Prepare for the proposed removal of the small business exemption
Removing the Privacy Act small business exemption (<$3M turnover) is proposed for a future reform tranche — agreed in principle, not yet law.
Who must comply
Any business currently relying on the small business operator exemption (annual turnover under $3M).
What triggers it
Commencement of a future bill removing the small business exemption (not yet introduced to Parliament).
When due
Not yet legislated — proposed for a future privacy reform tranche.
Evidence required
Privacy Policy, collection notices, breach response plan, staff training records, data inventory.
Max penalty
The standard Privacy Act penalty regime (up to $50M / 3× benefit / 30% turnover for serious or repeated interferences) would apply if and when the exemption is removed.
Summary
Removing the Privacy Act's small business exemption (s 6D) — which currently exempts most businesses with annual turnover under $3M — was recommended in the Privacy Act Review and agreed in principle by the Government. It was NOT included in the first reform tranche (the Privacy and Other Legislation Amendment Act 2024). As of 2026 it remains proposed for a future ('second tranche') bill with no commencement date set. If enacted, roughly 2 million Australian SMBs would become 'APP entities' — requiring a Privacy Policy, lawful collection notices, NDB readiness, training, and access/correction processes. Businesses can prepare now, but no specific commencement date should be treated as fixed.
Enforced by
Source legislation
Topics
Related obligations
- CWLTHNotifiable Data Breach (NDB) schemeUnder the NDB scheme, APP entities must notify the OAIC and affected individuals of an eligible data breach likely to cause serious harm — assessed within 30 days.
- CWLTHPublish a Privacy Policy compliant with APP 1Every APP entity needs a clearly-expressed Privacy Policy covering APP 1.4 requirements.
- CWLTHAutomated Decision-Making transparency under Privacy Act (phased)From a phased commencement, APP entities using ADM must disclose in Privacy Policy.
- CWLTHAPP 3 collection of sensitive informationAPP 3 bars collecting sensitive information — health, race, religion, sexual orientation and more — without consent. What counts as sensitive, the exceptions and penalties.
- CWLTHPrivacy Act Reform — information controllers regime (proposed Tranche 2)Tranche 2 reforms in scoping — information controllers + processors regime.
- CWLTHProvide an APP 5 collection notice at or before collectionAPP 5 requires notice of identity, purposes, recipients, consequences of not providing info, and where Privacy Policy lives.
Frequently asked questions
- Who must comply with for the proposed removal of the small business exemption?
- Any business currently relying on the small business operator exemption (annual turnover under $3M).
- What triggers for the proposed removal of the small business exemption?
- Commencement of a future bill removing the small business exemption (not yet introduced to Parliament).
- When is for the proposed removal of the small business exemption due?
- Not yet legislated — proposed for a future privacy reform tranche.
- What is the maximum penalty for for the proposed removal of the small business exemption?
- The standard Privacy Act penalty regime (up to $50M / 3× benefit / 30% turnover for serious or repeated interferences) would apply if and when the exemption is removed.
- What evidence is required for for the proposed removal of the small business exemption?
- Privacy Policy, collection notices, breach response plan, staff training records, data inventory.
Source: https://oaic.gov.au/privacy/privacy-legislation/the-privacy-act/privacy-reforms. Rules Mate is not a law firm. Always verify against the live regulator source before acting.