For decades, the Privacy Act 1988 (Cth) included a small business exemption that kept most Australian businesses with an annual turnover under $3 million outside the reach of federal privacy law. That exemption is being removed. From 10 December 2026, an estimated 2.5 million additional Australian businesses will come under the full scope of the Privacy Act and be required to comply with all 13 Australian Privacy Principles.
If your business has fewer than 20 staff, operates in professional services, trades, hospitality, retail, or virtually any other sector, and collects personal information about customers, clients, or employees, this change applies to you. The question is no longer whether you need to prepare. The question is whether you have enough time left to do it properly.
This guide explains what is changing, what the new obligations mean in practice, and what steps your business needs to take before December 2026.
What Is the Australian Privacy Act Small Business Exemption?
The Privacy Act 1988 has long required organisations with an annual turnover above $3 million to comply with the 13 Australian Privacy Principles. These principles govern how personal information is collected, used, stored, disclosed, and destroyed.
Small businesses below the $3 million threshold were largely exempt from these obligations. As a result, the majority of Australian businesses operated without a formal privacy policy, without data breach response plans, and without any structured approach to consent management.
The Privacy and Other Legislation Amendment Act 2024 removes this exemption. The legislative changes are phased, with the small business exemption removal commencing on 10 December 2026. That deadline gives businesses a finite window to build and embed a compliant privacy framework before the law takes full effect.
Why This Matters More Than You Think
2.5 Million Businesses Are Now in Scope
The scale of this change is significant. Approximately 2.5 million Australian businesses that previously had no formal obligations under the Privacy Act will become regulated entities from December 2026. Most of these are small businesses operating in sectors like real estate, healthcare, retail, trades, hospitality, and professional services.
This is not a technical compliance exercise designed for large enterprises. It directly affects small business owners, operators, and the IT systems they rely on every day.
The OAIC Is Already Enforcing
The Office of the Australian Information Commissioner (OAIC) is not waiting until December 2026 to signal its intent. The OAIC is currently running its first-ever compliance sweep, targeting approximately 60 organisations across real estate, healthcare, and retail sectors.
The focus of this sweep is whether organisations have adequate privacy policies and whether those policies are being followed in practice. This enforcement activity is a clear signal that the regulator is building its capability and appetite for action ahead of the broader expansion of Privacy Act coverage.
The Penalties Are Substantial
Non-compliance carries real financial consequences. For serious or repeated breaches of the Privacy Act, penalties can reach up to $50 million or 30 per cent of adjusted annual turnover, whichever is greater. For smaller contraventions, including operating with a privacy policy that does not comply with the Australian Privacy Principles, penalties of up to $66,000 per breach apply.
These are not figures reserved for large corporations. Once small businesses are covered by the Act, they are subject to the same penalty framework as everyone else.
What Changes on 10 December 2026
The 13 Australian Privacy Principles Apply in Full
From December 2026, newly covered small businesses must comply with all 13 Australian Privacy Principles. These principles cover every stage of the personal information lifecycle.
Collection (APPs 1 to 4)
Businesses must have an up-to-date privacy policy, only collect personal information that is reasonably necessary, notify individuals at the time of collection, and not collect sensitive information without explicit consent.
Use and Disclosure (APPs 5 to 7)
Personal information can only be used or disclosed for the primary purpose for which it was collected, or for secondary purposes with consent or in limited circumstances defined by law. Direct marketing has specific opt-out requirements under APP 7.
Data Quality and Security (APPs 10 and 11)
Businesses must take reasonable steps to keep personal information accurate and up to date, and must protect it from misuse, interference, loss, and unauthorised access or disclosure.
Access and Correction (APPs 12 and 13)
Individuals have the right to access the personal information a business holds about them and to request corrections. Businesses must have a documented process to handle these requests within reasonable timeframes.
The Notifiable Data Breaches Scheme Applies
The Notifiable Data Breaches (NDB) scheme, which already applies to large organisations, will extend to newly covered businesses from December 2026. Under the NDB scheme, if a data breach occurs that is likely to cause serious harm to one or more individuals, the business must notify both the OAIC and the affected individuals as soon as practicable.
This means small businesses need a documented data breach response plan before the deadline. Discovering a breach and then working out what to do is not an acceptable approach under the NDB scheme. The expectation is that you have already planned your response.
Automated Decision-Making Transparency Obligations
One of the most forward-looking changes commencing on 10 December 2026 is the introduction of automated decision-making (ADM) transparency obligations. Businesses that use artificial intelligence or algorithmic systems to make decisions about customers, such as pricing decisions, loan assessments, content personalisation, or eligibility determinations, will be required to disclose this in their privacy policies.
This is a direct response to the growing use of AI tools across Australian businesses. If your business uses any system that makes or significantly influences decisions about individuals, you will need to describe this clearly and in plain language in your privacy policy from December 2026.
Meaningful Consent Rules Are Tightening
The changes also address how businesses obtain consent from individuals. Pre-ticked boxes, bundled consent clauses buried in terms and conditions, and vague authorisations are no longer acceptable. Consent must be informed, specific, voluntary, and current.
Businesses that rely on default opt-ins or that lump privacy consent together with other agreements will need to redesign their consent flows before the December deadline. This applies to website forms, booking systems, email sign-ups, and any other touchpoint where you collect customer information.
What Your Business Needs to Do Before December 2026
The following nine steps represent the minimum compliance baseline for a small business preparing for Privacy Act coverage. Each step builds on the last, so working through them in order is the most efficient approach.
1. Conduct a Data Audit
Start by understanding what personal information your business actually holds. Map out what you collect, why you collect it, where it is stored, how long you keep it, and who can access it. This audit provides the foundation for every other compliance step. Without knowing what data you hold, you cannot manage it properly or protect it effectively.
2. Write or Update Your Privacy Policy
Your privacy policy must comply with all 13 Australian Privacy Principles. It needs to explain what information you collect, why you collect it, how you use and disclose it, whether you send it overseas, how individuals can access or correct their information, and how they can make a complaint.
If your current privacy policy is a generic template downloaded years ago, it almost certainly does not meet these requirements. A compliant privacy policy is specific to your business, reflects your actual data practices, and is written in plain language that your customers can actually understand.
3. Implement a Complaints and Access Process
Individuals have the right to request access to the personal information your business holds about them and to request corrections if that information is inaccurate. They also have the right to make a complaint if they believe your business has mishandled their data. Your business needs a documented process for handling these requests, including nominated contact details and reasonable timeframes for response.
4. Establish a Data Breach Response Plan
Under the NDB scheme, a reportable data breach requires prompt notification to both the OAIC and affected individuals. Your response plan should define what constitutes a reportable breach, who is responsible for assessing and containing it, how and when notifications will be issued, and how the incident will be documented for regulatory purposes.
A breach response plan that exists only in someone’s head is not a plan. It needs to be written, tested, and understood by everyone in the business who might be first to identify an incident.
5. Review Your Consent Mechanisms
Audit every point where your business collects consent from customers or prospects. This includes website forms, booking systems, email sign-ups, and any point-of-sale or onboarding process where personal information is gathered. Replace pre-ticked boxes with explicit opt-in mechanisms. Separate privacy consent from other terms where the two are currently bundled together. Document what people are consenting to and when.
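As an added illustration of the consent rules from the Meaningful Consent section and this step (example code, not from the article or Otto IT): a small JavaScript model of a sign-up form's consent checkboxes that records each purpose separately, never treats a pre-ticked box as consent, and reports which of the four tests (informed, specific, voluntary, current) a stored record fails. The purpose names, notice version and 365-day refresh period are assumptions.

```javascript
// Constructed values for illustration; a real deployment would load these from
// the published privacy notice and the business's own consent policy.
const CURRENT_NOTICE_VERSION = "2026-12";        // assumed label of the live notice
const DECLARED_PURPOSES = new Set([              // assumed purposes described in it
  "booking", "marketing_email", "sms_reminders",
]);
const MAX_CONSENT_AGE_DAYS = 365;                // assumed refresh period

// A form field as the front end describes it: one checkbox, the purposes it
// covers, whether it was rendered pre-ticked, and whether it was ticked on submit.
// Produces one stored consent record; `now` is passed in so results are reproducible.
function recordFromField(field, noticeVersion, now) {
  const preTicked = field.defaultChecked === true;
  return {
    purposes: field.purposes,
    preTicked,
    // A box that started ticked cannot show a voluntary choice, whatever its final state.
    granted: !preTicked && field.checked === true,
    grantedAt: !preTicked && field.checked === true ? now.toISOString() : null,
    noticeVersion,                                // which notice text the person saw
    withdrawnAt: null,
  };
}

// Reasons a stored record cannot be relied on as meaningful consent.
// An empty array means all four tests pass.
function consentProblems(record, now) {
  const problems = [];
  if (record.preTicked) problems.push("voluntary: box was pre-ticked");
  if (!record.granted) problems.push("voluntary: no explicit opt-in recorded");
  if (record.purposes.length !== 1) problems.push("specific: one box bundled several purposes");
  for (const p of record.purposes) {
    if (!DECLARED_PURPOSES.has(p)) problems.push(`informed: purpose "${p}" not in notice`);
  }
  if (record.noticeVersion !== CURRENT_NOTICE_VERSION) {
    problems.push("informed: consent given under a superseded notice");
  }
  if (record.granted) {
    const ageDays = (now - new Date(record.grantedAt)) / 86400000;
    if (ageDays > MAX_CONSENT_AGE_DAYS) problems.push("current: consent older than refresh period");
  }
  if (record.withdrawnAt) problems.push("current: consent has been withdrawn");
  return problems;
}

// Withdrawal must be as easy as giving consent; it is recorded, not deleted,
// so the history of what was agreed and when survives for an access request.
function withdrawConsent(record, now) {
  return { ...record, withdrawnAt: now.toISOString() };
}

module.exports = { recordFromField, consentProblems, withdrawConsent };
```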
6. Adopt Privacy by Design
Privacy by design means building privacy protections into your systems and processes from the start, rather than adding them as an afterthought. When you implement a new customer management system, update your website, or introduce a new service workflow, privacy considerations should be part of the design process from day one. This approach reduces the cost and complexity of compliance over time.
7. Review Third-Party Processors and Overseas Data Transfers
If your business shares personal information with third-party software providers, cloud services, or overseas contractors, APP 8 places obligations on you regarding those cross-border transfers. You need to understand where your data goes, what contractual protections are in place, and whether those arrangements meet the Privacy Act requirements. Many common business tools, including email platforms and cloud storage services, store data on overseas servers by default.
8. Implement Security Measures and Staff Training
Technical and organisational security is a core requirement under the Privacy Act. This includes access controls, encryption where appropriate, secure disposal of data that is no longer needed, and regular software updates. It also means making sure your staff understand their obligations under the Act. A well-intentioned employee who does not know the rules is still a compliance and reputational risk.
Our managed cybersecurity services are designed to help businesses like yours build the technical foundation for data security without needing an in-house IT team to manage it around the clock.
9. Add AI and Automated Decision-Making Disclosures
If your business uses any AI tools or algorithmic systems that make decisions about customers or individuals, you need to document this in your privacy policy before December 2026. This includes automated marketing tools that segment customers, pricing engines that adjust rates based on data profiles, and any workflow automation that influences individual outcomes. The disclosure must be written in plain language and must accurately describe how the technology is used.
The IT Dimension: Why Your Technology Choices Matter
Privacy compliance is not just a legal exercise. It is also an IT challenge. The way your business stores data, who can access it, how it is backed up, and how breaches are detected and contained all depend on the technology you use and how it is configured.
Small businesses that have grown organically often end up with personal data scattered across multiple systems: a CRM in one place, a shared inbox in another, spreadsheets on someone’s desktop, and cloud storage that was set up without much thought about access controls. Cleaning this up and implementing a coherent data management approach takes time and technical effort. Starting early is significantly less disruptive than rushing before a regulatory deadline.
Common IT issues that create Privacy Act exposure include:
- Personal data stored in email inboxes rather than secure, auditable systems
- Cloud services configured with overly broad access permissions
- Customer databases without audit trails or access logging
- No documented backup and recovery process in place
- Software and devices that are not regularly patched or updated
- Staff using personal devices to access business data without any controls
- No process for securely disposing of data when it is no longer needed
Addressing these issues before December 2026 is not optional. If a data breach occurs and regulators find that basic security controls were not in place, the consequences are significantly more serious than if a reasonable security posture had been maintained.
Is Your Business Actually Covered? Key Questions to Ask
Not every business will be affected in exactly the same way, but the vast majority of small businesses that collect any kind of customer or employee information will be covered. Use these questions to understand your exposure.
- Do you collect personal information? Personal information includes names, contact details, email addresses, payment details, health information, location data, photos, and any other information about an identifiable individual. If the answer is yes, which it is for almost every business, you will be covered from December 2026.
- Do you have fewer than 20 staff? If you previously relied on the small business exemption, December 2026 is the date your full Privacy Act obligations begin.
- Do you use AI tools in your operations? Automated decision-making disclosure obligations apply from the same date. Review all AI-assisted systems before the deadline and update your privacy policy accordingly.
- Do you send customer data overseas? Many common business tools, including email platforms, CRMs, and cloud storage services, store data on overseas servers. This triggers APP 8 obligations that require you to take reasonable steps to ensure overseas recipients handle the data in accordance with Australian Privacy Principles.
- Do you have a privacy policy? If not, you need one before December 2026. If you do have one, it almost certainly needs to be reviewed and updated to reflect the full requirements of all 13 APPs.
Frequently Asked Questions
When does the small business exemption removal take effect?
The small business exemption removal commences on 10 December 2026. From that date, businesses previously exempt under the $3 million turnover threshold will be required to comply with all 13 Australian Privacy Principles and the broader obligations of the Privacy Act 1988.
How many businesses will be affected by this change?
Approximately 2.5 million additional Australian businesses will come within the scope of the Privacy Act when the exemption is removed. This represents a substantial expansion of the regulated population under Australian privacy law.
What are the penalties for non-compliance?
For serious or repeated privacy breaches, penalties can reach up to $50 million or 30 per cent of adjusted annual turnover, whichever is greater. For less serious contraventions, including having a privacy policy that does not comply with the Australian Privacy Principles, penalties of up to $66,000 apply.
Do I need a privacy policy if I run a small business?
Yes. From December 2026, all businesses covered by the Privacy Act must have an APP-compliant privacy policy that is available to the public. This document must explain how the business collects, uses, stores, and discloses personal information, and how individuals can access their data or make a complaint.
What is the Notifiable Data Breaches scheme?
The NDB scheme requires businesses to notify both the OAIC and affected individuals when a data breach occurs that is likely to cause serious harm. This obligation will extend to newly covered small businesses from December 2026, meaning you need a breach response plan in place before that date.
What are automated decision-making transparency obligations?
From 10 December 2026, businesses that use AI or algorithmic systems to make or significantly influence decisions about individuals must disclose this practice in their privacy policies. This applies to tools that automate pricing, eligibility assessments, content recommendations, marketing segmentation, and similar functions.
What are meaningful consent requirements?
Meaningful consent means that individuals must actively and explicitly agree to the collection and use of their personal information. Pre-ticked boxes, bundled consent buried in terms and conditions, and vague opt-in language are no longer sufficient. Consent must be informed, specific, voluntary, and easy to withdraw.
How can Otto IT help my business prepare?
Otto IT works with small and medium businesses across Australia to build secure, compliant IT environments. Our managed cybersecurity services include data security controls, access management, and breach detection that directly support Privacy Act compliance. You can also get in touch with our team to discuss your specific situation and what preparation looks like for your business.
Start Preparing Now
December 2026 is closer than it looks. Businesses that leave compliance preparation to the final months will face rushed decisions, higher costs, and greater risk of getting it wrong. The OAIC’s current enforcement sweep is a direct signal that the regulator is watching the sector closely and building its capability to take action when businesses fall short.
The good news is that Privacy Act compliance, approached methodically and with the right support, is achievable for businesses of any size. The key is to start the data audit, engage the right expertise, and build the framework before the deadline arrives rather than scrambling in its final weeks.
If you want to understand what Privacy Act compliance means for your specific business and IT environment, book a conversation with our team. We will walk through your current setup, identify the gaps, and help you build a practical plan that fits your business and your budget.