verify the provenance and compliance of purchased data.
The 2024 Privacy Act reforms
The Australian government has been progressively reforming the Privacy Act, with significant changes introduced through 2024 and 2025. Key changes relevant to B2B teams:
Broader definition of personal information. The reforms expanded the definition to include technical data like IP addresses and device identifiers in some contexts. This affects web-based intelligence gathering.
Increased penalties. Maximum penalties for serious privacy breaches increased to the greater of $50 million, three times the value of the benefit obtained, or 30% of domestic turnover. These are serious numbers.
New rights for individuals. The reforms introduced stronger rights for individuals to access, correct, and request deletion of their personal information. B2B teams need processes to handle these requests.
Enhanced enforcement powers. The OAIC has been given broader investigation and enforcement powers, making compliance more important than ever.
Building a compliant B2B prospecting practice
Principle 1: Business intelligence over personal data
The safest approach for B2B prospecting is to focus on business-level intelligence rather than personal data. Understanding what a company does, how they position themselves, what technology they use, and whether they show growth signals does not require collecting personal information about individuals.
When you do need to contact a specific person, use publicly available professional contact information and ensure your outreach is relevant to their role and responsibilities.
Principle 2: Transparency in outreach
When you reach out to a prospect, be clear about who you are and how you found them. Reference specific business information you used to identify them as relevant. This is not just a legal requirement — it is better sales practice. Prospects respond better to transparent, well-researched outreach than to messages that appear to come from nowhere.
Principle 3: Respect opt-outs immediately
When someone asks you to stop contacting them, comply immediately and permanently. Under the Spam Act, you have five business days to process an unsubscribe request, but best practice is to action it within hours. Maintain a suppression list and check it before every outreach campaign.
Principle 4: Audit your data sources
Know where your prospecting data comes from. If you use a third-party data provider, understand their collection methods and verify their compliance. If they cannot explain how the data was collected and on what legal basis, that is a red flag.
Principle 5: Document your processes
The OAIC expects organisations to have documented privacy practices. For B2B teams, this means:
- A privacy policy that accurately describes your data practices
- Records of what data you collect and why
- Processes for handling access and deletion requests
- Regular review of data retention and accuracy
The competitive advantage of compliance
Privacy compliance is often framed as a burden. In practice, it creates a competitive advantage.
Teams that focus on business intelligence over personal data scraping tend to produce better prospecting outcomes. Understanding what a company actually does is more valuable for sales conversations than having a direct phone number.
Teams that are transparent about their outreach methods build trust faster. In Australia's tight professional networks, a reputation for respectful, relevant prospecting opens doors that aggressive tactics close permanently.
And as the regulatory environment continues to tighten, teams that invested early in compliant practices avoid the disruption and cost of scrambling to retrofit compliance onto existing processes.
Key takeaways
- Business data and personal data are different — the Privacy Act primarily regulates personal information, not business information
- Public business information can be freely analysed — website content, registry data, and publicly listed services are fair game
- Individual contact details are personal information — collecting and using them triggers Privacy Act obligations
- The Spam Act governs email outreach — you need consent, identification, and an unsubscribe mechanism
- Compliance is good business — it produces better outcomes and protects your reputation
Boosta focuses on business-level intelligence from publicly available sources. No personal data scraping. No purchased contact lists. Just deep intelligence on 1.5M+ Australian businesses.