If you run a small business in Australia, there is a good chance you have never had to think too hard about the Privacy Act. For most small businesses, a longstanding exemption since 2001 has meant the law simply didn't apply.
That is about to change and if your business handles customer data, the clock is ticking to get your house in order.
A quick recap: What is the Privacy Act?
The Privacy Act 1988 is Australia's primary law governing how businesses collect, store, use and share personal information. It is built around a set of rules called the Australian Privacy Principles (APPs), which cover everything from how you tell customers what data you are collecting, to how you keep it secure to what happens when something goes wrong.
For years, most businesses with an annual turnover under $3 million have been exempt from these obligations. That exemption covered roughly 95% of Australian businesses, which is why so many owners and operators have never had to engage with the Privacy Act in any meaningful way.
That era is ending.
What is changing on 1 July 2026?
Here is the part most businesses don't see coming: the trigger isn't a direct change to the Privacy Act itself. It is a change to Australia's anti-money laundering laws.
From 1 July 2026, the Anti-Money Laundering and Counter-Terrorism Financing Act (AML-CTF Act) will expand to cover a much wider range of industries. Previously limited to the financial sector, it will now apply to:
- Accountants
- Lawyers and conveyancers
- Real estate professionals
- Dealers in high-value goods (jewellers, for example)
- And others in related professional services
Here is the catch: being regulated under the AML-CTF Act removes the small business exemption from the Privacy Act. So even if your turnover is well under $3 million, if your business falls into one of these newly regulated industries, you will be legally required to comply with the Privacy Act from 1 July, whether you are ready or not.
The Office of the Australian Information Commissioner (OAIC) estimates this will bring more than 100,000 small businesses into scope for the first time.
What does compliance actually require?
The good news is that Privacy Act compliance isn't about ticking a single box. The bad news is that it does require a genuine look at how your business handles data and not just a boilerplate policy on your website.
In practice, here is what compliance looks like:
Know what data you hold: You need to be able to identify what personal information your business collects, where it is stored and who has access to it. For many businesses, that data is spread across email platforms, CRMs, booking systems, cloud storage and accounting software, often with no clear map of where it all lives.
Have an accurate, up-to-date privacy policy: Vague, generic privacy statements won't meet the standard. Your policy needs to clearly reflect how your business actually collects and uses personal information, including any third-party platforms you rely on.
Own your third-party risk: If you use cloud-based software to store or process customer data, as most modern businesses do, you are responsible for ensuring those providers meet the required standard. That means checking the privacy and security practices of your CRM, your booking platform, your cloud storage and any other tools that touch personal information.
Be ready to respond to customer requests: Under the Privacy Act, individuals have the right to access, correct and in some cases request deletion of their personal information. You need to have a process for handling these requests and the systems in place to actually action them.
Have real security measures in place: Recent reforms have clarified that "reasonable steps" to protect personal information must include technical measures and not just written policies. Access controls, encryption, multi-factor authentication and regular security reviews are now part of the compliance picture, not optional extras.
The AI angle: a second deadline
There is a second deadline you need to know: 11 December 2026.
By that date, any business covered by the Privacy Act must update their privacy policy to disclose when automated decision-making is being used to make decisions that could affect a customer's rights or interests.
Many business owners won't immediately recognise this as something that applies to them. But if your business uses email marketing automation, customer scoring tools, AI-generated responses or any workflow that makes decisions about customers without direct human input, this requirement may apply to you.
As AI tools become more embedded in everyday business operations, the line between productivity software and regulated decision-making is getting blurrier. Getting clear on how your business uses these tools and documenting it is no longer just good practice. From December 2026, for many businesses, it will be a legal requirement.
What are the risks of getting this wrong?
The Privacy Act now has real enforcement teeth.
The regulator can issue infringement notices of up to $66,000 per contravention, as well as compliance notices specifying exactly what needs to be fixed and by when. A second tranche of reforms, currently being progressed by the federal government, is expected to introduce penalties that could reach $50 million, or 30% of a business's adjusted turnover, for serious or repeated breaches.
Beyond the legal risk, customers now have the right to pursue civil claims for serious invasions of privacy. And in professional services sectors such as accounting, legal and real estate, where client relationships are built on trust, the reputational cost of a privacy incident will almost always outweigh the legal cost.
What should you be doing now?
The businesses that act now won't be scrambling in June. Here is where to start:
- Audit your data. Map out what personal information your business collects, why you collect it, where it is stored and who can access it.
- Review your privacy policy. If it hasn't been updated recently, it almost certainly doesn't reflect how your business actually operates or what the law now expects.
- Check your vendors. Review the privacy and security practices of every third-party platform that handles your customer data.
- Tighten your security controls. Access management, multi-factor authentication and data retention policies are no longer just IT concerns; they are compliance requirements.
- Get clear on your AI usage. If your business uses any AI or automated tools that interact with customer data, document what they do and how decisions are made.
Don't wait until the last minute to get started, and reach out to us if you need help.