2.3M small businesses come into scope

Privacy Act 2026 hub

From 10 December 2026 the small business exemption ends. Every Australian business handling personal information becomes an APP entity. Statutory tort, Children's Code, ADM disclosure — the biggest privacy reform in 35 years.

Small business exemption removed 10 December 2026

The Privacy and Other Legislation Amendment Act 2024 is the most significant reform to the Privacy Act 1988 since its enactment. Tranche 1 reforms commenced in stages from 10 June 2025 (statutory tort, doxxing offence, NDB scheme enhancements, civil penalty tiers) and 10 December 2026 (Children's Online Privacy Code, automated decision-making transparency, small business exemption removed).

The small business exemption — which currently shields businesses with annual revenue under $3M from APP compliance — ends 10 December 2026. That brings ~2.3M Australian small businesses into APP scope for the first time: a privacy policy, notice on collection, secure handling, breach notification, and individual access and correction rights.

In addition: a private right of action for serious invasions of privacy (the statutory tort, in force from 10 June 2025), the OAIC's first sector-specific privacy sweep, and Tranche 2 (the information controllers / processors regime), which is still in scoping.

FAQ

Who loses the small business exemption?

Every business with annual revenue under $3M that holds personal information. From 10 December 2026 you become an APP entity: a privacy policy is required, along with notice on collection, secure handling, NDB notification, and individual access and correction rights. Sole traders are still exempt for purely personal records.

What's the statutory tort for invasion of privacy?

From 10 June 2025, individuals can sue for serious invasions of privacy without needing to establish a breach of an Australian Privacy Principle. The tort has two limbs: intrusion upon seclusion and misuse of private information. Remedies are damages plus declaratory and injunctive relief. Defences include lawful authority, the defamation defences, and public interest.

What's the Children's Online Privacy Code?

A mandatory code from 10 December 2026 governing online services likely to be accessed by children. The OAIC is consulting through 2026 on its content (likely to cover default privacy settings, age assurance, data minimisation, and parental consent). It applies to any APP entity providing online services.

What automated decision-making must be disclosed?

From 10 December 2026, APP entities making decisions about individuals with legal or similarly significant effect using ADM must disclose this in their privacy policy. Examples: credit scoring, insurance pricing, employment screening, government benefit eligibility.

What are the new civil penalty tiers?

Tier 1 (most serious): up to $50M, 3x the benefit obtained, or 30% of adjusted turnover. Tier 2 (serious): up to $3.3M per contravention. Tier 3 (administrative): infringement notices of up to $66K for a body corporate and $13.2K for an individual.

When must I notify a notifiable data breach?

As soon as practicable after becoming aware of an eligible data breach (one likely to result in serious harm). Notify both the OAIC and the affected individuals. Failure to notify attracts civil penalties.
