Most Australian small businesses have historically sat outside the Privacy Act 1988 because of the under-$3M turnover exemption. The reforms changed that. As of 1 July 2026, an estimated 100,000-plus small businesses become regulated for the first time — including many that have grown past the threshold or work in regulated supply chains.

For those businesses, the Australian Privacy Principles (APPs) become directly enforceable. The OAIC now has tiered civil-penalty powers, including infringement notices issued directly without going through court. And the statutory tort of serious invasions of privacy — which commenced June 2025 — creates a direct civil-action pathway for affected individuals.

Practical first steps: know what personal information you hold, why, and where. Have a privacy policy that matches reality (not a template inherited from a 2019 web build). Have a process for handling access and correction requests. Know who in your business is accountable. It's not a big project. It's a project you can't keep deferring.

What it means for your business: If your business is approaching or past $3M turnover, the Privacy Act will apply from 1 July 2026. Audit what personal data you hold and update your privacy policy — this quarter.
Source & reference: Corrs Chambers Westgarth — Australia's ongoing privacy reforms