The Australian Privacy Act 1988 regulates how businesses collect, store, use, and disclose personal information. Historically, small businesses with turnover under $3 million were exempt — but proposed reforms may remove this exemption entirely. Here's what you need to know in 2026.
1. Who Must Comply Now?
Currently, the Privacy Act applies to your business if:
- Your annual turnover exceeds $3 million.
- You provide health services (doctors, dentists, physios, psychologists) — regardless of turnover.
- You trade in personal information (data brokers, marketing list providers).
- You are a contracted service provider for a Commonwealth government contract.
- You are a reporting entity under the Anti-Money Laundering Act.
- You have opted in to coverage voluntarily.
2. The Proposed Changes
The Attorney-General's Department has recommended removing the small business exemption. If enacted, all businesses — regardless of turnover — would need to comply with the Australian Privacy Principles (APPs). While implementation timelines are uncertain, preparing now is prudent.
3. The 13 Australian Privacy Principles (APPs)
The 13 APPs cover the full lifecycle of personal information. The ones most relevant to small businesses are:
- APP 1: Have a privacy policy that explains how you handle personal information.
- APP 3: Only collect information that is reasonably necessary for your business.
- APP 5: Notify individuals about what information you're collecting and why.
- APP 6: Only use information for the purpose it was collected (or a related purpose).
- APP 8: Don't disclose personal information to overseas recipients unless they comply with equivalent privacy laws.
- APP 11: Take reasonable steps to protect information from misuse, loss, and unauthorised access.
- APP 12: Give individuals access to their personal information on request.
- APP 13: Correct information if it's inaccurate, out of date, or misleading.
4. Practical Steps for SMEs
- Create a privacy policy and publish it on your website. The OAIC provides free templates.
- Audit what data you collect (customer names, emails, phone numbers, payment details, health records?) and map where each type is stored.
- Secure your data: Use strong passwords, two-factor authentication, encrypted storage, and regular backups.
- Train your staff: Ensure everyone who handles customer data understands their obligations.
- Have a data breach response plan: The Notifiable Data Breaches (NDB) scheme requires you to notify affected individuals and the OAIC if a serious breach occurs.
5. Penalties for Non-Compliance
Penalties for serious or repeated privacy breaches are severe:
- Individuals: Up to $2.5 million per contravention.
- Companies: The greater of $50 million, three times the benefit obtained, or 30% of adjusted domestic turnover.
Key Takeaways
- Businesses over $3 million turnover, health providers, and data traders must comply now.
- The small business exemption may be removed — prepare regardless of your turnover.
- Publish a privacy policy, audit your data collection, and secure your systems.
- Have a data breach response plan — the NDB scheme requires notification.
- Penalties can reach $50 million for companies — privacy is not optional.