Privacy Compliance Guide

Privacy Act 2026: What Australian Small Businesses Actually Need to Do

A plain-English breakdown of the Privacy Act reforms and the practical steps small businesses need to take in 2026.

Why the Privacy Act changes matter for small business

Australia's Privacy Act 1988 is undergoing its most significant reform in decades. The changes flow from the government's 2023 response to the 2022 Privacy Act Review. The first tranche was legislated in the Privacy and Other Legislation Amendment Act 2024; the remaining proposals, including several described on this page, are still to be legislated and their final form may differ. Taken together, the reforms strengthen individual rights, increase penalties, and expand obligations for businesses that handle personal information.

Critically, the reforms are expected to remove or narrow the small business exemption that currently lets most businesses with an annual turnover of $3 million or less opt out of the Act. Note that some small businesses are already covered regardless of turnover, including health service providers, businesses that trade in personal information, and contractors providing services under a Commonwealth contract. If the exemption is removed, hundreds of thousands of other Australian small businesses will become subject to the Act for the first time.

Even if you're already covered, the new rules are stricter — and the penalties are much higher.

Key changes you need to know about

Higher penalties

Since December 2022, the maximum penalty for a serious or repeated interference with privacy is the greater of $50 million, three times the value of any benefit obtained from the conduct, or 30% of the entity's adjusted turnover during the breach period. The 2024 amendments also added a lower tier of penalties, including infringement notices for specified administrative breaches, so smaller failures can now be penalised without the OAIC needing to prove "serious" conduct. The message is clear: non-compliance is expensive.

Stronger individual rights

Individuals already have rights to access and correct their personal information under Australian Privacy Principles 12 and 13; an organisation must respond to an access request within 30 days. The Review proposes adding a right to request deletion and tightening the existing rights. Businesses need a documented process to receive, verify, and respond to these requests within the required timeframes.

Consent must be meaningful

Pre-ticked boxes and bundled consent buried in terms and conditions will no longer be sufficient. The OAIC already expects consent to be voluntary, informed, current, and specific; the Review proposes writing that definition into the Act and adding that consent must be unambiguous and as easy to withdraw as it was to give.

Privacy by design

Businesses will be expected to consider privacy from the start when building systems or processes, not bolt on a privacy policy at the end. In practice this means running a privacy impact assessment before introducing a new system or data flow that handles personal information, and keeping the assessment as evidence.

Notifiable Data Breaches scheme — tighter obligations

If personal information you hold is lost, or accessed or disclosed without authorisation, and this is likely to result in serious harm to any affected individual, it is an eligible data breach under the Notifiable Data Breaches scheme. You must assess a suspected breach within 30 days and, once you believe it is eligible, notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable. The Review proposes shortening these timeframes and clarifying what counts as "serious harm".

Privacy Act compliance checklist for small businesses

Work through this list and keep evidence of each action taken.

1. Know what personal information you hold

  • Map all the personal information your business collects (customers, employees, contractors)
  • Identify where it is stored (spreadsheets, software, paper files, cloud services)
  • Identify who has access to it
  • Identify how long you keep it, and how you destroy or de-identify it once it is no longer needed (APP 11.2)
  • Flag any sensitive information (health, biometric, racial or ethnic origin, criminal record), which attracts stricter collection rules

2. Update your privacy policy

  • Privacy policy is publicly available (on your website)
  • Policy accurately describes what information you collect and why
  • Policy explains how individuals can access or correct their information
  • Policy explains how to make a privacy complaint
  • Policy is written in plain English — not legal jargon

3. Consent and collection

  • Only collecting information that is reasonably necessary for one or more of your business functions or activities (APP 3); sensitive information such as health data is collected only with consent
  • Individuals informed of why you are collecting their information, and who it may be disclosed to, at or before the time of collection (APP 5)
  • Consent is specific and not buried in terms and conditions
  • Consent records kept (what was agreed to, when, and how) so you can prove it was given

4. Data breach readiness

  • Data breach response plan documented, including who decides whether a breach is notifiable
  • Staff know how to identify and report a suspected breach
  • Assessment of a suspected breach completed within the 30-day limit, with the assessment recorded
  • OAIC notification process understood and documented, including the information the statement to the OAIC must contain
  • Contact details for OAIC saved and accessible

5. Individual rights requests

  • Process in place for handling access requests (requests to see personal information), including verifying the requester's identity before releasing anything
  • Process in place for handling correction requests
  • Process in place for handling deletion requests, ready for the proposed right to erasure
  • Timeframes for responding to requests understood and tracked (30 days for access requests)

Industries most affected

Australian SMEs in the following industries handle significant volumes of personal and sensitive information and face the greatest compliance risk under the new Privacy Act framework:

  • Aged care and home care — health information, sensitive personal data, carer records
  • Childcare and early education — child and family information, health records
  • Allied health — health information covered by stricter sensitive information rules
  • Construction and trades — employee records, subcontractor information
  • Food service and hospitality — customer data, loyalty programs, employee records

Turn your privacy policy into tracked obligations

CompliAI reads your privacy policy and compliance documents, extracts every obligation, and turns them into tasks with due dates and an audit trail — so you can prove you've met your Privacy Act obligations when it matters.

Try CompliAI free →

Useful Privacy Act resources

  • Office of the Australian Information Commissioner — oaic.gov.au
  • Privacy Act Review Report — ag.gov.au/rights-and-protections/privacy
  • Notifiable Data Breaches scheme — oaic.gov.au/privacy/notifiable-data-breaches
  • Australian Privacy Principles — oaic.gov.au/privacy/australian-privacy-principles