If you run a small or medium business in Australia, the Privacy Act is about to matter to you in ways it never has before. For over two decades, most businesses turning over less than $3 million were exempt from federal privacy law. That exemption is being dismantled — not in one hit, but through a series of reforms that are already underway.
The first tranche of changes passed Parliament in December 2024 and most of its provisions are already in force. A second tranche, which targets the blanket small business exemption itself, is being progressed by the Attorney-General's Department. And from 1 July 2026, a separate set of anti-money laundering reforms will bring more than 100,000 small businesses under the Privacy Act for the first time, regardless of whether the broader exemption has been formally removed by then.
The direction is unmistakable. If your business collects personal information from customers, staff, or suppliers, you need to understand what has changed, what is coming, and what you should be doing about it now.
The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024. It represents the most substantial change to Australian privacy law since the Act was introduced in 1988. The key reforms already in effect include:
A statutory tort for serious invasions of privacy. Since 10 June 2025, individuals can sue for serious invasions of privacy directly in the courts. This is not a complaint to the regulator; it is a civil cause of action, and plaintiffs can seek damages, including for emotional distress. The invasion must be intentional or reckless (negligence is not enough), the plaintiff must have had a reasonable expectation of privacy, and the public interest in that privacy must outweigh any countervailing public interest. Consent, authorisation by law, and certain public interest grounds are defences. The practical consequence for a small business: a purely careless data breach is unlikely to found a claim on its own, but deliberate or reckless misuse or disclosure of customer information can, whether or not the Privacy Act otherwise applies to you.
Enhanced enforcement powers for the OAIC. The Office of the Australian Information Commissioner can now issue infringement notices of up to $66,000 per contravention for administrative failures such as not maintaining a compliant privacy policy, without first taking the matter to court. The regulator has also gained new search, seizure, and compliance notice powers. Privacy Commissioner Carly Kind has been explicit: enforcement activity is ramping up.
Higher penalties across the board. The top tier, in place since December 2022, sets the maximum for serious or repeated interferences with privacy at the greatest of $50 million, three times the benefit obtained from the breach, or 30 per cent of adjusted turnover. The 2024 Act adds a mid-tier civil penalty for interferences that do not reach that threshold and a lower tier for administrative breaches, so there is now a penalty sized to fit a small business rather than only a headline figure aimed at large platforms. These are not theoretical numbers. They are designed to make non-compliance genuinely painful for businesses of any size.
Stronger security expectations. APP 11 now states explicitly that the "reasonable steps" required to protect personal information include both technical and organisational measures. A firewall alone does not meet that bar. You need documented policies, staff training, access controls, and incident response procedures, and you need to be able to show them when asked. If your security posture is not up to scratch, that is now a quantifiable legal exposure, not just an operational one.
Two separate deadlines are converging this year, and both affect small businesses.
Anti-money laundering reforms (1 July 2026). Tranche 2 of Australia's AML/CTF regime (not to be confused with the second tranche of Privacy Act reforms discussed below) extends reporting obligations to real estate agents, lawyers, accountants, conveyancers, trust and company service providers, and dealers in precious metals and stones. If your business provides any of these designated services, you become a "reporting entity" under the AML/CTF Act, and the Privacy Act will apply to your handling of personal information for those purposes even if you turn over less than $3 million. The OAIC estimates more than 100,000 small businesses will be affected by this change alone.
Automated decision-making transparency (10 December 2026). If your business uses a computer program to make, or to substantially and directly help make, decisions that could reasonably be expected to significantly affect an individual's rights or interests (AI-powered applicant screening, automated credit or tenancy assessments, algorithmic pricing that sets what a particular person is charged), your privacy policy will need to say so. It will need to describe the kinds of personal information those systems use and the kinds of decisions they make. The test is the decision, not the technology: a chatbot that only answers questions is not caught; one that decides whether a customer's request is approved is. If you use AI tools in your business, and many now do, work out which of them actually make or shape such decisions.
Children's Online Privacy Code (10 December 2026). A new code setting out obligations for online services likely to be accessed by children is being developed by the OAIC and must be registered by this date. If your business runs a website, app, or platform that children are likely to access (not merely one they theoretically could), you may be caught by additional requirements around data collection and consent.
This is where most of the confusion sits, so here is the honest answer.
The blanket $3 million turnover exemption has not been formally repealed yet. That change is expected in the second tranche of Privacy Act reforms. In February 2026, Attorney-General Michelle Rowland confirmed the government is "progressing" a second tranche but did not provide a timeline for introducing the Bill.
However, the practical reality is that the exemption is already being eroded from multiple directions:
The AML/CTF reforms bring 100,000+ small businesses under the Act from July 2026. The statutory tort for serious invasions of privacy is not limited to entities covered by the Privacy Act, so individuals can sue any person or business for a serious invasion of privacy, exemption or not. And the OAIC has stated publicly that it views the small business exemption as "no longer appropriate in light of the privacy risks posed by entities of all sizes."
Waiting for the formal repeal to start thinking about compliance is like waiting for the fire truck before you install smoke detectors. The risk is here now.
Some small businesses face higher immediate risk than others. You should be treating privacy compliance as urgent if your business:
Handles sensitive information. Health records, financial data, biometric data, or information about ethnicity, political opinions, or sexual orientation. Health service providers were already caught by the Act regardless of turnover — but many do not realise the full extent of their obligations.
Falls under the AML/CTF expansion. Real estate agents, lawyers, accountants, conveyancers, and precious metals dealers will be subject to the Privacy Act from 1 July 2026 for their AML/CTF data handling. If this is you, preparation should already be underway.
Collects personal data at scale. Running a mailing list of 10,000 contacts, operating a customer portal, or using a CRM full of client data means the consequences of a breach are significant — regardless of your turnover.
Uses AI or automated decision-making tools. If those tools make, or substantially shape, decisions that significantly affect individuals, the December 2026 transparency requirements apply. What matters is how a tool is used, not which vendor supplies it: automated lead scoring that decides who is offered credit terms is caught; AI chat features or scoring built into platforms such as HubSpot, Salesforce, or Microsoft 365 are caught only where they drive decisions of that kind. Inventory them now so you know which ones you will have to disclose.
Trades in personal information. If your business model involves collecting personal information for the purpose of selling, sharing, or using it for direct marketing, the exemption has never applied to you — but enforcement is now much sharper.
Run a personal information audit. Map every piece of personal information your business collects, where it is stored, who has access, how long you keep it, and whether you still have a reason to hold it. Include everything: CRM records, email lists, HR files, CCTV footage, website analytics, cloud backups. Information you no longer need should be destroyed or de-identified, which is itself an APP 11 obligation and shrinks what a breach can expose. You cannot protect what you cannot see.
Get a compliant privacy policy in place. The OAIC can now issue $66,000 infringement notices for failing to maintain a compliant privacy policy. Your policy needs to accurately describe what you collect, why, who you share it with, and how individuals can access or correct their data. If you are using automated decision-making systems, you will need to disclose that too by December 2026.
Tighten your cybersecurity. The Privacy Act now explicitly requires "technical and organisational measures" to protect personal information. It does not prescribe which ones, but a defensible baseline for most small businesses includes multi-factor authentication on every account that can reach customer data, endpoint detection and response, encrypted and tested backups, access controls based on least privilege, and a documented incident response plan. Keep evidence that these controls exist and are reviewed; "reasonable steps" is judged after the fact, on what you can show. If you are not sure where your gaps are, the SMB1001 framework provides a structured, tiered approach to getting your security baseline right, and its controls broadly align with what the OAIC expects to see.
Prepare a data breach response plan. Under the Notifiable Data Breaches scheme, if you experience a breach that is likely to result in serious harm to any individual, you must notify the OAIC and the affected individuals as soon as practicable, and if you only suspect such a breach you have 30 days to complete your assessment. That clock does not allow for working out your response after the fact. Build the plan now, including who decides whether a breach is notifiable and who contacts the regulator, test it with your team, and make sure everyone knows their role.
Talk to your IT provider. If your managed IT provider cannot explain how your data is being protected, where your backups are stored, or how access controls are configured, that is a gap you need to close. Your IT partner should be helping you meet these obligations, not leaving you to figure it out alone.
It depends on your industry and activities. If you provide designated services under the AML/CTF regime (real estate, legal, accounting, conveyancing), the Privacy Act will apply to your AML/CTF data handling from 1 July 2026. If you handle health information, trade in personal data, or are a government contractor, you are already covered regardless of turnover. The blanket removal of the $3 million small business exemption is expected in a future reform tranche but has not yet been legislated.
Penalties for serious or repeated breaches can reach $50 million, three times the benefit obtained, or 30 per cent of adjusted turnover — whichever is highest. The OAIC can also issue infringement notices of up to $66,000 per contravention for lower-level failures like not maintaining a compliant privacy policy. Additionally, individuals can now sue directly for serious invasions of privacy.
Since June 2025, individuals have a personal right to sue another party for serious invasions of privacy through the courts. The invasion must be intentional or reckless, and the individual must have had a reasonable expectation of privacy. Plaintiffs can seek damages including for emotional harm. This right applies broadly and is not limited by the small business exemption.
By 10 December 2026, businesses covered by the Privacy Act must update their privacy policies to disclose when they use computer systems to make decisions that could significantly affect individuals. This includes disclosing the types of personal information used and the kinds of decisions made. If your business uses AI tools, chatbots, automated screening, or algorithmic decision-making, you will need to audit those systems and update your documentation.
Start with a personal information audit to map what you collect and where it is stored. Get a compliant privacy policy in place. Strengthen your cybersecurity with measures like multi-factor authentication and endpoint protection. Build a data breach response plan. Review any automated decision-making tools your business uses. Frameworks like SMB1001 can help you structure your approach. If you need help, talk to your IT provider or book a free security assessment.