Independent compliance guidance tool. Not affiliated with the Australian Government or OAIC. For official information visit oaic.gov.au
December 2026 deadline approaching

Is your small business ready for
Australia’s new privacy laws?

Answer 5 plain-English questions. Get a clear, personalised compliance result in under 2 minutes. Free — no signup required.

✓ Free tool ✓ No signup ✓ Updated July 2026 ✓ Privacy Act 1988 (Cth)

Your Business Details


The $3M threshold is the current small business exemption line — but it is being phased out entirely by December 2026.

Some industries are regulated regardless of turnover — especially health, finance, and businesses covered under AML/CTF law from July 2026.

Personal information includes: customer names, emails, phone numbers, dates of birth, payment details, booking records, photos, IP addresses, and employee records.

This includes tools you may not think of as “AI”: Mailchimp, Meta Ads, HubSpot, Google Ads, Microsoft 365 Copilot, Xero (automated reporting), AI chatbots, automated scheduling, credit scoring, or any tool that makes automated decisions about people.

Select all that apply. These categories carry stricter consent rules and are an OAIC enforcement priority.


Example Result

Likely Regulated — Action Required

Your business is likely regulated under the Privacy Act

This example shows a retail business under $3M turnover collecting customer data. Fill in your details above and click Calculate to get your personalised result.

Assessment confidence: High (based on your answers)
ℹ️ This is an indicative assessment only — not a legal determination of your obligations. Results are based on your self-reported answers. Seek independent legal advice for your specific circumstances.

Key Deadlines That Apply to You

1 Jul 2026 AML/CTF Tranche 2 — real estate agents, accountants, lawyers, and high-value goods dealers became regulated under the Privacy Act.
Dec 2026 Small business exemption removed. All businesses collecting personal information will be regulated under the Privacy Act.
10 Dec 2026 AI and automated decision-making must be disclosed in your privacy policy under new APP 1.7–1.9. Children’s Online Privacy Code takes effect.

Penalty Exposure

Up to $50M

Serious or Repeated Privacy Breach

Federal Court can impose $50M, three times the benefit obtained, or 30% of adjusted turnover — whichever is highest.

$66,000

Non-Compliant Privacy Policy

OAIC can issue this directly — no court process required. Applies if your policy is missing, outdated, or does not meet APP 1.

Civil Penalty

Failure to Notify a Data Breach

Under the NDB scheme, failing to notify affected individuals and the OAIC of an eligible breach attracts separate civil penalties.

Note: Maximum penalties generally apply in serious or repeated cases. Most first-time compliance issues are resolved through OAIC guidance or infringement notices.

Your Likely Obligations

You will likely need a compliant Privacy Policy published on your website, naming all data you collect and why (APP 1).
You will likely need to notify customers at the point of collection what data you are collecting and how it will be used (APP 5).
You will likely need to take reasonable security steps to protect personal information (APP 11).
You will likely need a documented Notifiable Data Breach response plan.

Your Next Steps

Audit your data

List every type of personal information you collect, where it is stored, who can access it, and whether it is shared with third-party services.

Update your privacy policy

Your policy must reflect your actual data practices, name all third-party tools, and disclose any AI or automated decision-making use by December 2026.

Get professional advice

Visit oaic.gov.au or speak with a privacy lawyer to confirm your specific obligations and get a compliant privacy policy drafted.

Legal Disclaimer: This tool provides general information only and does not constitute legal advice. Results are indicative only and are not a determination of legal obligations. Based on self-reported answers and the law as at July 2026. Seek independent legal advice for your specific circumstances. Last updated: July 2026 · v1.1
Privacy Act 2026 Guide

Why This Matters Now

Australia’s largest privacy reform in decades

The Privacy Act 1988 is being overhauled. The changes are not minor amendments — they are a fundamental expansion of who is regulated, what is required, and how penalties are enforced.

2.5M: Small businesses newly regulated by December 2026
$50M: Maximum penalty for serious privacy breaches
$66K: OAIC direct fine, no court required

OAIC launched its first-ever active compliance sweep in January 2026

Real estate agents, pharmacists, car rental companies, licensed venues, and pawnbrokers were targeted first. Proactive enforcement has replaced reactive complaint handling.

About This Tool

How the checker works

The checker maps your five answers against current Privacy Act rules, AML/CTF Tranche 2 industry designations, and the December 2026 reform timeline. Here is what each question measures and why it matters.

Question 1

Annual Turnover

The $3M line is the current small business exemption threshold. Businesses above it are already regulated. Businesses below it may be exempt now — but all businesses are expected to be regulated by December 2026 regardless of turnover when the exemption is removed.

Under $3M · $3M–$50M · Over $50M

Question 2

Industry

The most critical question. Health services, financial services, and childcare have always been regulated. Real estate agents, accountants, lawyers, and high-value goods dealers became regulated from 1 July 2026 through AML/CTF Tranche 2 — regardless of their turnover.

Health · Finance · Real estate · Accountants · Lawyers

Question 3

Personal Information

A business collecting zero personal data has minimal obligations even when regulated. Most businesses collect data without realising — customer names, emails, booking info, IP addresses, and employee records all count.

Names · Emails · Payment info · IP addresses

Question 4

AI and Automated Tools

From 10 December 2026, regulated businesses using automated decision-making must disclose this in their privacy policy. This catches many common tools — Mailchimp, Meta Ads, HubSpot, Google Ads, and automated CRM features all potentially qualify.

Mailchimp · Meta Ads · HubSpot · Google Ads · Xero

Question 5

Sensitive Data Categories

Specific categories carry stricter consent requirements and higher security obligations. They are also enforcement priorities for the OAIC. Children’s data additionally triggers the new Children’s Online Privacy Code by December 2026.

Health info · Financial info · Biometric · Children’s data · Gov. IDs

Critical Dates

The 2024–2026 Privacy Act timeline

These are the legislated dates that determine when obligations begin. Missing a deadline increases your liability — it does not reduce it.

10 December 2024

Privacy and Other Legislation Amendment Act 2024 — Royal Assent

Most significant reform in 30 years. Introduced the statutory tort, new APP 1 obligations, expanded OAIC enforcement powers, and the $66,000 direct infringement notice power.

All regulated entities · OAIC new powers · Statutory tort

June 2025

Statutory Tort for Serious Invasions of Privacy Commences

Individuals gained the right to sue organisations directly in court for serious privacy invasions — without going through the OAIC first.

Individual right to sue · Direct court action

January 2026

OAIC Launches First-Ever Active Compliance Sweep

The OAIC began proactively auditing businesses. First targets: real estate agents, pharmacies, car rental companies, licensed venues, and pawnbrokers.

Real estate · Pharmacy · Car rental · Licensed venues

1 July 2026

AML/CTF Tranche 2 — 100,000+ Businesses Newly Regulated

Accountants, tax agents, lawyers, conveyancers, real estate agents, and high-value goods dealers brought into the Privacy Act regime regardless of turnover.

Accountants · Lawyers · Real estate · High-value goods

10 December 2026

Full Exemption Removal + AI Disclosure + Children’s Code

Small business exemption removed entirely. New APP 1.7–1.9 mandate AI and automated decision-making disclosure. Children’s Online Privacy Code registered.

All businesses · AI disclosure · Children’s Code · 2.5M SMBs

Who Is Affected

Which Australian industries are regulated

Regulation depends on your industry and turnover. Some sectors are regulated regardless of size.

🏥 Health Services: Always Regulated

💰 Financial Services: Always Regulated

🎓 Childcare / Education: Always Regulated

🏠 Real Estate Agents: From 1 July 2026

📊 Accountants / Tax Agents: From 1 July 2026

⚖️ Lawyers / Conveyancers: From 1 July 2026

💎 High-Value Goods: From 1 July 2026

🛒 Retail / eCommerce: By December 2026

Hospitality / Cafes: By December 2026

🔧 Trades / Construction: By December 2026

| Industry | From | Status | Reason |
|---|---|---|---|
| Health services | Always | Always | Health records — APP 3 sensitive category |
| Financial services / AFSL/ACL | Always | Always | ASIC / Privacy Act linkage |
| Childcare / Schools | Always | Always | Sensitive data about minors |
| Real estate agents | 1 Jul 2026 | AML Tranche 2 | AUSTRAC — AML/CTF Act expanded |
| Accountants / Tax agents | 1 Jul 2026 | AML Tranche 2 | Reporting entity — AML/CTF Act |
| Lawyers / Conveyancers | 1 Jul 2026 | AML Tranche 2 | Designated service provider |
| High-value goods dealers | 1 Jul 2026 | AML Tranche 2 | Cash transaction reporting — AUSTRAC |
| Retail / eCommerce | Dec 2026 | Exemption Removal | Small business exemption removed |
| Hospitality / Food | Dec 2026 | Exemption Removal | Small business exemption removed |
| Construction / Trades | Dec 2026 | Exemption Removal | Small business exemption removed |

Your Legal Obligations

The Australian Privacy Principles explained simply

Regulated businesses must comply with 13 Australian Privacy Principles. The four most commonly relevant for small businesses are shown first.

APP 1

Transparent Privacy Policy

You must have a clear, up-to-date privacy policy describing what you collect, how you use it, and who you share it with. From December 2026 it must also disclose AI use.

APP 5

Notification at Point of Collection

You must notify individuals at the point of data collection — what you are collecting, why, and who you might share it with.

APP 11

Security of Personal Information

You must take reasonable steps to protect personal information from misuse, loss, and unauthorised access or disclosure.

APP 12

Access and Correction

Individuals have the right to request access to personal information you hold about them and ask you to correct inaccurate data.

APP 2

Anonymity and Pseudonymity

Where practicable, individuals must be able to interact with you anonymously or using a pseudonym.

APP 3

Collection of Solicited Information

You may only collect personal information that is reasonably necessary for your business functions. Sensitive information requires explicit consent.

APP 4

Unsolicited Personal Information

If you receive personal information you did not request, you must assess whether you could lawfully have collected it. If not, destroy or de-identify it.

APP 6

Use or Disclosure

You may only use personal information for the primary purpose it was collected for. You need consent for anything else.

APP 7

Direct Marketing

You may only use personal information for direct marketing with consent, or for current customers with similar offers. Always provide an easy opt-out.

APP 8

Cross-Border Disclosure

Before sending personal information to overseas recipients — including cloud services like Google, Xero, or Mailchimp — you must ensure they protect data to APP standards. Disclose this in your privacy policy.

APP 9

Government Identifiers

You must not use government identifiers (TFN, Medicare, passport) as your own customer identifier unless required by law.

APP 10

Quality of Personal Information

Take reasonable steps to ensure personal information is accurate, up-to-date, and complete — especially before making decisions about individuals.

APP 13

Correction of Personal Information

Individuals may request correction of inaccurate data. You must take reasonable steps to correct it and notify third parties where practicable.

Common Questions

Frequently asked questions from Australian SMBs

Yes — if you operate in a regulated industry (health, financial services, real estate, accounting, legal), you need a compliant privacy policy now. For all other sole traders collecting personal information, you will need one by December 2026. Business structure does not affect your Privacy Act obligations — what matters is what information you collect and what industry you are in.

Yes — two obligations apply. First, each platform receives personal information from your customers, so they are third-party disclosures that must be listed in your privacy policy. Second, all three are US-based, which triggers APP 8 cross-border disclosure obligations. Your privacy policy must acknowledge these overseas disclosures. These tools may also qualify as automated decision-making under the December 2026 AI disclosure rules.

Almost certainly yes. If you are in a regulated industry (health, finance, real estate, accounting, law), you are already regulated now regardless of turnover. For all other businesses under $3M, the small business exemption is being removed by December 2026. This affects an estimated 2.5 million Australian businesses. Monitor the Attorney-General’s Department website for confirmed commencement dates.

Yes. Under the 2024 reforms, the OAIC can issue infringement notices of up to $66,000 directly — no Federal Court process required. This power is designed for issues like missing or non-compliant privacy policies. If you do not pay, the OAIC can escalate to the Federal Court where penalties can reach $50 million. Maximum penalties generally apply in serious or repeated cases, not minor or first-time issues.

An eligible breach occurs when personal information is accessed or lost without authorisation AND the breach is likely to result in serious harm to one or more individuals AND you have not been able to prevent that harm. Examples: hacked customer database, stolen laptop with staff records, accidental email to wrong recipient containing sensitive data. If regulated, you must notify affected individuals and the OAIC as quickly as practicable.

Sources and References

Where this information comes from

Office of the Australian Information Commissioner (OAIC)

oaic.gov.au/privacy/privacy-for-organisations/small-business

Primary regulatory authority — official SMB guidance.

Privacy and Other Legislation Amendment Act 2024

legislation.gov.au

Source legislation for the statutory tort, APP 1 amendments, infringement notice powers, and penalty increases.

AUSTRAC — AML/CTF Tranche 2 Reforms

austrac.gov.au

AML/CTF reforms that brought accountants, lawyers, real estate agents and high-value goods dealers into the regulated population from 1 July 2026.

Attorney-General’s Department — Privacy Act Review

ag.gov.au

Government department responsible for the small business exemption removal and overall Privacy Act reform program.

General information only

This guide provides general information about the Privacy Act 1988 (Cth) and its reforms. It does not constitute legal advice. The law is subject to change. Seek independent legal advice from a qualified Australian privacy lawyer. Last updated: July 2026 · v1.1

Information sourced from the OAIC, the Privacy Act 1988 (Cth), and the Privacy and Other Legislation Amendment Act 2024.

This free tool is for general guidance only — not legal advice. Not affiliated with the Australian Government or OAIC.