Rules Mate

Prepare for the proposed removal of the small business exemption

Removing the Privacy Act small business exemption (<$3M turnover) is proposed for a future reform tranche — agreed in principle, not yet law.

highupcomingongoing

Who must comply

Any business currently relying on the small business operator exemption (annual turnover under $3M).

What triggers it

Commencement of a future bill removing the small business exemption (not yet introduced to Parliament).

When due

Not yet legislated — proposed for a future privacy reform tranche.

Evidence required

Privacy Policy, collection notices, breach response plan, staff training records, data inventory.

Max penalty

The standard Privacy Act penalty regime (up to $50M / 3× benefit / 30% turnover for serious or repeated interferences) would apply if and when the exemption is removed.

Summary

Removing the Privacy Act's small business exemption (s 6D) — which currently exempts most businesses with annual turnover under $3M — was recommended in the Privacy Act Review and agreed in principle by the Government. It was NOT included in the first reform tranche (the Privacy and Other Legislation Amendment Act 2024). As of 2026 it remains proposed for a future ('second tranche') bill with no commencement date set. If enacted, roughly 2 million Australian SMBs would become 'APP entities' — requiring a Privacy Policy, lawful collection notices, NDB readiness, training, and access/correction processes. Businesses can prepare now, but no specific commencement date should be treated as fixed.

Enforced by

Source legislation

Topics

privacysmall-businessreform-2026

Related obligations

Frequently asked questions

Who must comply with for the proposed removal of the small business exemption?
Any business currently relying on the small business operator exemption (annual turnover under $3M).
What triggers for the proposed removal of the small business exemption?
Commencement of a future bill removing the small business exemption (not yet introduced to Parliament).
When is for the proposed removal of the small business exemption due?
Not yet legislated — proposed for a future privacy reform tranche.
What is the maximum penalty for for the proposed removal of the small business exemption?
The standard Privacy Act penalty regime (up to $50M / 3× benefit / 30% turnover for serious or repeated interferences) would apply if and when the exemption is removed.
What evidence is required for for the proposed removal of the small business exemption?
Privacy Policy, collection notices, breach response plan, staff training records, data inventory.

Source: https://oaic.gov.au/privacy/privacy-legislation/the-privacy-act/privacy-reforms. Rules Mate is not a law firm. Always verify against the live regulator source before acting.