Rules Mate

Compliance playbook for Australian tech and SaaS startups

Privacy Act 2026 (the $3M threshold + reform timeline), Spam Act + Do Not Call Register, Australian Consumer Law guarantees + misleading conduct, ASRS climate-disclosure tier (when applicable), Modern Slavery Act 2018 threshold, payroll tax + super guarantee + STP Phase 2, R&D Tax Incentive, APP 8 cross-border data, Consumer Data Right (if Banking / Energy / non-bank lender), employee equity (Division 1A of Part 7.12 of the Corporations Act), BNPL ACL changes from 10 June 2025, and Cyber Security Act ransomware reporting (if SOCI critical infrastructure).

22 obligations · 4 deadlines · 24 cross-linked articles

Key deadlines — next 12 months

  • 1 July 2026: Payday Super commences (per-pay-event SG)
  • 1 July 2026: ASRS Group 2 Year-1 reporting
  • 10 December 2026: Privacy Act ADM transparency + Children's Code
  • 14 July annually: STP Phase 2 finalisation declaration
  • Within 30 days: NDB assessment after a suspected breach

Does this apply to me?

Answer yes to any of the below and the obligations in this playbook are likely relevant.

  1. Is your business's annual turnover approaching or above AUD $3M (Privacy Act small business operator threshold)?
  2. Do you send commercial electronic messages or make unsolicited telemarketing calls (Spam Act 2003 + Do Not Call Register Act 2006)?
  3. Do you sell SaaS / digital services to Australian consumers (Australian Consumer Law guarantees apply)?
  4. Do you host customer data offshore — AWS US, Azure EU, GCP elsewhere (APP 8 cross-border disclosure)?
  5. Do you provide BNPL, accept consumer credit, or operate in the Consumer Data Right banking / energy / non-bank lender perimeter?
  6. Do you grant employee equity (ESOP, RSUs, options) — Division 1A of Part 7.12 of the Corporations Act and ATO ESS reporting?
  7. Do you fall within the SOCI critical-infrastructure perimeter (data storage and processing class) — and have you done the ASRS Group 1/2/3 self-assessment for FY26?

Plain English summary

Australian tech startups carry a heavier compliance load than the founder-stereotype suggests. The Privacy Act 1988 (Cth) bites at the $3M turnover threshold — and earlier where the startup handles health information, sells personal-information lists, contracts with Australian Government agencies, or is a related body corporate of an APP entity. Most growth-stage SaaS businesses become APP entities well before the $3M threshold for at least one carve-in reason.

The Spam Act 2003 and the Do Not Call Register Act 2006 are operational from day one — every customer email, every marketing SMS, every cold call. ACMA's enforcement pattern has been graduated but consistent: penalty units stack ($2.355M maximum for serious breaches). The Australian Consumer Law applies to every SaaS sale to a consumer, including the consumer guarantees (acceptable quality, fit for purpose) and the misleading conduct prohibition in s 18 of Schedule 2 of the Competition and Consumer Act 2010.

Climate disclosure (ASRS) commenced 1 January 2025 for Group 1 entities. Most tech startups sit below the Group 1, 2 and 3 thresholds for now — but a unicorn scale-up will eventually trip Group 2 (Year 1: 1 July 2026 commencement) and Group 3 (Year 1: 1 July 2027). Modern Slavery (Cth) applies at $100M consolidated revenue. R&D Tax Incentive returns require contemporaneous documentation and registration with AusIndustry by 10 months after year-end.

This playbook lists every obligation a growth-stage Australian SaaS startup needs to think about: the section of the Act it sits under, who in the company is accountable, the cadence, the maximum penalty, and a regulator-direct source. It cross-links to the Privacy Act 2026 readiness check and the NDB notification timer.

Obligation checklist

Every obligation cites the Act and section. Source URLs link to the regulator's portal — Rules Mate does not republish statutory text.

  1. Privacy Act 1988 (Cth), Sch 1 — Australian Privacy Principles

     Where turnover is at or above $3M, or where a carve-in condition applies (health information, trading in personal information, contracted Government service provider, related body corporate of an APP entity), comply with all 13 APPs.

     Who's responsible: Privacy Officer / Company Secretary / CTO
     Frequency: Continuous
     Penalty: Up to $50M / 3× benefit / 30% turnover for serious or repeated interferences.

  2. Privacy Act 1988 (Cth), Pt IIIC — Notifiable Data Breach scheme

     Notify the OAIC and affected individuals of eligible data breaches. Assessment must be completed within 30 days of becoming aware. SaaS data breaches affecting customer personal information are the highest-frequency notification scenario.

     Who's responsible: Privacy Officer / Incident Response Lead
     Frequency: Event-driven
     Penalty: Up to $50M / 3× benefit / 30% turnover.

  3. Privacy Act 1988 (Cth), APP 8 (cross-border disclosure)

     Before disclosing personal information overseas (US-hosted cloud, EU subprocessors, parent-company access), take reasonable steps to ensure the overseas recipient does not breach the APPs. Section 16C makes the disclosing entity liable for some overseas-recipient acts.

     Who's responsible: Privacy Officer + Procurement / Vendor management
     Frequency: On vendor onboarding + ongoing
     Penalty: Up to $50M / 3× benefit / 30% turnover.

  4. Privacy Act 1988 (Cth), APP 11 + APP 5 + APP 1

     Publish a clearly expressed and current Privacy Policy (APP 1); provide collection notices at every collection point (APP 5); take reasonable steps to secure personal information, including ICT controls, access management, encryption, patching and logging (APP 11).

     Who's responsible: Privacy Officer + CTO
     Frequency: Continuous
     Penalty: Same penalty regime; the NDB scheme is triggered if a breach occurs.

  5. Spam Act 2003 (Cth), s 16

     Do not send commercial electronic messages without consent (express or inferred); include a functional one-click unsubscribe; identify the sender. Applies to email, SMS, instant messages, push notifications and messaging APIs.

     Who's responsible: Marketing + Product
     Frequency: Every campaign
     Penalty: Up to $2.355M per day for serious breaches (ACMA enforcement).

  6. Do Not Call Register Act 2006 (Cth)

     Do not make unsolicited telemarketing calls or send unsolicited marketing faxes to numbers listed on the Do Not Call Register. Check at least every 30 days. Exemptions for charities, political parties, and existing-customer relationships.

     Who's responsible: Sales + Marketing
     Frequency: Every campaign; register check at least every 30 days
     Penalty: Up to $2.355M for serious repeated breaches; ACMA enforcement.

  7. Australian Consumer Law (Sch 2, Competition and Consumer Act 2010), Pt 3-2 Div 1 — consumer guarantees

     Services to consumers must be supplied with due care and skill, be fit for the disclosed purpose, and be supplied within a reasonable time. SaaS subscriptions sold to consumers (and most small businesses) are covered by the consumer guarantees.

     Who's responsible: Founder / GC / Customer Success
     Frequency: Continuous
     Penalty: Up to $50M / 3× benefit / 30% turnover (corporate) for serious breaches.

  8. Australian Consumer Law, s 18 (Sch 2) — misleading or deceptive conduct

     Do not engage in conduct that is misleading or deceptive, or is likely to mislead or deceive, in trade or commerce. Applies to all marketing claims, sales pitches, demos and feature representations.

     Who's responsible: Marketing + Sales + Founder
     Frequency: Continuous
     Penalty: Civil penalty up to $50M / 3× benefit / 30% turnover (corporate); ACCC enforcement.

  9. Australian Consumer Law, Pt 2-3 — unfair contract terms

     Standard-form consumer contracts and small-business contracts must not contain unfair terms. From 9 November 2023, unfair contract terms attract civil penalties up to $50M (corporate). SaaS click-through terms are standard-form.

     Who's responsible: GC / Founder
     Frequency: Continuous; review on every material contract change
     Penalty: Civil penalty up to $50M / 3× benefit / 30% turnover per term.

  10. Modern Slavery Act 2018 (Cth), s 5 — reporting entity

     Where consolidated revenue is AUD $100M or more: lodge an annual Modern Slavery Statement on the Modern Slavery Statements Register within 6 months of the end of the reporting period. Most early-stage SaaS startups are below the threshold; high-growth unicorns can trip it.

     Who's responsible: CFO + Company Secretary
     Frequency: Annual
     Penalty: Public listing on the register; civil penalties proposed under the Modern Slavery Amendment Bill 2024.

  11. Corporations Act 2001 (Cth), Ch 2M (climate-related financial disclosure / ASRS)

     If you meet two of three of the Group 1 thresholds (assets ≥$1B; revenue ≥$500M; employees ≥500), comply with AASB S2 from 1 January 2025. Group 2 ($200M revenue / $500M assets / 250 employees): from 1 July 2026. Group 3 ($50M revenue / $25M assets / 100 employees): from 1 July 2027.

     Who's responsible: CFO + ESG Lead
     Frequency: Annual sustainability report
     Penalty: Civil penalty for false or misleading disclosure up to $1.575M (individual); enforcement by ASIC.

  12. Income Tax Assessment Act 1997, Div 355 — R&D Tax Incentive

     Register R&D activities with AusIndustry within 10 months of year-end. Claim the R&D tax offset (refundable for entities with aggregated turnover below $20M; non-refundable for larger entities) via the tax return. Document core and supporting activities contemporaneously.

     Who's responsible: CFO + R&D Lead
     Frequency: Annual
     Penalty: ATO repayment + interest + administrative penalty; AusIndustry review.

  13. Superannuation Guarantee (Administration) Act 1992, s 16

     Pay Super Guarantee on Ordinary Time Earnings at the prescribed rate (12% from 1 July 2025) to each employee's chosen super fund. From 1 July 2026: 'Payday super' — SG is payable on each pay event, no longer quarterly.

     Who's responsible: Founder / Head of People + payroll
     Frequency: Per pay event from 1 July 2026 (quarterly until 30 June 2026)
     Penalty: Super Guarantee Charge — shortfall + interest + administration component; not tax-deductible.

  14. Taxation Administration Act 1953, Sch 1, Pt 2-5 — Single Touch Payroll Phase 2

     Report payroll information per pay event in STP Phase 2 format (income type, country code, tax treatment code, child-support amounts, lump-sum reasons). Year-end finalisation declaration by 14 July.

     Who's responsible: Payroll + Finance
     Frequency: Per pay event + annual finalisation
     Penalty: Failure-to-report penalty (penalty-unit based); non-finalisation is flagged in employee tax returns.

  15. State Payroll Tax Acts (NSW PTA 2007 / VIC PTA 2007 / QLD PTA 1971 / WA PTA Assessment Act 2002 / state equivalents)

     Register for payroll tax where total Australian wages exceed the relevant state threshold (NSW $1.2M; VIC $0.9M; QLD $1.3M; WA $1M; thresholds vary). Lodge monthly returns + annual reconciliation.

     Who's responsible: Finance
     Frequency: Monthly + annual reconciliation
     Penalty: Interest + penalty tax (state Revenue Office enforcement).

  16. Corporations Act 2001 (Cth), Pt 7.12 Div 1A — Employee Share Scheme regime

     Granting employee equity (options, shares, RSUs) requires reliance on Div 1A disclosure relief or another exemption. Under the reforms commencing 1 October 2022: monetary limit raised, broader exemptions for unlisted companies, simplified disclosure for small-scale offers.

     Who's responsible: GC / Founder + CFO
     Frequency: Per scheme
     Penalty: Civil penalty for unauthorised offers; disclosure relief lost.

  17. ATO — Employee Share Scheme (ESS) annual reporting

     Provide ESS statements to employees by 14 July and the ESS annual report to the ATO by 14 August for each year in which a taxing point occurred.

     Who's responsible: Finance + Payroll
     Frequency: Annual
     Penalty: Failure-to-lodge penalty + administrative review.

  18. Competition and Consumer (Industry Codes — Consumer Data Right) Regulations + CDR Rules (Banking, Energy, Non-Bank Lenders)

     If operating in the CDR perimeter (Banking, Energy, Non-Bank Lending): become an accredited data recipient or a data holder per the CDR Rules; comply with privacy safeguards 1-13; certify to the ACCC.

     Who's responsible: CTO + Compliance
     Frequency: Continuous
     Penalty: Civil penalty up to $50M / 3× benefit / 30% turnover.

  19. National Consumer Credit Protection Act 2009 (Cth) — BNPL from 10 June 2025

     From 10 June 2025: BNPL providers operate under a modified credit licence regime under the NCCP Act + Low Cost Credit Contract rules. Lite responsible-lending obligations + modified hardship + dispute resolution + design and distribution obligations.

     Who's responsible: Founder / GC
     Frequency: Continuous (if applicable)
     Penalty: Civil penalty up to $15.65M (individual); $156.5M (corporate); ASIC enforcement.

  20. Security of Critical Infrastructure Act 2018 (Cth) — data storage / processing class

     If the business operates a 'data storage or processing system' that processes 'business critical data' for a critical infrastructure asset owner, SOCI applies: registration, Critical Infrastructure Risk Management Program, mandatory cyber-incident reporting (12 hours significant / 72 hours other).

     Who's responsible: CISO + Compliance
     Frequency: Continuous (if applicable)
     Penalty: Civil penalty up to ~$1.565M (corporate) per breach.

  21. Cyber Security Act 2024 (Cth) — ransomware payment reporting

     From 30 May 2025: where an entity with annual turnover above $3M (or a critical-infrastructure entity) makes a ransomware payment, report to the Department of Home Affairs within 72 hours of the payment.

     Who's responsible: CISO + GC
     Frequency: Event-driven (if applicable)
     Penalty: Civil penalty (60 penalty units, ~$19,800).

  22. Fair Work Act 2009 + National Employment Standards

     Comply with the NES (annual leave, personal leave, public holidays, redundancy, parental leave). Comply with applicable Modern Awards or an Enterprise Agreement. Right to disconnect from 26 August 2024 (small business: 26 August 2025).

     Who's responsible: Founder / Head of People
     Frequency: Continuous
     Penalty: Civil penalties; Fair Work Ombudsman enforcement; underpayment criminalised under Closing Loopholes from 1 January 2025.

Forms and regulator portals

Direct links to the lodgement forms and regulator portals. Rules Mate does not host copies — we link to the official source.

  • OAIC Notifiable Data Breach notification: lodge an NDB notification for an eligible breach.
  • ACMA Spam Act enforcement / complaints: report a spam breach or seek guidance on Spam Act compliance.
  • Do Not Call Register — washer access: telemarketers must subscribe to the Register and wash their lists at least every 30 days.
  • AusIndustry R&D Tax Incentive — application portal: register R&D activities within 10 months of year-end.
  • Modern Slavery Statements Register — lodgement: lodgement portal for entities at or above the $100M consolidated revenue threshold.
  • Department of Home Affairs — ransomware payment reporting: lodge the ransomware payment notification within 72 hours under the Cyber Security Act 2024.

What changes 2025–2026

10 June 2025 — Privacy Act statutory tort live

The new statutory tort for serious invasion of privacy commenced — actionable in the Federal Court for intrusion upon seclusion and misuse of private information.

30 May 2025 — Cyber Security Act ransomware reporting

Entities with turnover >$3M (and all critical-infrastructure entities) must report ransomware payments to Home Affairs within 72 hours.

1 July 2025 — SG rate to 12%

The Super Guarantee rate stepped up to 12% from 1 July 2025 — the final scheduled increase.

1 July 2026 — Payday Super

Super Guarantee shifts from quarterly to per-pay-event. Material payroll-process change.

1 July 2026 — ASRS Group 2 commences

Year-1 ASRS reporting begins for Group 2 entities (broadly, $200M revenue / $500M assets / 250 employees — two of three).

10 December 2026 — ADM transparency + Children's Online Privacy Code

APP entities using automated decision-making must disclose in APP 1 Privacy Policy. Children's Online Privacy Code commences.

1 July 2027 — ASRS Group 3 commences

Year-1 ASRS reporting begins for Group 3 entities — captures many Series B / Series C SaaS scale-ups.

Proposed (future tranche) — Small business exemption removal + 'fair and reasonable' test + direct right of action

The Privacy Act Review recommendations not included in the 2024 reforms remain on the policy register. Watch for further tranches.

Frequently asked

We're at $2.5M turnover — when does the Privacy Act bite?

Not at turnover alone — but it likely already applies. The carve-in conditions in s 6D(4) catch: health information, contracting to Australian Government agencies, trading in personal information (selling marketing lists), or being a related body corporate of an APP entity. Most growth-stage SaaS startups cross at least one. The clean signal is at $3M turnover, but expect to be subject earlier on the carve-in route.

Are our standard Stripe + AWS US data-flows captured by APP 8?

Yes. Hosting customer personal information on AWS US, or using Stripe (US parent) for payment data, is disclosure to an overseas recipient. APP 8 requires reasonable steps. Stripe's DPA + standard contractual clauses + AWS Sub-Processor disclosure are 'reasonable steps' for most SaaS startups; document the assessment and name the recipients in your Privacy Policy.

Does the s 16C 'liability for overseas recipient' really apply?

Yes, but narrowly. If you have NOT taken reasonable steps under APP 8, AND the overseas recipient does something that would be an APP breach if done in Australia, you are treated as having done that act yourself. The 'reasonable steps' threshold means a robust vendor-management program substantially mitigates s 16C exposure.

Is the Spam Act seriously enforced for B2B sales emails?

Yes. ACMA has handed out infringement notices to B2B-focused senders. The 'consent' rules apply — express consent or inferred consent. Inferred consent from a published business email address is narrower than founders think: it must be the recipient's role-relevant address, and the offer must be related to the role. Outreach scraped from LinkedIn typically does not meet the inferred-consent test.

When do we trigger ASRS reporting?

Group 1 (commenced 1 January 2025): two of three of $500M revenue / $1B assets / 500 employees. Group 2 (1 July 2026): $200M revenue / $500M assets / 250 employees. Group 3 (1 July 2027): $50M revenue / $25M assets / 100 employees. Group 3 captures many Series B/C SaaS startups; plan the climate-data architecture 12-18 months before first reporting period.

We use AI to make hiring or pricing decisions — does the ADM transparency obligation apply now?

Not yet. The Privacy Act ADM transparency obligation commences 10 December 2026 for APP entities making decisions that significantly affect individuals. The obligation is disclosure in the APP 1 Privacy Policy, not consent or human review. Begin updating the Privacy Policy in advance.

How does the Cyber Security Act 2024 sit with SOCI and NDB?

Three separate regimes. NDB: notify OAIC + individuals of data breaches likely to cause serious harm. SOCI: critical-infrastructure entities (incl. some SaaS in data storage class) report cyber incidents to ASD ACSC (12 hours significant / 72 hours other). Cyber Security Act 2024: entities above $3M turnover (and CI entities) report ransomware payments to Home Affairs within 72 hours of payment. Three different regulators, three different forms, three different timelines.
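The three-regime triage above, as an added worked example that is not part of the original playbook: given the facts of an incident it returns which of the NDB, SOCI and ransomware-payment reporting obligations are triggered, with each deadline computed from the awareness or payment time. The windows, the $3M threshold and the sample incident are constructed from the figures stated on this page, not taken from regulator guidance, and should be confirmed before use.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Reporting windows as summarised in the playbook above (constructed lookup; confirm each
# figure against the regulator's current guidance before relying on it).
NDB_ASSESSMENT_DAYS = 30          # assess a suspected breach within 30 days of awareness
SOCI_SIGNIFICANT_HOURS = 12       # SOCI incident with significant impact
SOCI_OTHER_HOURS = 72             # other SOCI-reportable incidents
RANSOM_REPORT_HOURS = 72          # ransomware payment report, counted from the payment
RANSOM_TURNOVER_THRESHOLD_AUD = 3_000_000

@dataclass
class Incident:
    aware_at: datetime                 # when the entity became aware of the suspected breach
    personal_info_involved: bool       # personal information may have been accessed or lost
    likely_serious_harm: bool          # NDB 'likely to result in serious harm' conclusion
    soci_entity: bool                  # in the SOCI data storage / processing class
    significant_impact: bool           # SOCI significant-impact limb (12-hour window)
    annual_turnover_aud: float
    ransom_paid_at: Optional[datetime] = None   # None when no ransomware payment was made

@dataclass
class Obligation:
    regime: str
    regulator: str
    action: str
    due: datetime

def reporting_obligations(inc: Incident) -> List[Obligation]:
    """Obligations triggered by the incident, earliest deadline first."""
    obs: List[Obligation] = []
    if inc.personal_info_involved:
        # 30 days is the assessment ceiling; an eligible breach is notified as soon as
        # practicable, so treat this date as the latest acceptable one, not a target.
        action = ("notify OAIC and affected individuals (eligible data breach)"
                  if inc.likely_serious_harm
                  else "finish assessing the suspected breach; notify if it proves eligible")
        obs.append(Obligation("NDB scheme (Privacy Act Pt IIIC)", "OAIC", action,
                              inc.aware_at + timedelta(days=NDB_ASSESSMENT_DAYS)))
    if inc.soci_entity:
        hours = SOCI_SIGNIFICANT_HOURS if inc.significant_impact else SOCI_OTHER_HOURS
        obs.append(Obligation("SOCI cyber-incident report", "ASD ACSC",
                              f"report the incident within {hours} hours of awareness",
                              inc.aware_at + timedelta(hours=hours)))
    if inc.ransom_paid_at is not None and (
            inc.annual_turnover_aud > RANSOM_TURNOVER_THRESHOLD_AUD or inc.soci_entity):
        obs.append(Obligation("Cyber Security Act 2024 ransomware payment report",
                              "Department of Home Affairs",
                              "report the payment within 72 hours of making it",
                              inc.ransom_paid_at + timedelta(hours=RANSOM_REPORT_HOURS)))
    return sorted(obs, key=lambda o: o.due)

def overdue(obs: List[Obligation], now: datetime) -> List[str]:
    """Regimes whose deadline has already passed at `now`."""
    return [o.regime for o in obs if o.due < now]

def sample_incident() -> Incident:
    """Constructed sample: SOCI-class SaaS host, $5M turnover, customer PII taken, ransom paid next day."""
    return Incident(aware_at=datetime(2026, 6, 1, 9, tzinfo=timezone.utc),
                    personal_info_involved=True, likely_serious_harm=True,
                    soci_entity=True, significant_impact=True, annual_turnover_aud=5_000_000,
                    ransom_paid_at=datetime(2026, 6, 2, 10, tzinfo=timezone.utc))
```

Running `reporting_obligations(sample_incident())` yields the SOCI report first (12 hours after awareness), then the Home Affairs payment report (72 hours after payment), then the NDB assessment ceiling (30 days after awareness); flipping the SOCI and turnover flags off leaves only the NDB entry.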

Last verified: 9 June 2026

Rules Mate provides citation-first reference material, not legal advice. Always consult a qualified professional for specific obligations.