Australia's Privacy Act 1988 is undergoing its most significant overhaul since it was enacted. The Privacy and Other Legislation Amendment Act 2024 (POLA 2024), passed by parliament in November 2024, completed Phase 1 of a two-phase reform. Phase 2 — expected to reach parliament by 2026 — will remove the long-standing small business exemption that currently excludes businesses with annual turnover under $3 million from most obligations under the Act. If your business collects customer names, emails, phone numbers, purchase histories, or technical identifiers such as IP addresses, you will need to comply. Penalties for serious or repeated breaches now reach up to $50 million or 30% of annual domestic turnover. This guide explains exactly what changes, when it applies to you, and the practical steps to take before the new obligations take effect.
The Small Business Exemption Is Being Removed
Since the Act came into force, a "small business exemption" has excluded businesses with annual turnover of $3 million or less from most privacy obligations. The Attorney-General's Department's Privacy Act Review Report, published in February 2023, recommended abolishing this exemption entirely, on the grounds that it is no longer appropriate in an economy where even the smallest business routinely handles significant volumes of personal data.
The Australian Government accepted this recommendation in principle in its formal response to the Review. Phase 2 legislation — the package that will implement the remaining recommendations — is expected to be introduced to parliament by 2026, with a transition period for small businesses to adjust their practices.
Important exceptions already apply under current law. Businesses that trade in personal information, operate a residential tenancy database, or are related to a larger covered entity must comply regardless of their turnover. Health service providers are also covered regardless of size. If any of these descriptions apply to your business, your obligations are immediate and not deferred.
As the Bunnings facial recognition case illustrates, the Office of the Australian Information Commissioner (OAIC) is increasingly willing to scrutinise business data practices in detail — even where a legitimate operational rationale exists.

What Now Counts as Personal Information
The reforms significantly broaden the definition of "personal information" to reflect modern data practices. Under the updated framework, personal information encompasses far more than names and contact details. It now explicitly includes:
- Technical identifiers: IP addresses, device identifiers, cookie IDs, and mobile advertising IDs
- Location data: GPS coordinates, movement patterns, and check-in history derived from mobile devices
- Inferred data: information generated by combining multiple data points, even when no single point is individually identifying
This expansion has direct consequences for everyday small business tools. If your business runs a website with Google Analytics, uses a Meta Pixel for advertising, or operates a retargeting campaign, you are collecting personal information under the reformed Act — even if you never ask customers for their name. The same applies to email platforms that track open rates and click behaviour by device.
The reforms also strengthen protections around "sensitive information," a subcategory that includes health data, biometric data, racial or ethnic origin, religious beliefs, and political opinions. Handling sensitive information requires a higher standard of protection and, in most cases, explicit informed consent before collection. Businesses operating in health, wellness, or community services should pay particular attention to this distinction.
Key Obligations That Will Apply to Small Businesses
The Phase 2 reforms introduce several obligations that will be new to most small businesses. Understanding each one is essential for planning your compliance timeline.
Consent Must Become Active and Opt-In
Current practice in many small businesses allows for implied consent — a pre-ticked checkbox, or the assumption that continuing to browse a website means a customer agrees to data collection. The reformed Act requires opt-in consent: the customer must take a deliberate, positive action before you collect and use their personal information for anything beyond the immediate transaction.
The OAIC has made clear in its reform guidance that pre-checked boxes, bundled consent embedded in terms and conditions, and consent obtained as a condition of accessing a free service will not meet the new standard. If your business currently uses any of these mechanisms, updating them before Phase 2 comes into effect is one of your most urgent tasks.
Mandatory Breach Notification Within 72 Hours
The Notifiable Data Breaches (NDB) scheme currently applies only to businesses already covered by the Act. Phase 2 will extend it to all businesses. More significantly, the proposed breach notification timeframe is 72 hours — a dramatic reduction from the current "as soon as practicable" standard, which the OAIC has historically interpreted as up to 30 days in most cases.
Meeting a 72-hour window requires a pre-built incident response plan. The steps — identify, contain, assess, and notify — need to be documented and rehearsed before a breach occurs, not constructed in the hours after one is discovered.
Individual Rights: Erasure, Access, and Correction
The reforms introduce a statutory right to erasure, allowing customers to request deletion of their personal information in specified circumstances. Alongside existing rights to access and correct their data, businesses will need to:
- Acknowledge erasure or access requests within 5 business days
- Respond substantively within 30 calendar days
- Maintain records of all requests received and how they were handled
Practical implication: if customer records are scattered across your CRM, email platform, accounting software, and paper files, you will need a data map before you can reliably fulfil an erasure request.
Privacy by Design in New Systems
Any new system, software, or process that handles personal information must incorporate privacy protections from the outset. When choosing a new point-of-sale system, booking platform, or CRM, assessing whether the vendor's data practices meet Australian privacy standards is a contractual and compliance obligation, not just a technical preference. Checking data residency (is data stored in Australia or overseas?) and what the vendor does with your customer data are now standard due diligence steps.
The Real Cost of Non-Compliance
Financial penalties for serious or repeated interference with privacy are now the greater of: $50 million, three times the value of any benefit obtained from the breach, or 30% of the entity's annual domestic turnover in the relevant period. For a small business with $2 million in annual revenue, a 30% turnover penalty equates to $600,000 — a figure that would end most small operations.
The OAIC has signalled publicly that it intends to pursue a wider range of businesses as the reforms take effect, including smaller operators who repeatedly fail to comply. Beyond fines, the regulator can require a business to undergo a privacy audit, publish a public notice about a breach, and submit a compliance program — reputational consequences that can be more damaging to a small business than the penalty itself.
The OAIC stated in its 2024 Annual Report that enforcement activity expanded across all business sizes, with regulators now empowered to investigate complaints without a formal threshold of "serious interference." Small businesses that assume they are too small to attract regulatory attention are taking a calculated risk that is not supported by the evidence.
A 90-Day Compliance Roadmap for Small Businesses
Compliance does not require a large budget or an in-house legal team. A structured 90-day approach covers the essentials before Phase 2 obligations come into effect.
Days 1–30: Audit and Map Your Data
- List every category of customer data your business collects — names, emails, purchase history, device identifiers, location data
- Identify where each type of data is stored: CRM, email marketing platform, accounting software, website analytics, paper records
- Document who within your business has access to each category, and for what purpose
- Assess whether your current consent mechanisms — sign-up forms, cookie banners, terms of service — would meet the new opt-in standard
Days 31–60: Update Policies and Controls
- Rewrite your Privacy Policy using plain language aligned with OAIC guidance, available free at oaic.gov.au
- Replace any pre-ticked consent boxes with active opt-in fields
- Enable data access and erasure workflows within your CRM or customer database
- Review third-party vendors for data residency: is customer data stored in Australia, or transferred overseas? If overseas, what country and under what safeguards?
Days 61–90: Test and Train
- Simulate a data breach response: trace the steps from discovery to OAIC notification — can you complete them within 72 hours?
- Train every staff member who touches customer data on the new obligations and your updated procedures
- Set a recurring six-month review in your calendar to reassess compliance as Phase 2 regulations are finalised
For businesses without dedicated IT staff, the decision about data security architecture and vendor selection can be complex. Understanding which IT support model suits your small business is an important part of building a sustainable compliance foundation, rather than patching individual gaps as they appear.
What Good Privacy Practice Looks Like in Practice
Consider a small e-commerce business in Melbourne selling specialty food products. Currently, it collects customer names, delivery addresses, and email addresses for order fulfilment and a monthly newsletter. It also uses Google Analytics 4 and a Meta Pixel for advertising — both of which capture device identifiers and browsing behaviour from every visitor.
Under current law, with turnover under $3 million, this business is largely exempt. Under Phase 2, it will need to: obtain explicit opt-in consent before firing the Meta Pixel; add a data retention policy limiting how long customer order data is kept; respond to any customer's erasure request within 30 days; and notify the OAIC within 72 hours if a breach of customer data occurs.
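The consent gate that the opt-in section above and this scenario both describe, written out as an added example that is not part of the original article: nothing fires on page load, the GA4 or Meta Pixel loader runs only after an explicit opt-in action, each decision is recorded with a timestamp, and withdrawal is honoured. The purpose names and loader functions are assumptions; in a real deployment the vendor snippets would be passed in as the loaders.

```javascript
// Added illustration (not from the article): consent-gated tag loading.
// Trackers are off by default, fire only after an explicit opt-in action,
// every decision is recorded with a timestamp, and withdrawal stops further use.
const PURPOSES = ["analytics", "advertising"]; // assumed purpose names

class ConsentManager {
  // loaders: purpose -> function that injects the vendor tag (e.g. the GA4
  // snippet or the Meta Pixel init). Nothing is pre-granted at construction.
  constructor(loaders, now = () => new Date()) {
    this.loaders = loaders;
    this.now = now;
    this.state = Object.fromEntries(PURPOSES.map((p) => [p, false]));
    this.loaded = new Set();
    this.log = []; // audit record of each consent decision
  }
  record(purpose, decision) {
    this.log.push({ purpose, decision, at: this.now().toISOString() });
  }
  // Call only from a deliberate user action (button click), never on page
  // load; `explicit` rejects callers that pass a pre-ticked default.
  grant(purposes, { explicit = false } = {}) {
    if (!explicit) throw new Error("consent requires a deliberate user action");
    for (const p of purposes) {
      if (!PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
      this.state[p] = true;
      this.record(p, "granted");
      // Fire the vendor tag at most once, and only now that consent stands.
      if (!this.loaded.has(p)) { this.loaders[p](); this.loaded.add(p); }
    }
  }
  withdraw(purposes) {
    for (const p of purposes) { this.state[p] = false; this.record(p, "withdrawn"); }
  }
  // Per-event check for tags already loaded (e.g. before a conversion event).
  allows(purpose) { return this.state[purpose] === true; }
}

// Constructed walk-through: records which tags fired instead of injecting scripts.
function simulateVisit() {
  const fired = [];
  const cm = new ConsentManager({
    analytics: () => fired.push("ga4"),
    advertising: () => fired.push("meta-pixel"),
  });
  const firedOnLoad = fired.length;              // page load: nothing fires
  cm.grant(["advertising"], { explicit: true }); // visitor clicks "Allow ads"
  cm.withdraw(["advertising"]);                  // later withdraws consent
  return { firedOnLoad, fired, adsAllowed: cm.allows("advertising"), log: cm.log };
}
```

The `log` array is the kind of record the reforms expect you to keep of how consent was obtained and withdrawn; persist it alongside the customer record rather than only in the browser.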
None of these steps is technically complex. But each one requires planning, updated procedures, and at least basic staff training. The businesses caught out in the first enforcement wave will be those that assumed the reforms didn't apply to them or that the implementation date was "still a long way off."
Even data that seems low-risk can raise unexpected privacy concerns, which is why the reforms treat technical identifiers as personal information deserving the same protections as names and contact details.
Key takeaway: The Privacy Act Reform 2026 is not a compliance box-ticking exercise. It is a substantive shift in how Australian law treats the relationship between businesses and the people whose data they hold. Small businesses that treat it as an opportunity to build genuine trust with their customers — rather than a burden to minimise — will be better positioned as consumers increasingly choose where to spend money based on how their data is handled.

Frequently Asked Questions About the Privacy Act Reform 2026
Will the small business exemption definitely be removed, and when?
The Australian Government accepted in principle the Privacy Act Review's recommendation to remove the exemption during its formal response in 2023. Phase 2 reforms are expected to be introduced to parliament in 2026, but the precise implementation date and any transition period have not yet been legislated. Monitor the OAIC website (oaic.gov.au) and the Attorney-General's Department for official updates. Do not wait for the legislation to be finalised before beginning your compliance work.
My business only collects email addresses for a newsletter. Do the reforms apply?
Yes. Email addresses are personal information under both the current and reformed Act. Once the small business exemption is removed, your newsletter signup process, email marketing practices, and data retention approach will all need to meet the new standards. Under the Spam Act 2003, you already need opt-in consent for commercial emails; the Privacy Act reforms strengthen and extend those requirements.
What is an "eligible data breach" under the Notifiable Data Breaches scheme?
An eligible data breach is one that is likely to result in serious harm to one or more individuals. Examples include: unauthorised access to a customer database by an external attacker; a staff member emailing a list of customer records to the wrong recipient; or a lost laptop containing unencrypted customer files. Not every breach requires notification — but you must assess each incident promptly to determine whether it meets the threshold, which is itself an obligation that requires a documented process.
What is the difference between a Privacy Policy and a Collection Statement?
A Privacy Policy is a standing document explaining how your business handles personal information generally — it must be available on your website. A Collection Statement (or "privacy notice") is a shorter, context-specific notice provided at the point of data collection — for example, on a sign-up form — explaining what specific data is being collected and why. The reforms require both to be clear, accurate, and accessible. The OAIC provides free templates for small businesses at oaic.gov.au.
Disclaimer: The information in this article is provided for general informational purposes only and does not constitute legal advice. Privacy legislation is subject to ongoing amendment as Phase 2 reforms progress through parliament. For advice specific to your business circumstances, consult a qualified privacy lawyer or contact the Office of the Australian Information Commissioner directly.

Liam O'Connell
