Does Your Small Business Need a Privacy Policy? Australia’s 2026 Privacy Act Changes Explained
Last updated: 8 June 2026
Does your small business need a privacy policy in Australia? Our answer is almost always yes, even though most small operators assume the law lets them off the hook. If your business turns over less than $3 million a year, the Privacy Act’s small-business exemption may mean the Act doesn’t strictly require you to have a privacy policy.
But it’s the wrong thing to fixate on, because in practice you almost certainly need one anyway. The moment you send marketing emails, run Google or Meta ads, load Google Analytics or a tracking pixel, or take online payments, the platforms you rely on contractually require a privacy policy.
Would you actually be prosecuted for not having one while you’re under $3 million? Probably not, today. But “unlikely to be prosecuted” is a long way from “fine to operate without one.” And the era of assuming you’re exempt is ending, with most owners unaware it’s happening.
Australia was once ahead of the world on privacy. We are now reforming in a hurry, and small business is about to feel the consequences. Here is what changed, what is coming, and what you should actually do about it.
Australia Was Once a Privacy Pioneer (Then We Stalled)
In 1988, Australia did something quietly forward-thinking. We passed the Privacy Act, built on the OECD’s 1980 data guidelines, at a time when most of the world hadn’t bothered. We were near the front of the pack. Then we sat on that lead for three and a half decades while the rest of the world sprinted past.
The 1988 Act was principles-based and flexible, which sounds lovely until you realise “flexible” often means “toothless.” Europe’s GDPR landed in 2018 with prescriptive rules and fines that could bring a company to its knees. Australia kept a soft-enforcement record and that gaping small-business carve-out. We didn’t fall behind by accident. We chose a low-friction regime that suited business and assumed nothing would go badly wrong. Two mega-breaches later, that assumption looks naive.
What Actually Changed in the Privacy Act
The reckoning arrived in late 2022, when Optus lost the personal details of 9.5 million customers, and Medibank watched hackers publish the health records of millions more. The result is the Privacy and Other Legislation Amendment Act 2024, which received Royal Assent on 10 December 2024. It is the most significant change to our privacy regime since the original Act, and it is more than a tweak around the edges:
- You can now be sued for serious invasions of privacy. A statutory tort commenced around 10 June 2025. Individuals no longer need to prove they suffered damage, just that the intrusion was serious and they had a reasonable expectation of privacy.
- Doxxing is now a crime. New anti-doxxing offences carry up to seven years’ jail.
- You will have to disclose your AI. From 10 December 2026, organisations must disclose when they use automated systems to make decisions about people.
- The penalties are serious. The maximum penalty for serious breaches now sits at $50 million.
- The regulator is using its teeth. Australian Clinical Labs paid a $5.8 million penalty, the first civil penalty under the Act, while the cases against Optus and Medibank grind through the courts.
The Qantas Breach: Why “Too Small to Matter” Is a Myth
In mid-2025, Qantas lost the records of around 5.7 million customers after attackers reached a third-party customer service platform used by an overseas call centre. The stolen data (names, email addresses, phone numbers, dates of birth and home addresses) was later published on the dark web when a ransom deadline passed.
Note what that is: not credit cards, not passwords, just the ordinary contact details every business holds. If an airline with a serious security budget can be breached through a supplier, the corner physio clinic has no business assuming it is safe. Attackers don’t check your revenue before phishing your staff. A plumbing firm or a physio clinic holds names, addresses, Medicare numbers and payment details, the same data the hackers wanted from Optus and Qantas, just in smaller piles that are easier to breach.
Does Your Small Business Need a Privacy Policy?
A privacy policy for small business in Australia is fast becoming table stakes for any business that collects customer data, whatever its size. Even where the exemption still technically applies, a clear privacy policy builds trust, is often required by payment providers and platforms, and protects you if a complaint or breach lands on your desk.
Is my business currently exempt from the Privacy Act?
Possibly, but check carefully. If your business turns over less than $3 million a year and you don’t provide a “designated service” (real estate agents, dealers in precious metals, lawyers, accountants and some other professional services), you may still fall under the small business exemption today. That is changing fast. From 1 July 2026, separate anti-money-laundering reforms drag more than 100,000 small businesses, including those operating a “designated service”, under the Privacy Act regardless of turnover. If you provide a designated service, the $3 million shield won’t save you.
Is the small business exemption being abolished?
That is the direction. The promised “second tranche” of reforms would scrap the exemption entirely, pulling an estimated 2.3 million additional businesses under the Act for the first time. As of mid-2026, the government still hasn’t locked in a firm commencement date (likely 2026 or 2027). Tranche two also carries heavier reforms: a “fair and reasonable” test for how data is handled, tougher consent rules, and a broader definition of personal information. “Uncertain” is not the same as “not yet,” and it is certainly not a strategy.
What should a small business privacy policy include?
At a minimum, a compliant privacy policy should cover:
- What personal information you collect and why
- How you store and secure that information
- Who you share it with, including overseas recipients and third-party platforms
- How customers can access, correct, or complain about their information
- From 10 December 2026, whether you use automated or AI-driven decision-making
It needs to reflect the Australian Privacy Principles and Australian law, not a generic overseas template copied from another website.
The Australian Privacy Principles Explained
At the centre of the Privacy Act sit the 13 Australian Privacy Principles (the APPs). They govern how organisations collect, use, store, secure, and disclose personal information, and they are the standard your business will be measured against. For years, the APPs were lightly policed. The 2024 reforms change that in two ways: they put real penalties behind the principles and widen the pool of businesses to which the principles apply. Understanding the APPs is no longer a compliance nicety for big corporates. For a growing number of small businesses, it is about to become the rulebook.
What Small Business Owners Should Do Now
Best practice isn’t complicated; it’s just unglamorous:
- Collect less. If you don’t need a customer’s date of birth, don’t ask for it, and bin the data you’re hoarding “just in case.”
- Know where personal information lives across your systems.
- Turn on multi-factor authentication and encrypt what matters.
- Write down what you’d do in the first 24 hours of a breach before you’re living through one.
- Update your privacy policy, especially if you use any automated or AI-driven decision-making.
None of this requires a six-figure consultant. It requires deciding that data is a liability, not just an asset. We were once ahead because we acted before disaster. Don’t wait for your own Optus moment.
The Privacy Act Changes at a Glance
Already locked in
- AML reforms override the exemption from 1 July 2026. Designated services (real estate agents, dealers in precious metals, lawyers, accountants and some other professional services) are covered regardless of turnover.
- Anyone can now sue for serious privacy invasions since around 10 June 2025, with no need to prove damage.
- Doxxing is a criminal offence carrying up to 7 years’ jail.
Coming (likely 2026-2027)
- The small business exemption is being abolished, pulling an estimated 2.3 million businesses under the Act.
- A “fair and reasonable” test for how you collect and use data.
- Stronger consent rules and a broader definition of personal information.
Obligations once you’re covered
- “Reasonable steps” now means real security: MFA, encryption, access controls and a written incident response plan.
- Automated decision-making disclosure from 10 December 2026.
- Penalties up to $50 million for serious breaches.
If you still have a question after reading this guide, get in touch; we’d love to add it.
Get a Privacy Policy Template Built for Australian Law
Don’t wait for the exemption to close. Our Website Privacy Policy Template is drafted by Australian-qualified lawyers, reflects the latest legislation, and is ready to tailor to your business in minutes. For full coverage, see the Terms & Conditions + Privacy Policy package.