Australia’s Privacy Act 1988 is undergoing its most significant overhaul in decades. Following the Attorney-General’s Privacy Act Review Report published in 2023 and a series of legislative proposals throughout 2024 and 2025, the Australian Government has committed to reforms that will fundamentally change who must comply with privacy law and what compliance looks like. The most consequential change for small businesses is the potential removal of the small business exemption, currently scheduled for implementation by December 2026. For Australian website operators, particularly those who have never needed to think about the Privacy Act, the time to prepare is now, not December.
The Small Business Exemption: What It Is and Why It Matters
Since the Privacy Act was extended to the private sector in 2001, it has included an exemption for organizations with annual turnover of $3 million (AUD) or less. This exemption means that the vast majority of Australian small businesses, sole traders, and micro-enterprises are not currently required to comply with the Australian Privacy Principles (APPs) that govern how personal information is collected, stored, used, and disclosed.
The exemption was introduced at a time when small businesses had limited capacity to collect and process personal information at scale. In 2001, a local bakery was unlikely to have a website, collect email addresses through digital forms, or use a cloud-based CRM system. The threshold reflected a reasonable assumption that small businesses posed minimal privacy risk.
That assumption no longer holds. In 2026, even a sole trader running an online store collects names, email addresses, shipping addresses, payment details, and browsing behavior data through analytics tools. A local gym with a booking system processes biometric data through access cards. A freelance consultant using a CRM stores detailed records about client interactions and billing.
The Attorney-General’s review acknowledged this reality and recommended removing the small business exemption entirely. The Government accepted this recommendation in principle and the legislative amendments are progressing through Parliament with a target implementation date of December 2026.
For the approximately 2.5 million Australian small businesses currently exempt, this is a seismic shift. Businesses that have never drafted a privacy policy or considered their data handling obligations will suddenly be subject to the same 13 Australian Privacy Principles that currently apply to Australian Government agencies, organizations above the turnover threshold, health service providers, and certain other small businesses (for example, those that trade in personal information).
Enhanced Transparency for Automated Decisions
The Privacy Act reforms include new requirements around transparency and accountability for automated decision-making systems. These provisions are scheduled to take effect alongside the small business exemption removal in December 2026.
Under the proposed amendments, any organization that uses automated systems to make decisions that significantly affect individuals must provide meaningful information about those systems. The transparency obligation has several components.
Disclosure in privacy policies. Organizations must disclose in their privacy policies whether they use automated decision-making systems that significantly affect individuals. The disclosure must describe the types of personal information used as inputs, the general logic involved in the decision-making process, and the types of decisions that may result. Vague descriptions like “we may use automated systems” are insufficient. The disclosure must be specific enough for an individual to understand how automation affects their interaction with the organization.
Right to explanation. When an automated decision significantly affects an individual, that individual has the right to request a meaningful explanation of how the decision was reached. This does not require organizations to disclose proprietary algorithms or trade secrets, but it does require an explanation that goes beyond “the system decided.” The explanation must address the key factors that influenced the decision and any personal information that was used.
Right to human review. Individuals must have the right to request that a human review an automated decision that significantly affects them. The human reviewer must have genuine authority to overturn or modify the automated decision, not merely rubber-stamp it.
For website owners, these requirements apply to any automated process that uses personal information to make decisions about individuals. This includes automated eligibility determinations for financial products, algorithmic content moderation decisions, automated account suspension or restriction systems, dynamic pricing based on user behavior or profile, and automated fraud detection that blocks transactions or restricts access.
Any website using AI or algorithmic tools to make decisions about Australian users needs to audit those systems, document their logic, and build mechanisms for explanations and human review upon request.
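The following is an added example, not code from the original article, of what "document their logic and build mechanisms for explanations and human review" can look like in practice: an automated fraud check that records every input and weighted factor behind its outcome, a function that turns that record into a plain-language explanation, and a review step that only a reviewer with genuine override authority can complete. The rules, weights, threshold, field names and the constructed sample order are assumptions for illustration.

```javascript
// Added example (not from the original article). Weights, threshold and field names
// are assumptions chosen to illustrate an explainable, reviewable automated decision.
const BLOCK_THRESHOLD = 60;

// Each rule names the personal information it reads and the weight it contributes,
// so the decision record can later answer "which factors and which data were used?".
const FRAUD_RULES = [
  { factor: "shipping_billing_mismatch", weight: 40, inputs: ["shippingCountry", "billingCountry"],
    applies: (o) => o.shippingCountry !== o.billingCountry },
  { factor: "high_value_order", weight: 30, inputs: ["amountAud"],
    applies: (o) => o.amountAud > 1000 },
  { factor: "new_account", weight: 20, inputs: ["accountAgeDays"],
    applies: (o) => o.accountAgeDays < 7 },
  { factor: "repeated_payment_failures", weight: 30, inputs: ["failedPaymentAttempts"],
    applies: (o) => o.failedPaymentAttempts >= 3 },
];

// Run the automated check and return a full decision record, not just a verdict.
function decideOrder(order, now = new Date()) {
  const factors = [];
  for (const rule of FRAUD_RULES) {
    if (rule.applies(order)) {
      factors.push({ factor: rule.factor, weight: rule.weight,
        inputs: Object.fromEntries(rule.inputs.map((k) => [k, order[k]])) });
    }
  }
  const score = factors.reduce((sum, f) => sum + f.weight, 0);
  const decision = score >= BLOCK_THRESHOLD ? "blocked" : "allowed";
  return {
    orderId: order.orderId, decision, automatedDecision: decision, score,
    threshold: BLOCK_THRESHOLD, factors, decidedAt: now.toISOString(), review: null,
  };
}

// Produce the explanation an individual can request: the outcome, the key factors that
// influenced it and the personal information each factor used. No model internals needed.
function explainDecision(record) {
  const lines = [`Order ${record.orderId} was ${record.decision} by an automated check ` +
    `(score ${record.score}, threshold ${record.threshold}).`];
  if (record.factors.length === 0) lines.push("No risk factors applied.");
  for (const f of record.factors) {
    const used = Object.entries(f.inputs).map(([k, v]) => `${k}=${v}`).join(", ");
    lines.push(`- ${f.factor} (+${f.weight}), based on: ${used}`);
  }
  if (record.review) lines.push(`Reviewed by a person on ${record.review.at}: ` +
    `${record.review.outcome} (${record.review.reason}).`);
  return lines.join("\n");
}

// Human review: the reviewer must hold override authority, and the original automated
// outcome is preserved alongside the human outcome so the record stays auditable.
function humanReview(record, reviewer, outcome, reason, now = new Date()) {
  if (!reviewer || reviewer.canOverride !== true) {
    throw new Error("reviewer lacks authority to overturn automated decisions");
  }
  if (outcome !== "allowed" && outcome !== "blocked") throw new Error("invalid outcome");
  return { ...record, decision: outcome,
    review: { reviewer: reviewer.id, outcome, reason, at: now.toISOString() } };
}

// Constructed sample order (not real data): country mismatch on a brand-new account.
const SAMPLE_ORDER = { orderId: "A-1001", shippingCountry: "NZ", billingCountry: "AU",
  amountAud: 250, accountAgeDays: 2, failedPaymentAttempts: 0 };
```

A practical consequence of this shape: the explanation is generated from the stored record rather than by re-running the rules, so it still matches what the individual experienced even after the rules have changed.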
New Consent Requirements: The End of Pre-Ticked Boxes
The Privacy Act reforms introduce explicit standards for what constitutes valid consent for the collection and use of personal information. These standards align more closely with international best practices established by the EU GDPR and bring Australian consent requirements into the modern era.
Under the current Privacy Act, consent is one of several bases for handling personal information, but the Act provides limited guidance on what makes consent valid. The reforms address this gap directly.
Consent must be voluntary. Consent is not valid if the individual had no genuine choice, if consent was a condition for accessing a service that does not require the personal information in question, or if the individual was subjected to undue pressure. Bundled consent, where agreement to data collection is embedded within broader terms of service without separate acknowledgment, is explicitly insufficient.
Consent must be informed. The individual must be told, in clear and plain language, what personal information will be collected, why it is being collected, who it will be shared with, and how long it will be retained. The information must be provided at the time consent is sought, not buried in a separate privacy policy that the individual is unlikely to read.
Consent must be specific. Blanket consent to all data processing activities is not valid. Each distinct purpose for collection must be separately identified, and the individual must be able to consent to some purposes while declining others. This is particularly relevant for websites that collect personal information for multiple purposes, such as service delivery, marketing, analytics, and third-party sharing.
Consent must be current. Consent obtained years ago under different conditions does not remain valid indefinitely. Organizations must refresh consent when their data practices change materially.
Pre-ticked boxes are not consent. The reforms explicitly state that pre-selected checkboxes, opt-out mechanisms presented as default consent, and inferred consent from inaction do not constitute valid consent. Any website using pre-ticked boxes for newsletter subscriptions or marketing permissions must redesign its forms to use unticked checkboxes or equivalent affirmative mechanisms.
For website owners, the consent reforms require a comprehensive review of every point at which the website collects personal information and seeks consent. Contact forms, newsletter signup forms, checkout processes, account registration flows, and cookie consent mechanisms all need to be evaluated against the new standards.
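As an added example, not code from the original article, the block below shows the two sides of the consent review described above: an audit check that finds pre-ticked checkboxes in a form's markup, and server-side handling that records consent per purpose, ignores any bundled "agree to everything" field, treats a missing checkbox as a decline rather than inferred consent, and refuses to rely on consent given under an earlier policy version. The purpose names, form field names, policy version and the constructed sample form are assumptions for illustration.

```javascript
// Added example (not from the original article). Purpose names, field names and the
// policy version are assumptions; the sample form HTML is constructed for the demo.
const CONSENT_PURPOSES = ["service_delivery", "marketing", "analytics", "third_party_sharing"];
// Bump this whenever data practices change materially; older consent then needs refreshing.
const CURRENT_POLICY_VERSION = "2026-01";

// Audit check: return the names of checkbox inputs in the HTML that carry a `checked`
// attribute. Any consent checkbox listed here defaults to "yes" and must be changed.
function findPreTickedCheckboxes(html) {
  const inputs = html.match(/<input\b[^>]*>/gi) || [];
  const found = [];
  for (const tag of inputs) {
    if (!/type\s*=\s*["']?checkbox/i.test(tag)) continue;
    if (!/\bchecked\b/i.test(tag)) continue;
    const name = tag.match(/name\s*=\s*["']([^"']+)["']/i);
    found.push(name ? name[1] : "(unnamed)");
  }
  return found;
}

// Build a consent record from submitted form fields. A purpose is granted only when its
// own checkbox was submitted as "on". A single bundled field such as agree_all is ignored,
// and a field that is absent means the person declined; nothing is inferred from silence.
function recordConsent(fields, now = new Date()) {
  const purposes = {};
  for (const p of CONSENT_PURPOSES) purposes[p] = fields[`consent_${p}`] === "on";
  return { purposes, policyVersion: CURRENT_POLICY_VERSION, recordedAt: now.toISOString() };
}

// Decide whether a stored record still permits a given use. Consent recorded under a
// superseded policy version is treated as lapsed so the person can be asked again.
function consentAllows(record, purpose) {
  if (!CONSENT_PURPOSES.includes(purpose)) return false;
  if (!record || record.policyVersion !== CURRENT_POLICY_VERSION) return false;
  return record.purposes[purpose] === true;
}

// Constructed sample signup form: the marketing box is pre-ticked, and there is a
// bundled "agree to everything" box. Both are the patterns the reforms rule out.
const SAMPLE_FORM_HTML = `
<form method="post" action="/signup">
  <input type="email" name="email" required>
  <label><input type="checkbox" name="consent_service_delivery"> Use my details to fulfil my order</label>
  <label><input type="checkbox" name="consent_marketing" checked> Send me marketing emails</label>
  <label><input type="checkbox" name="agree_all"> I agree to everything in the terms</label>
</form>`;
```

Running findPreTickedCheckboxes over each form's rendered HTML is a cheap check to add to a site's test suite, so a pre-ticked box cannot quietly return in a later redesign.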
Privacy Policy Requirements Under the APPs
The Australian Privacy Principles (APPs) set out specific requirements for privacy policies that will apply to all organizations once the small business exemption is removed. APP 1 (Open and Transparent Management of Personal Information) requires every organization to have a clearly expressed and up-to-date privacy policy.
A compliant privacy policy under the APPs must address:
What personal information is collected. The policy must describe the kinds of personal information the organization collects, including sensitive information (health, biometric, racial or ethnic origin, political opinions, religious beliefs, sexual orientation). The description must be specific enough to give individuals a clear picture of what data the organization holds.
How personal information is collected. The policy must explain the methods of collection: directly from the individual through forms and interactions, or indirectly through third parties, public sources, or automated technologies like cookies and analytics scripts.
Purposes of collection. Each purpose for which personal information is collected must be stated. If information is collected for service delivery, marketing, analytics, research, or legal compliance, each purpose must be separately identified.
Disclosure to third parties. The policy must identify the types of organizations or entities to which personal information may be disclosed. This includes service providers, analytics platforms, advertising networks, payment processors, and government authorities.
Overseas disclosure. If personal information is likely to be disclosed to recipients outside Australia, the policy must say so and, where practicable, identify the countries in which those recipients are located. For website operators who use international cloud services, this is a particularly important requirement. If your website data is stored on servers in the United States, processed by a European analytics provider, or backed up to infrastructure in Singapore, your privacy policy must disclose this.
Access and correction. The policy must explain how individuals can request access to their personal information and how they can request corrections to inaccurate or outdated information.
Complaints. The policy must describe how individuals can complain about a breach of the APPs and how the organization will handle such complaints.
For the millions of Australian small businesses that have never had a privacy policy, drafting one that meets these requirements is a significant undertaking. The policy must accurately reflect the organization’s actual data practices, which requires an internal audit of data flows, third-party relationships, and storage arrangements.
Spam Act 2003 Interaction: Email Marketing Consent
The Privacy Act reforms do not operate in isolation. Australian website operators must also comply with the Spam Act 2003, which governs commercial electronic messages including marketing emails, SMS messages, and instant messages. The interaction between the two laws creates a dual consent framework that website owners need to understand.
Under the Spam Act, sending commercial electronic messages requires either express consent or inferred consent. Express consent is a clear, affirmative indication that the individual agrees to receive messages. Inferred consent exists where there is a reasonable expectation, based on an existing business relationship or on the individual's conspicuous publication of their address in a business capacity, that the individual would consent to receiving messages.
The Privacy Act reforms affect this interaction in several ways. First, the new consent standards apply to the collection of contact information used for marketing. If an email address is collected through a pre-ticked marketing consent checkbox, the collection itself may not meet the Privacy Act’s requirements, which in turn undermines the Spam Act consent.
Second, privacy policy disclosures under the APPs must describe marketing as a purpose for collection. If your privacy policy omits this, using the address for marketing is a use for a purpose the individual was never notified of, and may breach the APPs even if the Spam Act's consent requirements are technically met.
Third, the unsubscribe mechanism required by the Spam Act (a functional unsubscribe facility in every commercial message, honored within five business days) is also a withdrawal of consent for Privacy Act purposes. An individual who unsubscribes has asked that their information no longer be used for marketing, and that suppression must be reflected in every system that holds the address, not only in the email platform that received the unsubscribe.
For website owners, compliance with one law does not guarantee compliance with the other. Email marketing practices must satisfy both the Spam Act’s consent and unsubscribe requirements and the Privacy Act’s collection, purpose limitation, and transparency obligations.
Practical Steps for Australian Small Business Websites
With December 2026 as the target date for the small business exemption removal, Australian small businesses should begin preparation now rather than waiting for the final legislative text. Here is a practical roadmap.
Conduct a data audit. Identify every type of personal information your website collects, how it is collected, where it is stored, who has access to it, and who it is shared with. Include analytics tools, payment processors, email marketing platforms, CRM systems, and any third-party integrations.
Draft a privacy policy. If you do not currently have a privacy policy, you will need one that meets all APP requirements. If you have an existing policy, review it against the APP requirements described above and update it accordingly.
Review consent mechanisms. Audit every form on your website that collects personal information. Replace pre-ticked boxes with unticked checkboxes. Ensure consent is specific to each purpose. Add clear, plain-language descriptions of what the individual is consenting to.
Assess automated decision-making. If your website uses any automated systems that affect individuals, document the systems, their inputs and outputs, and build mechanisms for providing explanations and human review.
Review email marketing practices. Ensure your marketing consent, unsubscribe mechanisms, and privacy policy disclosures are aligned across both the Privacy Act and the Spam Act.
Designate a privacy contact. While the reforms do not require small businesses to appoint a formal privacy officer, every organization needs someone responsible for handling privacy inquiries, complaints, and access requests. This person’s contact details should be in the privacy policy.
Plan for ongoing compliance. Privacy compliance is not a one-time project. Data practices evolve, third-party tools change, and regulatory guidance develops over time. Build privacy review into your regular business operations.
Conclusion
The removal of the small business exemption will bring millions of Australian businesses under the Privacy Act for the first time. Combined with the new consent standards, automated decision-making transparency requirements, and enhanced privacy policy obligations, the December 2026 reforms represent the most significant expansion of Australian privacy law since its inception.
The businesses that will transition smoothly are those that start preparing now. Conducting a data audit, drafting a compliant privacy policy, and fixing consent mechanisms are tasks that benefit from lead time. Waiting until December means competing with millions of other businesses for the same compliance resources.
WebLegal generates privacy policies starting from 14,90 € that address Australian Privacy Principles, including the new requirements taking effect in 2026. The process takes under 10 minutes and produces a policy tailored to your specific data practices, your third-party relationships, and your jurisdictional obligations. Whether you are a sole trader or a growing SME, having a compliant privacy policy before the exemption disappears is the most practical first step you can take.