The headline number is real: more than 100,000 small businesses become subject to the Privacy Act from 1 July 2026. The mechanism catches people off guard, though, because it comes through the anti-money-laundering reforms, not the privacy reforms directly. From that date the AML-CTF regime extends to “tranche two” professions — lawyers, conveyancers, accountants, real-estate agents and dealers in high-value goods such as jewellers — and the privacy obligations follow the data they handle under it.
If you’re in one of those sectors and you’ve relied on the small-business exemption, that comfort is going. Note the nuance: the blanket $3 million-turnover exemption hasn’t been formally repealed yet — that’s expected in a later tranche — but the AML-CTF path pulls you in regardless for the data you handle under the new obligations.
The practical work is unglamorous and overdue: know what personal information you hold and why, write or refresh a privacy policy that maps to the Australian Privacy Principles, lock down access and storage, and have a breach-response process you could actually run. Start now; 1 July is not far, and the AML and ADM changes stack on top.
