Free tool
Privacy Act 2026 readiness
The Privacy Act reforms are landing in stages — the statutory tort is already live, and automated decision-making transparency plus the Children's Online Privacy Code commence on 10 December 2026. Removing the small-business exemption (which would bring ~2 million SMBs into scope) is proposed for a future tranche but not yet law. This tool scores your privacy program across 10 control areas and prioritises gaps by severity.
Readiness score
0/100
Band
Exposed — significant remediation required
Context
- You are an APP entity now. The 2024 amendments (statutory tort, enhanced penalties, doxxing offence) already apply.
Gaps to close
- highPrivacy Policy
Build a privacy policy — covers app 1.3 — open and transparent management of personal information.
- highData inventory / data map
Build a data inventory / data map — covers knowing what personal info you hold (foundational).
- highConsent management
Build a consent management — covers app 3 / app 6 — consent capture and renewal.
- highNDB breach response plan
Build a ndb breach response plan — covers part iiic — notifiable data breaches.
- highStaff privacy training
Build a staff privacy training — covers reasonable steps under app 11.1.
- highSecurity controls
Build a security controls — covers app 11.1 — reasonable steps to protect.
- highVendor data processing agreements
Build a vendor data processing agreements — covers app 8 — overseas disclosure.
- highAccess & correction process
Build a access & correction process — covers app 12 / app 13.
- highAutomated decision-making register & transparency
Build a automated decision-making register & transparency — covers 2026 adm transparency requirements.
- highPrivacy complaints process
Build a privacy complaints process — covers app 1 + complaint-handling expectations.
Sources
Reference tool — not legal advice. Further privacy reforms, including removal of the small-business exemption, remain proposed and are not yet law; this tool reflects the obligations now in force plus the reforms commencing 10 December 2026.
Related tools
Frequently asked questions
- What changes on 10 December 2026?
- Automated decision-making transparency obligations and the Children's Online Privacy Code commence on 10 December 2026 (two years after the Privacy and Other Legislation Amendment Act 2024 received assent). Removal of the small-business exemption is often discussed alongside these reforms, but it is not part of this commencement — it remains proposed for a future tranche and is not yet law.
- Does the small-business exemption still apply now?
- Yes. Businesses with annual turnover under $3M are exempt unless they fall into an existing carve-out (health service providers, businesses trading in personal information, credit reporting, etc.). Removing the exemption is proposed for a future reform tranche — it is not yet law and has no commencement date, so the exemption still applies today.
- What's the statutory tort for privacy?
- A new cause of action for serious invasions of privacy is already in force following the Privacy and Other Legislation Amendment Act 2024 — individuals can sue directly for serious privacy invasions, separate from OAIC enforcement.
- What are the maximum penalties?
- Up to $50M, or 3× the benefit obtained, or 30% of adjusted turnover during the breach period — whichever is greatest — for serious or repeated interferences with privacy.
Not sure which obligations apply to you?
Run the Compliance Fingerprint — a 2-minute structured assessment that maps your business to every obligation, deadline and regulator that triggers.
Build my Compliance Fingerprint →