From December 2026, every Australian business regardless of revenue must comply with the Privacy Act. The $3 million turnover exemption is being removed. Small businesses need to audit their data, update privacy policies, implement consent mechanisms, document automated decisions, and train staff before the deadline.
Since the Privacy Act 1988 was extended to the private sector in 2001, businesses with annual turnover under $3 million have been exempt from most of its obligations. The exemption made sense when small businesses handled limited personal data. It does not make sense in 2026, when a five-person business might hold thousands of customer records, process payments, run email marketing, use AI tools, and collect website analytics.
The Attorney-General's Department proposed removing this exemption following the Privacy Act Review, and Parliament passed the amendments in early 2026. The changes take effect in December 2026, giving businesses roughly eight months from the announcement to comply.
This is not a minor regulatory update. It fundamentally changes the compliance landscape for an estimated 2.4 million Australian small businesses that were previously exempt.
March 2026
Privacy Act amendments passed by Parliament. Small business exemption removal confirmed with December 2026 effective date.
June 2026
OAIC publishes final guidance for small businesses on compliance requirements. Updated Australian Privacy Principles guidance released.
September 2026
Recommended deadline for having your privacy policy, consent mechanisms, and data inventory in place. Allows three months of buffer before enforcement begins.
December 2026
Small business exemption formally removed. All Australian Privacy Principles apply to every business. Mandatory data breach notification scheme extends to all businesses.
2027 onwards
OAIC begins active enforcement and auditing of previously-exempt businesses. When the 12-month transition period that starts in December 2026 ends, full penalty provisions apply.
These are not optional recommendations. They are the minimum requirements for compliance under the amended Privacy Act. Start now because several of these take weeks or months to implement properly.
You cannot protect data you do not know you have. The first step is a complete audit of every system, spreadsheet, email account, and physical filing cabinet that contains personal information.
Data Audit Checklist
Customer databases (CRM, accounting software, email lists)
Employee records (payroll, HR systems, performance reviews)
Website analytics and tracking (cookies, form submissions, chat logs)
Third-party tools that process personal data (AI tools, marketing platforms, payment processors)
Physical records (paper files, business cards, printed customer lists)
Backups and archives (old hard drives, cloud storage, email archives)
For each data source, document what personal information is collected, why it is collected, where it is stored, who has access, how long it is retained, and whether it is shared with third parties. This inventory becomes the foundation for everything else.
Most small businesses either do not have a privacy policy or have a generic template that does not reflect their actual data practices. Under the amended Act, your privacy policy must be specific, accurate, and written in plain language.
Your policy must cover: what personal information you collect and why, how you collect it (directly from individuals, from third parties, or through automated means), how you use and disclose it, how individuals can access and correct their information, how you handle complaints, whether you disclose information overseas (and to which countries, where practicable), and how you secure the data. These are the matters Australian Privacy Principle 1 requires a privacy policy to address, so use them as a checklist when reviewing a template.
If you use AI tools that process personal data, your privacy policy must disclose this. That includes using AI for customer profiling, automated communications, hiring decisions, or data analysis. The OAIC's AI guidance provides specific requirements for AI transparency in privacy policies.
Consent under the Privacy Act means informed, voluntary, current, and specific agreement, given by someone with the capacity to give it. Pre-ticked boxes, terms buried in a long agreement, and consent implied from continued use of a website do not meet that standard. One caveat a practitioner should keep in mind: the Australian Privacy Principles require consent in particular situations rather than for every collection. Consent is needed to collect sensitive information (health, biometric, and similar data) and to use or disclose information for a purpose the individual would not reasonably expect. For other collection, the core obligations are that the collection is reasonably necessary for your functions and that you notify the individual of what you collect and why (APP 5). Treat the review of collection points described next as a review of your collection notices as well.
Practically, this means reviewing every point where you collect personal information and ensuring there is a clear, affirmative consent mechanism. This includes website forms, email sign-ups, customer onboarding processes, and any data collection that happens through third-party integrations.
You also need a mechanism for individuals to withdraw consent. If someone asks you to stop using their data, you need a process to action that request across all your systems, not just one database but every spreadsheet, backup, and third-party tool that holds their information.
This is the requirement that catches most businesses off guard. If you use any form of automation or AI to make decisions that affect individuals, you must document it and be transparent about it.
The scope is broader than most people realise. It includes automated email sequences that segment customers based on behaviour, AI-powered chatbots that handle customer enquiries, credit scoring or risk assessment tools, automated pricing based on customer profiles, AI tools used in hiring or performance reviews, and any algorithm that determines what content, products, or services a customer sees.
For Each Automated Decision, Document
What the automated system does and what decisions it makes
What personal data it uses as inputs
How the decision criteria work (in plain language)
How an individual can request human review of the decision
What safeguards are in place to prevent errors or bias
For a detailed breakdown of how automated decision-making requirements work in practice, see our guide on automated decision-making and the Privacy Act.
Privacy compliance is not a one-off project. It requires ongoing awareness across your team. Every employee who handles personal information needs to understand what they can and cannot do with it, how to respond to data access requests, and what constitutes a data breach.
Training does not need to be elaborate. For most small businesses, a two-hour session covering the basics, followed by quarterly reminders and updates, is sufficient. What matters is that your team understands the practical implications: do not email spreadsheets of customer data, do not paste personal information into AI tools without understanding the data handling, and report any suspected data breaches immediately.
Designate one person as your privacy contact. This does not need to be a dedicated role, but someone must be accountable for handling privacy enquiries, managing data access requests, and coordinating breach response if something goes wrong.
The 2026 amendments include specific provisions for automated decision-making and AI that go beyond general privacy obligations. If your business uses AI in any capacity, these apply to you.
You must tell individuals when AI is being used to make decisions about them. This applies to customer-facing AI (chatbots, personalised recommendations, automated responses) and back-office AI (credit decisions, risk scoring, automated approvals or rejections). The disclosure must be clear and specific, not buried in a 40-page terms and conditions document.
Individuals have the right to request that a human reviews any automated decision that significantly affects them. "Significantly affects" includes decisions about access to services, pricing, employment, creditworthiness, and similar outcomes. You need a process for receiving these requests, escalating them to a human decision-maker, and communicating the outcome.
For high-risk AI applications, the OAIC expects businesses to conduct privacy impact assessments before deployment. High-risk includes any AI that processes sensitive information, makes decisions about vulnerable populations, or operates at scale. The assessment should evaluate privacy risks, document mitigation strategies, and be reviewed regularly. Our AI governance framework guide walks through how to structure these assessments.
AI systems must not produce outcomes that discriminate on the basis of protected attributes (race, gender, age, disability, and others). That obligation comes from Australian anti-discrimination law, which applies alongside the Privacy Act, and it is challenging to meet because AI models can encode biases present in training data without the business being aware. Regular auditing of AI outputs for discriminatory patterns is not explicitly required but is strongly recommended by the OAIC and practically necessary to avoid complaints and penalties.
The Privacy Act's penalty provisions were significantly increased in late 2022 to align with other Australian regulatory regimes, and from December 2026 those provisions apply to newly-covered small businesses as well. The maximum penalty for a serious or repeated interference with privacy is the greater of:
$50 million
The base statutory maximum, which applies regardless of revenue. Courts set the actual penalty, but this ceiling alone should get the attention of every small business owner.
Three times the benefit obtained
If the court can quantify the financial benefit gained from the privacy breach, the penalty can be up to three times that amount.
30% of adjusted turnover
For larger businesses, the penalty can scale to 30% of the business's adjusted turnover for the period of the contravention. This tier mirrors the penalty regime in the Competition and Consumer Act rather than the GDPR's percentage-of-turnover model, and it is the reason Australian maximums can exceed the GDPR's 4% ceiling.
In practice, the OAIC is more likely to take an education-first approach with newly-covered small businesses during the transition period. But do not rely on leniency. A data breach affecting customer records, even at a small business, can trigger mandatory notification requirements and regulatory scrutiny. The reputational damage alone can be devastating for a small business that depends on trust.
One of the most operationally significant changes is the extension of the Notifiable Data Breaches scheme to all businesses. Previously, small businesses under the $3 million threshold were exempt. From December 2026, if your business has reasonable grounds to believe an eligible data breach has occurred, meaning unauthorised access to, disclosure of, or loss of personal information that a reasonable person would conclude is likely to result in serious harm to any affected individual, and you have not prevented that harm through remedial action, you must:
Assess any suspected breach promptly. The scheme allows at most 30 days from becoming aware of a suspected breach to complete the assessment.
Notify the OAIC as soon as practicable after concluding that an eligible breach has occurred, with a statement describing the breach, the kinds of information involved, and the steps individuals should take.
Notify affected individuals with the same details, directly where practicable, or by publishing the statement where direct contact is not.
Take reasonable steps to contain the breach and mitigate harm.
"Serious harm" includes financial loss, identity theft, damage to reputation, and physical harm. Given that most businesses hold financial information, contact details, and identification documents, the threshold for notification is lower than many business owners assume.
You need a data breach response plan before December 2026. The plan should cover how you detect breaches, who is responsible for assessment and response, your notification process, and your communication templates. Having this in place before a breach occurs is the difference between a controlled response and a chaotic one.
If your business uses AI, privacy compliance and AI governance overlap significantly. A structured AI governance framework addresses many Privacy Act requirements simultaneously.
An AI governance framework documents what AI systems you use, what data they process, what decisions they make, and what safeguards are in place. This documentation directly satisfies the automated decision-making transparency requirements under the amended Act.
It also establishes processes for impact assessments, regular audits, bias testing, and human oversight, all of which the OAIC expects from businesses using AI to process personal information. Rather than treating privacy compliance and AI governance as separate projects, smart businesses address them together.
For businesses that are starting from scratch, our AI governance framework guide provides a practical starting point that covers both AI best practice and Privacy Act compliance.
Eight months sounds like a lot of time. It is not, especially if you have never dealt with privacy compliance before. Here is a realistic timeline.
April to May: Data audit
Map every system that holds personal information. Document what data you have, where it lives, who can access it, and how long you keep it. This is the foundation for everything else.
June to July: Policy and process
Write your privacy policy based on the audit findings. Set up consent mechanisms on your website and customer touchpoints. Create your data breach response plan.
August to September: AI and automation documentation
Document all automated decision-making systems. Conduct impact assessments for high-risk AI. Implement human review processes.
October to November: Training and testing
Train your team on privacy obligations. Test your breach response plan. Review and refine your processes based on the OAIC's final guidance (published June 2026).
If this feels overwhelming, you are not alone. Most small businesses have never had to think about privacy compliance at this level. The good news is that the fundamentals are straightforward: know what data you have, be honest about how you use it, protect it properly, and be ready to respond when something goes wrong.
Our free AI Readiness Review includes a governance and compliance assessment. Find out where your business stands on AI governance, data handling, and Privacy Act preparedness in five minutes.
Take the AI Readiness Review