The biggest privacy reform in 35 years
Privacy Act 2026 hub
The statutory tort for serious invasions of privacy is already live. From 10 December 2026, automated decision-making transparency and the Children's Online Privacy Code commence. Removal of the small business exemption — which would bring ~2.3M SMBs into scope — is proposed for a future tranche, agreed in principle but not yet law.
⏰ ADM transparency + Children's Code: 10 December 2026
The Privacy and Other Legislation Amendment Act 2024 is the most significant reform to the Privacy Act 1988 since its enactment. Tranche 1 reforms commenced in stages from 10 June 2025 (statutory tort, doxxing offence, NDB scheme enhancements, civil penalty tiers), and from 10 December 2026 (Children's Online Privacy Code, automated decision-making transparency).
Removing the small business exemption — which currently shields businesses with annual revenue under $3M from APP compliance — was recommended in the Privacy Act Review and agreed in principle by the Government, but it was not part of the first reform tranche and has no commencement date yet. If enacted in a future tranche it would bring ~2.3M Australian small businesses into APP scope for the first time: privacy policy, notice on collection, secure handling, breach notification, individual access + correction rights.
On top: a private right of action for serious invasions of privacy (statutory tort, in force from 10 June 2025), the OAIC's first sector-specific privacy sweep, and Tranche 2 (information controllers / processors regime) in scoping.
Free tools
Key obligations
Privacy statutory tort (serious invasions of privacy)
From June 2025 — serious invasion of privacy actionable in tort.
Children's Online Privacy Code 2026
OAIC developing mandatory children's online privacy code (in force December 2026).
Automated Decision-Making transparency (Privacy Act 2024 reforms)
APP entities making decisions about individuals using ADM must disclose this in privacy policy from December 2026.
Regulator guidance
- Guidelines
Australian Privacy Principles (APP) Guidelines
OAIC's primary interpretive guide to all 13 APPs.
- Guidelines
Notifiable Data Breaches (NDB) scheme
Eligible data breach assessment + 72-hour notification.
- Guidance
Privacy Act 2024 reforms — implementation guidance
Statutory tort, Children's Code, ADM disclosure + proposed small business exemption removal.
- Guidance
Children's online privacy
OAIC mandatory Children's Code in force from 10 December 2026.
Regulators
FAQ
Is the small business exemption being removed?
It's proposed, not yet law. Businesses with annual turnover under $3M are currently exempt. Removing that exemption was recommended in the Privacy Act Review and agreed to in principle by the Government, but it was not part of the first reform tranche and has no commencement date. If enacted in a future tranche, ~2.3M small businesses would become APP entities — privacy policy required, notice on collection, secure handling, NDB notification, individual access + correction rights. Sole traders' purely personal records would remain out of scope.
What's the statutory tort for invasion of privacy?
From 10 June 2025, individuals can sue for serious invasions of privacy without needing to establish breach of an Australian Privacy Principle. Two limbs: intrusion upon seclusion + misuse of private information. Damages plus declaratory + injunctive relief. Defences include lawful authority, defamation defences, public interest.
What's the Children's Online Privacy Code?
Mandatory code from 10 December 2026 governing online services likely to be accessed by children. OAIC is consulting through 2026 on content (likely default privacy settings, age assurance, data minimisation, parental consent). Applies to any APP entity providing online services.
What automated decision-making must be disclosed?
From 10 December 2026, APP entities making decisions about individuals with legal or similarly significant effect using ADM must disclose this in their privacy policy. Examples: credit scoring, insurance pricing, employment screening, government benefit eligibility.
What are the new civil penalty tiers?
Tier 1 (most serious): up to $50M / 3x benefit / 30% adjusted turnover. Tier 2 (serious): up to $3.3M per contravention. Tier 3 (administrative): infringement notices up to $66K body corporate, $13.2K individual.
When must I notify a notifiable data breach?
As soon as practicable after becoming aware of an eligible data breach (likely to result in serious harm). Notify both the OAIC and affected individuals. Failure attracts civil penalties.
Free assessment
What compliance applies to my business?
2-minute structured check → personalised list of obligations.
AI advisor (waitlist)
Ask any compliance question
Coming Phase 2 — grounded answers with citations.