Rules Mate

The biggest privacy reform in 35 years

Privacy Act 2026 hub

The statutory tort for serious invasions of privacy is already live. From 10 December 2026, automated decision-making transparency and the Children's Online Privacy Code commence. Removal of the small business exemption — which would bring ~2.3M SMBs into scope — is proposed for a future tranche, agreed in principle but not yet law.

ADM transparency + Children's Code: 10 December 2026

The Privacy and Other Legislation Amendment Act 2024 is the most significant reform to the Privacy Act 1988 since its enactment. Tranche 1 reforms commenced in stages from 10 June 2025 (statutory tort, doxxing offence, NDB scheme enhancements, civil penalty tiers), and from 10 December 2026 (Children's Online Privacy Code, automated decision-making transparency).

Removing the small business exemption — which currently shields businesses with annual revenue under $3M from APP compliance — was recommended in the Privacy Act Review and agreed in principle by the Government, but it was not part of the first reform tranche and has no commencement date yet. If enacted in a future tranche it would bring ~2.3M Australian small businesses into APP scope for the first time: privacy policy, notice on collection, secure handling, breach notification, individual access + correction rights.

On top: a private right of action for serious invasions of privacy (statutory tort, in force from 10 June 2025), the OAIC's first sector-specific privacy sweep, and Tranche 2 (information controllers / processors regime) in scoping.

Free tools

Key obligations

Regulator guidance

Regulators

FAQ

Is the small business exemption being removed?

It's proposed, not yet law. Businesses with annual turnover under $3M are currently exempt. Removing that exemption was recommended in the Privacy Act Review and agreed to in principle by the Government, but it was not part of the first reform tranche and has no commencement date. If enacted in a future tranche, ~2.3M small businesses would become APP entities — privacy policy required, notice on collection, secure handling, NDB notification, individual access + correction rights. Sole traders' purely personal records would remain out of scope.

What's the statutory tort for invasion of privacy?

From 10 June 2025, individuals can sue for serious invasions of privacy without needing to establish breach of an Australian Privacy Principle. Two limbs: intrusion upon seclusion + misuse of private information. Damages plus declaratory + injunctive relief. Defences include lawful authority, defamation defences, public interest.

What's the Children's Online Privacy Code?

Mandatory code from 10 December 2026 governing online services likely to be accessed by children. OAIC is consulting through 2026 on content (likely default privacy settings, age assurance, data minimisation, parental consent). Applies to any APP entity providing online services.

What automated decision-making must be disclosed?

From 10 December 2026, APP entities making decisions about individuals with legal or similarly significant effect using ADM must disclose this in their privacy policy. Examples: credit scoring, insurance pricing, employment screening, government benefit eligibility.

What are the new civil penalty tiers?

Tier 1 (most serious): up to $50M / 3x benefit / 30% adjusted turnover. Tier 2 (serious): up to $3.3M per contravention. Tier 3 (administrative): infringement notices up to $66K body corporate, $13.2K individual.

When must I notify a notifiable data breach?

As soon as practicable after becoming aware of an eligible data breach (likely to result in serious harm). Notify both the OAIC and affected individuals. Failure attracts civil penalties.

Free assessment

What compliance applies to my business?

2-minute structured check → personalised list of obligations.

AI advisor (waitlist)

Ask any compliance question

Coming Phase 2 — grounded answers with citations.

Related hubs