Compliance playbook for retail and e-commerce businesses

Australian Consumer Law (consumer guarantees, misleading conduct s 18/29, country-of-origin labelling, unsolicited consumer agreements, gift card 3-year minimum), product safety (mandatory standards + bans), pricing display (multiple-pricing rule + component pricing), Privacy Act 2026 (ADM transparency from 10 Dec 2026), Spam Act consent + unsubscribe, Do Not Call Register, CDR (if banking / energy), Designs Act + IP, ePayments Code, BNPL ACL from 10 June 2025 if BNPL offered, GST + BAS + low-value imported goods GST under $1,000, allergen labelling for food, country-of-origin labelling — every obligation a retail or e-commerce operator faces.

21 obligations · 5 deadlines · 24 cross-linked articles

Key deadlines — next 12 months

  • 10 December 2026: Privacy Act ADM transparency + Children's Code commence
  • 1 July 2026: Payday Super starts (per-pay-event SG)
  • Within 30 days: NDB assessment of suspected breach
  • Within 2 days: Mandatory product safety incident report (s 131)
  • Within 72 hours: Ransomware payment report (Cyber Security Act 2024)
  • Annual: Modern Slavery Statement (if revenue >$100M)

Does this apply to me?

Answer yes to any of the below and the obligations in this playbook are likely relevant.

  1. Do you sell products or services to consumers in Australia (Australian Consumer Law applies to every sale, regardless of channel)?
  2. Do you sell online, including via your own website, Shopify, marketplace platforms (Amazon, eBay, Kogan), or through social commerce (Instagram, TikTok Shop)?
  3. Do you sell into Australia from offshore (low-value imported goods GST applies for goods under $1,000)?
  4. Do you sell gift cards (3-year minimum expiry rule under ACL Pt 3-2 Div 4)?
  5. Do you offer BNPL, store credit, layby, or other consumer credit (NCCP Act + BNPL reforms from 10 June 2025)?
  6. Do you send marketing electronic messages or make telemarketing calls (Spam Act + Do Not Call Register)?
  7. Is your annual turnover at or above AUD $3M (Privacy Act small business operator threshold)?

Plain English summary

Retail and e-commerce in Australia carry a compliance load that grew sharply between 2023 and 2026. The Australian Consumer Law (ACL) — Schedule 2 to the Competition and Consumer Act 2010 — sets the floor: consumer guarantees, misleading conduct prohibitions (s 18, s 29-34), pricing rules, unfair contract terms, product safety, unsolicited consumer agreements, gift card 3-year minimum (since 1 November 2019), and the unsolicited supply rules. Civil penalties for breaches were raised in November 2022 to the higher of $50M / 3× benefit / 30% turnover.

Online retail layers more obligations on top. The Spam Act 2003 catches commercial electronic messages (email, SMS, push notifications). The Do Not Call Register Act 2006 catches telemarketing. The Privacy Act 1988 applies above $3M turnover (and earlier on carve-in conditions) — and from 10 December 2026, ADM transparency in the APP 1 Privacy Policy + the Children's Online Privacy Code commence. Cross-border data flows (Stripe, AWS, Shopify) trigger APP 8.

Payment-side regulation is dense. The ePayments Code (ASIC) covers electronic payments and the rights of consumers in card disputes. BNPL providers operate under a modified credit licence regime under the NCCP Act + Low Cost Credit Contract rules from 10 June 2025. CDR applies if you operate in the banking / energy / non-bank-lending perimeter or accept CDR-shared consumer data from accredited providers.

This playbook lists every obligation a retail or e-commerce business faces today, the section of the Act it sits under, who is accountable, the cadence, the maximum penalty, and a regulator-direct source. Cross-link to the unfair contract terms checker and the Privacy Act 2026 readiness check.

Obligation checklist

Every obligation cites the Act and section. Source URLs link to the regulator's portal — Rules Mate does not republish statutory text.

  1. Australian Consumer Law (Sch 2, Competition and Consumer Act 2010), Pt 3-2 Div 1 — consumer guarantees

    Every supply of goods or services to a consumer (under $100K or for personal/domestic/household use) must comply with the consumer guarantees: acceptable quality, fit for disclosed purpose, match description/sample, supplied within reasonable time, free of undisclosed encumbrances, due care and skill (services). Major failure entitles refund + damages; minor failure entitles repair/replace.

    Who's responsible: Operator / Owner + Customer Service
    Frequency: Continuous; per sale
    Penalty: Up to $50M / 3× benefit / 30% turnover (corporate) for false-or-misleading conduct around guarantees.

  2. Australian Consumer Law, ss 18 + 29 — misleading or deceptive conduct + false representations

    Do not engage in conduct that is misleading or deceptive (or is likely to mislead or deceive) in trade or commerce. Do not make false or misleading representations about goods, services, country of origin, testimonials, sponsorship, price.

    Who's responsible: Marketing + Operator
    Frequency: Continuous
    Penalty: Up to $50M / 3× benefit / 30% turnover (corporate); ACCC enforcement.

  3. Australian Consumer Law, Pt 3-1 Div 1 + Country of Origin Food Labelling Information Standard 2016

    Use country-of-origin labels truthfully and consistently with the safe-harbour rules. For Australian-grown / Australian-made / Product of Australia / Made in Australia: meet the substantial-transformation + cost-of-production tests.

    Who's responsible: Buying / Marketing
    Frequency: Continuous
    Penalty: Same ACL penalty regime; ACCC enforcement.

  4. Australian Consumer Law, Pt 3-3 — product safety mandatory standards + bans + recalls

    Comply with all mandatory product safety standards (e.g. button batteries, baby walkers, prams, basketball rings, water beads from 1 March 2024). Do not supply banned products. Report serious injury / death within 2 days under s 131. Cooperate with mandatory recalls.

    Who's responsible: Operator + Buying + Compliance
    Frequency: Continuous; mandatory reports event-driven
    Penalty: Up to $50M / 3× benefit / 30% turnover (corporate); criminal offences for serious breaches.

  5. Australian Consumer Law, s 47 — multiple pricing rule

    If a product is displayed with more than one price, the seller must charge no more than the lowest price (or withdraw the product from sale). Also: don't advertise a price unless the total price including all unavoidable charges (GST, surcharges) is also displayed (component pricing rule, s 48).

    Who's responsible: Operator + Store / Web Manager
    Frequency: Continuous
    Penalty: Up to $50M / 3× benefit / 30% turnover (corporate); ACCC enforcement.

  6. Australian Consumer Law, Pt 2-3 — unfair contract terms (standard form)

    Standard-form consumer and small-business contracts must not contain unfair terms. From 9 November 2023, unfair terms attract civil penalties up to $50M (corporate). Common UCT risks in retail: unilateral variation, automatic renewal, limitation of liability, exclusive remedies, restrictive cancellation.

    Who's responsible: GC / Operator
    Frequency: Continuous; review on material change
    Penalty: Civil penalty up to $50M / 3× benefit / 30% turnover per term.

  7. Australian Consumer Law, Pt 3-2 Div 4 — gift cards (3-year minimum expiry)

    Gift cards supplied at retail must be valid for at least 3 years from supply. Display expiry date prominently. Do not charge post-purchase fees that erode value (some exceptions for activation, foreign transaction, etc).

    Who's responsible: Operator + Marketing
    Frequency: Continuous
    Penalty: Civil penalty up to $30,000 (corporate) per breach.

  8. Australian Consumer Law, Pt 3-2 Div 2 — unsolicited consumer agreements

    Unsolicited consumer agreements (door-to-door, telemarketing-initiated, party-plan) attract a 10-business-day cooling-off period and explicit disclosure rules. Most pure-online retail is not unsolicited — but outbound telesales, in-mall recruitment, social-DM-initiated sales can be.

    Who's responsible: Sales + Operator
    Frequency: Per sale
    Penalty: Civil penalty + the agreement is unenforceable during cooling-off period.

  9. Spam Act 2003 (Cth), s 16

    Do not send commercial electronic messages without consent (express or inferred); include sender identification + a functional unsubscribe in every message. Applies to email, SMS, push notifications, in-app messages with commercial content.

    Who's responsible: Marketing
    Frequency: Every campaign
    Penalty: Up to $2.355M per day for serious breaches; ACMA enforcement.

  10. Do Not Call Register Act 2006 (Cth)

    Do not make unsolicited telemarketing calls to numbers on the Do Not Call Register. Wash lists at least every 30 days. The existing-customer-relationship exemption is narrow and is unlikely to cover cold outreach.

    Who's responsible: Sales + Marketing
    Frequency: Every campaign; register check at least every 30 days
    Penalty: Up to $2.355M for serious repeated breaches; ACMA enforcement.

  11. Privacy Act 1988 (Cth), Sch 1 — Australian Privacy Principles

    If turnover is at or above $3M (or you handle health information, contract to Government, or trade personal information), comply with all 13 APPs. Publish a Privacy Policy (APP 1) covering ADM from 10 December 2026; provide collection notices (APP 5); secure customer data (APP 11); apply APP 8 for offshore disclosure (Stripe, AWS, Shopify).

    Who's responsible: Privacy Officer + CTO + Marketing
    Frequency: Continuous
    Penalty: Up to $50M / 3× benefit / 30% turnover for serious or repeated interferences.

  12. Privacy Act 1988 (Cth), Pt IIIC — Notifiable Data Breach scheme

    Notify the OAIC and affected individuals of eligible data breaches likely to result in serious harm. Assessment within 30 days. Retail customer-database breaches (Optus, Medibank, ATO-style) are high-risk.

    Who's responsible: Privacy Officer + Incident Response Lead
    Frequency: Event-driven
    Penalty: Up to $50M / 3× benefit / 30% turnover.

  13. Privacy Act 2026 amendments — ADM transparency + Children's Online Privacy Code from 10 December 2026

    From 10 December 2026: where ADM is used to make decisions that significantly affect individuals (price personalisation, credit decisioning, fraud-block decisions), disclose in the APP 1 Privacy Policy. Children's Online Privacy Code applies if you target users under 16.

    Who's responsible: Privacy Officer + CTO + Marketing
    Frequency: From 10 December 2026; ongoing
    Penalty: Same Privacy Act penalty regime; OAIC enforcement.

  14. Competition and Consumer (Industry Codes — Consumer Data Right) Regulations + CDR Rules

    If operating in Banking, Energy, or Non-Bank Lending sectors as a data holder or accredited data recipient: comply with CDR Rules + 13 Privacy Safeguards. Most pure retail is out of scope — but retail BNPL providers, cash-back / open-banking apps, and energy retailers are captured.

    Who's responsible: CTO + Compliance
    Frequency: Continuous (if applicable)
    Penalty: Civil penalty up to $50M / 3× benefit / 30% turnover.

  15. ePayments Code (ASIC)

    Subscribers to the ePayments Code (most retailers issuing or accepting electronic payments via PCI-DSS providers) must comply with chargeback and unauthorised-transaction provisions. Investigate disputes within stipulated timeframes.

    Who's responsible: Customer Service + Finance
    Frequency: Per dispute
    Penalty: Code is voluntary but breach can be a misleading-conduct contravention; ASIC enforcement.

  16. National Consumer Credit Protection Act 2009 (Cth) — BNPL from 10 June 2025

    If you offer Buy Now Pay Later directly (rather than embedding Afterpay / Zip / Klarna): from 10 June 2025, operate under the BNPL modified credit licence regime + Low Cost Credit Contract rules. Lite responsible-lending obligations + hardship + dispute resolution + design and distribution.

    Who's responsible: GC / Operator
    Frequency: Continuous (if BNPL offered)
    Penalty: Civil penalty up to $15.65M (individual); $156.5M (corporate); ASIC enforcement.

  17. Designs Act 2003 (Cth) + Trade Marks Act 1995 (Cth) — IP enforcement

    Don't infringe registered designs or trade marks. Use TMs for branded products; respect competitor designs. Monitor copy-cat product imports through ABF Notice of Objection scheme.

    Who's responsible: GC + Buying
    Frequency: Continuous
    Penalty: Civil — damages, account of profits, injunctions; criminal under Trade Marks Act for counterfeiting.

  18. A New Tax System (Goods and Services Tax) Act 1999 + Treasury Laws Amendment (GST Low Value Goods) Act 2017

    Register for GST when annual turnover is or will be $75,000+. Collect GST on low-value imported goods (under $1,000) sold to Australian consumers if you are a non-resident merchant + GST turnover above $75,000 from Australian sales. Lodge BAS.

    Who's responsible: Finance / Bookkeeper
    Frequency: Quarterly (or monthly)
    Penalty: Failure-to-lodge + General Interest Charge; ATO audit review.

  19. Food Standards Code, Standard 1.2.3 + PEAL labelling — allergens (if selling food)

    If selling food (packaged or unpackaged), declare all 10 nominated allergens (gluten, crustacea, egg, fish, milk, peanut, sesame, soy, tree nuts, lupin) per Standard 1.2.3 + Plain English Allergen Labelling rules.

    Who's responsible: Buying + Compliance
    Frequency: Continuous; per SKU launch
    Penalty: Civil penalty under state Food Act; product recall.

  20. Modern Slavery Act 2018 (Cth), s 5 — reporting entity

    Where consolidated revenue is AUD $100M or more: lodge an annual Modern Slavery Statement on the Modern Slavery Statements Register within 6 months of the end of the reporting period. Retail global supply chains (apparel, electronics, homewares) are high-risk and require deep diligence.

    Who's responsible: CFO + Company Secretary
    Frequency: Annual
    Penalty: Public listing on register; civil penalties proposed under Modern Slavery Amendment Bill 2024.

  21. Cyber Security Act 2024 (Cth) — ransomware payment reporting

    From 30 May 2025: entities with annual turnover above $3M (or critical-infrastructure entities) must report ransomware payments to the Department of Home Affairs within 72 hours of the payment.

    Who's responsible: CISO + GC
    Frequency: Event-driven
    Penalty: Civil penalty (60 penalty units, ~$19,800).

Forms and regulator portals

Direct links to the lodgement forms and regulator portals. Rules Mate does not host copies — we link to the official source.

  • ACCC — product safety reporting + recall portal: Lodge mandatory product safety incident reports (s 131) and recall notifications.
  • ACMA — Spam Act enforcement / complaints: Report a spam breach or seek guidance on Spam Act compliance.
  • Do Not Call Register — washer access: Telemarketers must subscribe to the Register and wash lists at least every 30 days.
  • OAIC — Notifiable Data Breach notification: Report an eligible data breach involving customer information.
  • Modern Slavery Statements Register — lodgement: Lodgement portal for entities at or above the $100M consolidated revenue threshold.
  • ATO — Business Activity Statement portal: Lodge BAS, manage GST, PAYG, fuel tax credits.
  • Australian Border Force — Notice of Objection (counterfeit goods): Register an IP notice to enable ABF seizure of counterfeit imports.

What changes 2025–2026

9 November 2023 — Unfair Contract Term civil penalties live

UCT contraventions attract civil penalties up to $50M / 3× benefit / 30% turnover (corporate). Audit standard-form terms (T&Cs, returns policies, subscription terms).

8 February 2024 — Plain English Allergen Labelling

PEAL labelling rules in Standard 1.2.3 became mandatory for food. Affects food retailers and grocers.

1 March 2024 — Water bead mandatory ban

ACCC introduced mandatory ban on supply of water beads + water-bead toys after multiple ingestion injuries.

10 June 2025 — BNPL modified credit licence regime live

BNPL providers operate under NCCP Act + Low Cost Credit Contract rules. Retailers offering direct BNPL are captured; embedded Afterpay/Zip/Klarna shifts the obligation to the provider.

30 May 2025 — Cyber Security Act ransomware reporting

Retailers above $3M turnover must report ransomware payments to Home Affairs within 72 hours.

1 July 2025 — SG to 12%

The Super Guarantee rate stepped up to 12% from 1 July 2025.

1 July 2026 — Payday Super starts

Super Guarantee shifts from quarterly to per-pay-event.

10 December 2026 — Privacy Act ADM transparency + Children's Online Privacy Code

APP 1 Privacy Policy must disclose ADM that significantly affects individuals. Children's Code applies to retail platforms targeting under-16s.

Ongoing — ACL review + ACCC enforcement priorities

ACCC enforcement priorities consistently feature: misleading environmental claims (greenwashing); subscription traps + auto-renewal; product safety; misleading discount claims (was-now pricing); unfair contract terms.

Frequently asked

If a customer says the product is 'faulty', is the consumer guarantee always available?

Generally yes — but only if it's a 'consumer' supply (under $100K or for personal/domestic/household use) and the goods failed to be of acceptable quality, fit for purpose, etc. Major failure (substantial enough to refuse the supply) → refund + damages. Minor failure → seller's choice of repair, replace, or refund. The seller — not the manufacturer — is the consumer's first port of call.

Can we restrict consumer guarantees with our T&Cs?

No. Section 64 of the ACL voids any term purporting to exclude, restrict, or modify consumer guarantees. Many retail T&Cs include 'no refunds after 7 days' or 'final sale' — these are unenforceable to the extent they purport to restrict consumer guarantees, and risk being a misleading representation under s 29.

We're under $3M turnover — is the Privacy Act really out of scope?

Probably yes for now, but the carve-in conditions matter. The small-business exemption does not apply if you handle health information, sell personal-information lists, contract to Government, or are a related body corporate of an APP entity. Several Privacy Act reform tranches under consideration would close or substantially narrow the SBE.

Do we have to display the price including GST?

Yes — s 48 ACL component-pricing rule. A price advertised to consumers must include the total of all unavoidable charges (GST, mandatory surcharges, mandatory delivery). Optional add-ons can be separately displayed.

Is the gift card 3-year rule different in different states?

No — the rule is in the ACL (Cth), applies nationally, and was introduced 1 November 2019. State Fair Trading agencies enforce on behalf of the ACCC.

Greenwashing — what's the line?

Sustainability and ESG claims must be specific, substantiated, and verifiable. The ACCC published guidance in December 2023 setting eight principles: be specific, use clear language, don't omit material information, show your work, only compare to relevant baselines, don't claim future aspirations as current performance, use clear visual elements, comply with mandatory standards. Misleading sustainability claims are misleading conduct under s 18.

BNPL — what changes for retailers who embed Afterpay / Zip / Klarna?

Embedded BNPL puts the credit-licence + LCCC obligations on the BNPL provider, not the retailer. Retailer obligations focus on: not misrepresenting the BNPL terms (s 18/29 ACL); applying ACL anti-hawking rules; not inducing unsuitable BNPL purchases. Direct BNPL (retailer is the credit provider) requires the modified credit licence + LCCC compliance.

Last verified: 9 June 2026

Rules Mate provides citation-first reference material, not legal advice. Always consult a qualified professional for specific obligations.