Prepare for the removal of the small business exemption
From 10 December 2026, businesses with <$3M turnover lose the Privacy Act exemption.
Who must comply
Any business currently relying on the small business operator exemption.
What triggers it
Effective from 10 December 2026.
When due
10 December 2026.
Evidence required
Privacy Policy, collection notices, breach response plan, staff training records, data inventory.
Max penalty
Same penalty regime applies once exemption is removed.
Effective from
10 December 2026
Summary
The Privacy and Other Legislation Amendment Act 2024 removes the small business exemption (s 6D) effective 10 December 2026. Approximately 2 million Australian SMBs become 'APP entities' overnight, requiring a Privacy Policy, lawful collection notices, NDB readiness, training, and access/correction processes. Once the removal commences, there is no exemption for sole traders or partnerships, and no size threshold.
Source: https://oaic.gov.au/privacy/privacy-legislation/the-privacy-act/privacy-reforms. Rules Mate is not a law firm. Always verify against the live regulator source before acting.