Australian Privacy Laws: What Changed and What It Means


Australia’s privacy laws have undergone the most significant reforms since the Privacy Act 1988 was introduced. The changes that started rolling out in late 2025 and continue through 2026 fundamentally alter how businesses must handle personal information.

If you collect, store, or process data about Australians—which is basically every business—you need to understand what’s changed. Let’s break down what matters.

The Big Picture Changes

The Privacy Act reforms increase penalties dramatically, expand individual rights, and impose stricter requirements on businesses. Australia is essentially catching up to where Europe has been with GDPR and where other jurisdictions are heading.

Maximum penalties for serious interferences with privacy jumped from $2.22 million to the greater of $50 million, three times the value of any benefit obtained through the misuse of the information, or 30% of adjusted turnover for the period of the breach. Below that, a new mid-tier civil penalty covers interferences with privacy that fall short of serious, and the OAIC can issue infringement notices for administrative breaches such as not having a compliant privacy policy. These aren’t theoretical fines: the government is explicitly signaling that enforcement will increase.

The small business exemption threshold changed. Previously, businesses with annual turnover under $3 million were largely exempt from the Privacy Act. That exemption is narrowing significantly, bringing many more small businesses under the legislation.

Individual rights expanded. Access and correction rights already existed under APPs 12 and 13, and the OAIC expects access requests to be answered within 30 days. From June 2025 a statutory tort for serious invasions of privacy lets individuals sue directly rather than only complain to the Commissioner. Rights to object to processing and to request deletion are narrower than their GDPR equivalents and apply in specific circumstances rather than on demand, but where they apply, businesses must respond within defined timeframes.

What Counts as Personal Information

Personal information is information about an identified individual, or one who is reasonably identifiable. The reforms make explicit that technical data such as IP addresses, device identifiers, and location data can be personal information. The test is contextual: an identifier you can link to a customer record or an account is personal information, and so is one that could be linked using other data you hold. If you’re using analytics, tracking pixels, or any standard web technologies, assume you’re collecting personal information and design accordingly.

Biometric information used for automated verification or identification, biometric templates, and genetic information are “sensitive information” under the Act, which can generally only be collected with consent and where reasonably necessary for your functions. If your business uses facial recognition or fingerprint scanning for anything, including staff or customer authentication, those stricter rules apply, and stored templates need the same protection as the raw biometrics.

Inferred or derived information counts too. If you’re using AI or algorithms to make predictions or categorizations about people based on their data, that’s personal information subject to the Act.

This matters because many businesses didn’t consider themselves to be handling personal information under the old definition. Under the new rules, almost everyone is.

The rules around consent tightened. Pre-ticked boxes are not valid consent. The OAIC’s elements of consent are that it is voluntary, informed, current, and specific, and that the person has the capacity to give it. Bundling consent for multiple purposes is restricted: you can’t make agreeing to marketing a condition of using your core service.

Importantly, consent must be as easy to withdraw as it was to give. If users can sign up with one click, they need to be able to opt out with similar ease. Those deliberately complicated unsubscribe processes are now explicitly prohibited.

For children’s data, consent and parental consent requirements are being tightened, and the OAIC is developing a Children’s Online Privacy Code that will apply to online services likely to be accessed by children. If you provide such a service, you need age assurance and parental consent mechanisms. One caveat: heavy-handed age verification (collecting identity documents or biometrics from everyone) creates a new store of sensitive information, so prefer the least data-hungry method that meets the requirement and don’t retain the evidence longer than needed.

Data Breach Notification

The Notifiable Data Breaches scheme got sharper teeth, but the clock works differently from how it’s often described. When you suspect an eligible data breach, you have up to 30 days to complete an assessment of whether there are reasonable grounds to believe one occurred; once you believe it has, you must notify as soon as practicable. The 30 days is a ceiling on the assessment, not a notification deadline, and an entity that sits on a confirmed breach for weeks is not complying. The reforms add infringement notice and civil penalty options for failing to give the required notifications.

The threshold is whether the breach is likely to result in serious harm to any individual whose information is involved, taking into account what was exposed, who has it, and whether remedial action you’ve taken removes the likelihood of harm. There is no size threshold: a single misdirected email containing one person’s health or financial details can be notifiable, while a large leak of information that is already public may not be.

You must notify both the Privacy Commissioner and affected individuals. The statement must include your identity and contact details, a description of the breach, the kinds of information involved, and the steps you recommend individuals take in response. Generic “we take security seriously” statements don’t cut it; people need to know whether to change passwords, watch for phishing, or replace identity documents.

Right to Erasure (Kind Of)

Australia hasn’t adopted a full “right to be forgotten” like Europe, but there’s now a right to request deletion of personal information in certain circumstances. If you no longer need the data for the purpose you collected it, individuals can request deletion.

Businesses can refuse if they have legal obligations to retain the data (tax and accounting records, for example), but the burden is on businesses to justify retention. You can’t just keep data indefinitely because you might want it later. APP 11.2 has long required destroying or de-identifying personal information once it’s no longer needed for any permitted purpose; de-identification is an acceptable alternative where you need the transactional data but not the identity. In practice, deletion has to reach backups, logs, analytics exports, and copies held by service providers, which is where most “deleted” data actually survives.

This requires thinking about data retention policies proactively. How long do you actually need customer information? What’s your process for deletion requests? Most Australian businesses haven’t had to think about this before.
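One way to make that retention thinking concrete, as an added example that is not code from the original post: the routine below records a retention period per collection purpose, answers a deletion request with an explicit action and reason, and runs a scheduled sweep that deletes or de-identifies expired records. The purpose names, the periods, the five-year figure for tax records, and the record shape are assumptions made for illustration; check them against your own obligations.

```javascript
"use strict";

// Added example, not from the original post: per-record retention decisions.
// Purpose names, periods and the record shape are assumptions for illustration.

const DAY_MS = 24 * 60 * 60 * 1000;

// Assumption: every purpose you collect for carries an explicit retention
// period and says whether keeping the data is a legal duty or a preference,
// and whether the purpose rests on consent (a deletion request withdraws it).
const RETENTION = {
  "order-fulfilment": { days: 90,       legalObligation: false, consentBased: false },
  "tax-record":       { days: 5 * 365,  legalObligation: true,  consentBased: false },
  "marketing":        { days: 365,      legalObligation: false, consentBased: true },
};

// Latest date any purpose still justifies keeping the record, and whether a
// legal obligation is among the purposes still running. An unmapped purpose is
// a policy gap, so it fails loudly rather than silently justifying retention.
function retentionStatus(record, now, { ignoreConsentBased = false } = {}) {
  let until = null;
  let legalObligation = false;
  for (const purpose of record.purposes) {
    const rule = RETENTION[purpose];
    if (!rule) throw new Error(`no retention rule for purpose "${purpose}"`);
    if (ignoreConsentBased && rule.consentBased) continue; // consent withdrawn by the request
    const end = new Date(record.collectedAt.getTime() + rule.days * DAY_MS);
    if (end <= now) continue;                              // this purpose has expired
    if (!until || end > until) until = end;
    if (rule.legalObligation) legalObligation = true;
  }
  return { expired: until === null, until, legalObligation };
}

// An individual's deletion request. A refusal carries a concrete reason and
// an end date; "we might want it later" is never a reason.
function handleDeletionRequest(record, now = new Date()) {
  if (record.legalHold) {
    return { action: "retain", reason: "litigation hold", until: null };
  }
  const status = retentionStatus(record, now, { ignoreConsentBased: true });
  if (status.expired) {
    return { action: "delete", reason: "no remaining purpose", until: null };
  }
  const reason = status.legalObligation ? "legal retention obligation" : "purpose still current";
  return { action: "retain", reason, until: status.until.toISOString().slice(0, 10) };
}

// Scheduled sweep: expired records are deleted, or de-identified when flagged
// as still useful in aggregate (APP 11.2 permits either outcome).
function sweep(records, now = new Date()) {
  return records.map((r) => {
    if (r.legalHold || !retentionStatus(r, now).expired) return { id: r.id, action: "retain" };
    return { id: r.id, action: r.keepAggregate ? "de-identify" : "delete" };
  });
}
```

The request path ignores consent-based purposes on purpose: someone asking you to delete their data has withdrawn marketing consent, so an unexpired marketing window cannot be the reason you keep the record, whereas a live tax-record obligation can.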

Privacy Policies Actually Matter Now

Privacy policies can no longer be incomprehensible legal documents. They must be clear, concise, and easy to understand. Specific requirements exist around what must be disclosed:

  • What information you collect
  • How you use it
  • Who you share it with
  • How individuals can access or correct their information
  • Your complaint handling process
  • Whether you send data overseas, and to which countries where practicable
  • Whether you use personal information in computer programs to make, or substantially assist in making, decisions that significantly affect people, and which kinds of decisions (the automated decision-making transparency requirement, which commences in December 2026)

Tracking disclosures matter. If you use cookies or similar technologies beyond those strictly necessary to run the service, you need to tell people at or before collection (the APP 5 notice), collect only what’s reasonably necessary, and get consent where the tracking feeds marketing or profiling. Loading a third-party pixel before the visitor has made a choice is a collection you can’t justify after the fact.

Most importantly, your privacy policy must be accurate. If it says you don’t sell customer data but you actually do, that’s a breach of the Privacy Act and misleading or deceptive conduct under the Australian Consumer Law, and the ACCC has already brought misleading-conduct cases over privacy representations.

Cross-Border Data Transfers

Rules around sending personal information overseas tightened. You remain accountable for data even after you’ve transferred it to another organization, regardless of where they’re located.

Before sending data offshore, you must ensure the recipient provides substantially similar protections to Australian privacy law. This usually means contracts with specific privacy clauses, not just trusting that a foreign provider will handle it appropriately.

Cloud services complicate this. AWS, Microsoft Azure, and Google Cloud all offer Australian regions, but choosing one doesn’t settle the question: backups, replicas, support staff access, and sub-processors may still sit overseas. Pin data residency in configuration, check where the provider’s support teams and sub-processors operate, ensure appropriate contractual protections are in place, and disclose the countries involved in your privacy policy.

Direct Marketing Rules

Unsolicited marketing got harder to do legally. The existing spam rules tightened, and the privacy implications of marketing became more explicit.

You need clear consent for marketing communications. The old approach of “we collected your email so we can market to you” doesn’t work anymore. Consent must be specific to marketing, and opting out must be simple.

Behavioral advertising and tracking for marketing purposes require consent. If you’re using Facebook Pixel, Google Ads tracking, or any similar technologies, you need to disclose this and get consent.
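The consent mechanics described in the consent section and here (consent that is specific per purpose, withdrawable with the same effort as granting it, and obtained before non-essential tracking runs) are straightforward to implement. What follows is an added example, not code from the original post: a small consent manager that keeps a versioned, timestamped record of each choice and only loads a registered tracker once its category is allowed, unloading it again on withdrawal. The category names, POLICY_VERSION, the storage key, and the in-memory storage shim are assumptions for illustration; in a browser you would pass window.localStorage and have each unloader delete the tracker’s cookies.

```javascript
"use strict";

// Added example, not from the original post: consent-gated loading of
// non-essential trackers. Category names, POLICY_VERSION, STORAGE_KEY and the
// storage shim are assumptions for illustration.

const POLICY_VERSION = "2026-01";   // assumption: bump when your disclosures change
const STORAGE_KEY = "privacy-consent";

// getItem/setItem store so the example runs outside a browser; in a page,
// pass window.localStorage to the constructor instead.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

// Default is deny for everything that is not strictly necessary.
const DEFAULT_CHOICES = Object.freeze({ necessary: true, analytics: false, marketing: false });

class ConsentManager {
  constructor(storage = memoryStorage(), now = () => new Date()) {
    this.storage = storage;
    this.now = now;
    this.tags = [];   // { category, load, unload, active }
  }

  // Stored record, or null if missing, malformed, or from an older policy
  // version: a changed policy means people are asked again.
  record() {
    let rec;
    try { rec = JSON.parse(this.storage.getItem(STORAGE_KEY)); } catch { rec = null; }
    if (!rec || rec.version !== POLICY_VERSION || typeof rec.choices !== "object") return null;
    return rec;
  }

  choices() {
    const rec = this.record();
    return rec ? { ...DEFAULT_CHOICES, ...rec.choices, necessary: true } : { ...DEFAULT_CHOICES };
  }

  // Persist an explicit per-category decision with a timestamp and source:
  // the audit trail showing consent was specific and when it was given.
  save(choices, source) {
    const next = { ...DEFAULT_CHOICES };
    for (const c of Object.keys(next)) {
      if (c !== "necessary" && choices[c] === true) next[c] = true;
    }
    this.storage.setItem(STORAGE_KEY, JSON.stringify({
      version: POLICY_VERSION, at: this.now().toISOString(), source, choices: next,
    }));
    this.apply();
    return next;
  }

  // Granting and withdrawing are symmetric one-call operations.
  grant(categories) {
    const c = this.choices();
    for (const k of categories) c[k] = true;
    return this.save(c, "grant");
  }
  withdraw(categories) {
    const c = this.choices();
    for (const k of categories) c[k] = false;
    return this.save(c, "withdraw");
  }
  withdrawAll() { return this.save({}, "withdraw-all"); }

  // Register a tracker with a loader and an unloader (in a browser the
  // unloader would delete its cookies). Nothing runs until consent exists.
  register(category, load, unload) {
    if (!(category in DEFAULT_CHOICES)) throw new Error(`unknown category ${category}`);
    const tag = { category, load, unload, active: false };
    this.tags.push(tag);
    this.apply();
    return tag;
  }

  // Reconcile loaded tags with the current choices.
  apply() {
    const c = this.choices();
    for (const t of this.tags) {
      if (c[t.category] && !t.active) { t.load(); t.active = true; }
      else if (!c[t.category] && t.active) { t.unload(); t.active = false; }
    }
  }

  activeCategories() { return this.tags.filter((t) => t.active).map((t) => t.category); }
}
```

Registering the tracker through the manager rather than dropping its script tag into the page is the point: the default state loads nothing, a stale consent record from an earlier policy version is treated as no consent, and withdrawal tears the tracker down with the same single call that enabled it.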

Marketing to people whose data you bought or obtained from third parties now requires specific consent from those individuals. List buying and sharing is much riskier under the new rules.

What You Actually Need to Do

For most businesses, compliance means:

Audit what data you collect and why. Many businesses collect data because they can, not because they need it. Figure out what you actually need and stop collecting the rest.

Update your privacy policy to meet the new requirements. If yours was written by copying someone else’s and hasn’t been updated since 2015, it’s almost certainly non-compliant.

Implement proper consent mechanisms for data collection, marketing, and cookies. Pre-ticked boxes and assumed consent don’t work anymore.

Establish data breach response procedures. Know who’s responsible, what the notification process is, and how you’ll communicate with affected individuals.

Review third-party relationships to ensure data shared with service providers, cloud platforms, and business partners is properly protected.

Create processes for individual rights requests. How will you handle access requests, correction requests, and deletion requests? You need documented procedures, a way to verify the requester’s identity without over-collecting, and a target of 30 days, which is the OAIC’s benchmark for responding to access requests.

Train staff on privacy obligations. Data breaches often happen through human error, not technical failures. Everyone handling customer data needs to understand the rules.

Penalties Are Real

The government has been explicit that enforcement will increase. The Office of the Australian Information Commissioner (OAIC) has more funding and new tools: it can issue infringement notices and compliance notices, and it no longer has to prove a serious interference with privacy to obtain a civil penalty.

Recent enforcement actions give you a sense of what’s being prioritized. Cases involving failure to adequately protect data, deceptive privacy policies, and inadequate breach responses have all resulted in significant penalties.

The reputational damage from privacy violations often exceeds the financial penalties. Customers care about privacy more than they used to, and breaches make news. Especially for consumer-facing businesses, privacy violations create lasting brand damage.

When to Get Help

For small businesses with minimal data processing, you can probably handle compliance yourself using resources from the OAIC website. Their guides are actually pretty good.

If you’re processing sensitive data (health information, financial data, children’s data), handling large volumes of personal information, or operating in complex technical environments, get professional advice. Privacy lawyers or consultants who specialize in Australian privacy law can help ensure compliance.

The upfront cost is lower than the potential penalties and remediation costs if you get it wrong. Think of it as insurance that also happens to make your business more trustworthy.

The Bottom Line

Australian privacy laws now have teeth. The era of treating privacy compliance as optional or aspirational is over. Businesses that handle personal information—which is nearly all businesses—need to take this seriously.

The changes are broadly positive for consumers and create a more level playing field for businesses that were already doing the right thing. Companies that were cavalier with customer data now face real consequences.

Compliance isn’t just about avoiding penalties. It’s about earning customer trust, which is increasingly valuable as people become more aware of how their data is used and misused. Getting privacy right is good for business beyond just avoiding fines.

Start with understanding what data you have, why you have it, and how you’re protecting it. The rest flows from there. The new Australian privacy regime is complex, but it’s not impossible to comply with if you approach it systematically.

And given the penalties for non-compliance, you really don’t have a choice.