The $100M Fine Print Trap Threatening Australian SMEs

From $100M consumer law fines to the “sleeping giant” of privacy risk, Australian SMEs are more exposed than ever to legal compliance risks. Lawyer Scott Lambert explains why generic templates are no longer enough to protect your business under the new penalty regime.


Australian small businesses are unwittingly exposing themselves to record penalties by running on outdated or poorly-drafted contracts and terms and conditions.

Fines as high as $100 million per breach now apply to breaches of consumer law, which covers every business with a website, a product or a customer contract. Yet many SMEs are still relying on terms and conditions cobbled together at startup, downloaded from a template site or – in a modern twist – generated by an AI tool. Breaching privacy laws can also prove costly, with penalties reaching $50 million.

While some business owners regard legal documents as set-and-forget, in reality a single non-compliant clause can trigger regulatory action, litigation and fines that would likely dwarf the cost of getting it right.

Scott Lambert, an Associate in the Commercial Litigation team at PCL Lawyers, acts regularly in contractual disputes with generic or out-of-date documents at the centre, and says SME owners must be aware of the high stakes. “Never before in the history of commerce has business or small business or any kind of business faced the threats that we currently face under the new regimes,” he says. “I cannot stress how serious this is.”

Every Business Needs Bespoke Legal Protection

Lambert says the new $100 million penalty, introduced in March, is a clear signal from authorities that they won’t tolerate consumer law breaches, no matter how they come about. There’s a long list of possible contraventions: misleading advertising, unclear pricing, unlawful policies, unfair contract terms, defective disclaimers and customer terms that do not reflect current law.

He understands the temptation in small businesses to cut corners on legal documents when budgets are tight and legal fees feel like an expense that can wait. But, he says, that’s a common and costly mistake.

“In the startup phase, everything is very cheap and cheerful, like, ‘Let’s just get it done quickly and cheaply,’” he explains. “The problem is, as they grow and evolve, they never revisit these documents.”

That approach creates compounding risk. Lambert describes a recent case involving a business that had been operating for more than 30 years without updating its policies, and is now locked in a legal battle that fresh terms and conditions may have prevented.

The types of commercial documents every business needs will vary, but Lambert says there is a baseline list: a privacy policy, returns and refunds policy, shipping policy, Terms of Service, product and safety policy, and specific terms on quotations, purchase orders and invoices. Critically, none of these can be generic.

“It’d just be like trying to buy generic size clothing. It just doesn’t work,” Lambert points out. “Every single business will have its own needs in terms of what their policies, what their terms and conditions will be.”

He frames proper legal documents as protection, not paperwork. “This is like wearing a helmet when you ride a bicycle, or it’s like having a binding financial agreement or prenuptial before you go into marriage,” he says.

Privacy Threats Are The New Sleeping Giant

Authorities are also actively enforcing privacy laws, Lambert says. With penalties of up to $50 million for serious breaches, he considers privacy and data handling to be one of the largest risks now facing SMEs.

Many businesses collect and store personal information every day, including customer names, phone numbers, email addresses, physical addresses, payment details and employee records. A privacy failure can expose a business to investigation by regulators, remediation costs, reputational damage and customer complaints.

In severe cases, businesses may face whichever is greater of the following maximum penalties:

  • $50 million;
  • 3 times the value of the benefit obtained;
  • Or, if the benefit cannot be determined, 30 per cent of adjusted turnover during the relevant period.

Lambert gives a hypothetical example where a small business uses a cloud service to store customer data and the cloud service gets hacked. “Even though it’s downstream and had nothing to do with you, you had no control over those services, and sometimes you didn’t even know they went through an independent third party, sorry – you’re in breach because the buck stops with you,” he says.

AI Can Complicate, Not Simplify, The Legal Process

The rise of AI-drafted legal documents has made compliance exposure worse, Lambert argues. He cites a recent case where a business used unverified AI to generate all of its terms, conditions and policies, with catastrophic results. “Almost every single policy was non-compliant, unlawful, and it actually got them into some very hot water. They were facing huge fines,” he recounts. “It required a national recall of a product, which cost them hundreds of thousands of dollars.”

Lambert says this was a clear example of false economy: “They skipped on paying, say, a few thousand dollars in the beginning, and now they’re up for this huge bill later down the track. Simply because they tried to do it on the cheap.” Legal bills for defending a matter like this could exceed $250,000, he notes, on top of fines and recall costs.

While acknowledging the potential benefits of AI elsewhere in a small business, for streamlining workflows and replacing repetitive tasks, Lambert says the technology isn’t suited to legal advice. “AI doesn’t actually know your business. It doesn’t know that the terms and conditions should be tailored to your business. You really need to get a professional to draft bespoke terms and conditions.”

A Legal Health Check That Starts With the Website

Lambert’s advice for SME owners is practical and immediate. The first step is a comprehensive review of every customer-facing document, treated like a routine visit to a GP.

“You want to get those regularly checked every few years, and you do that by going to speak to lawyers,” he says. The scope should cover terms and conditions, quotations, purchase orders, invoices, warranties, instruction manuals and the entire website, since regulators actively target websites for non-compliant claims. “Every single time that you sell a product or a service, there’s a contract, and so you are using that contract multiple times, if not hundreds of times a day, week, month, a year,” he explains. “So, you really want to make sure the contract you’re relying on is actually going to be suitable for your needs and up-to-date and lawful.”

The review should also extend to employment contracts, a renowned source of compliance stress for SMEs and an area Lambert has flagged as a common blind spot. “Employment law is an area of law that changes frequently. It’s constantly being updated, and employment contracts are so important when things go bad,” he says.

Simon Obee, Head of HR Advisory at Employment Hero, agrees the risk isn’t just in the drafting, but in the decay of documents over time. “With the constant stream of legislative updates – such as the ban on obligations to keep your pay secret, or restrictions on the length of fixed-term contracts – a contract that was perfectly compliant a few years ago could be a compliance minefield today. Ensuring your business uses verified, up-to-date templates and authenticated processes is no longer a luxury. It’s a necessary safeguard against the regulatory risks that are now part of doing business in Australia.”

While it’s common for owners to play many roles within SMEs, Lambert suggests they draw the line at DIY legal work on contracts. “These things protect you from disastrous and costly consequences, and so it’s highly recommended that every business out there gets them drafted properly.”
