Sarah is a content and copy writer with a background in merchant banking. She has a passion for putting technical language into plain English and is a contributing writer for Sprintlaw.
Privacy law in Australia is changing fast. If your business collects names, emails, phone numbers, location data or payment details (even through a website or an app), the Privacy Act 1988 (Cth) affects you - and the rules are tightening.
In this guide, we’ll unpack what has already changed, what’s likely coming next, and the practical steps you can take now so your business stays compliant and builds customer trust.
Don’t worry - we’ll keep it in plain English and focus on what you actually need to do.
What Has Already Changed Under The Privacy Act?
Several important changes are already law. These are the ones most small and medium businesses should know about right now.
Much Stronger Penalties
For serious or repeated interferences with privacy, maximum penalties for companies increased significantly. This shift reflects how seriously regulators treat data protection today. Even if you’re a smaller business, a breach can become very expensive once you factor in forensics, customer notifications, remediation and reputational damage.
Broader Reach (Including Overseas Operators)
The Act has an expanded extra‑territorial reach. If you target Australian customers or handle their personal information, you can be caught - even if your tech stack or team is partly overseas.
More Powers For The Regulator
The Office of the Australian Information Commissioner (OAIC) now has stronger information‑gathering and enforcement powers. Practically, that means more scrutiny after incidents and clearer expectations to demonstrate you had reasonable steps in place to protect data.
Mandatory Data Breach Notification Continues
The Notifiable Data Breaches scheme remains in force. If an eligible data breach is likely to cause serious harm, you must assess quickly and notify affected individuals and the OAIC. Having a clear incident playbook matters - response time and evidence of “reasonable steps” are key.
If you don’t already have one, it’s wise to implement a Data Breach Response Plan and template Data Breach Notification materials so you can act within hours, not days.
What Reforms Are On The Way?
The Government has outlined a roadmap of reforms following the Privacy Act Review. While final details will be set in legislation, here are the headline proposals the Government has either agreed to or agreed in‑principle (meaning they are likely in some form).
1) A Broader Definition Of “Personal Information”
Expect the definition to capture a wider range of identifiers (think technical or inferred data that can reasonably identify someone). If you rely on analytics, ad tech or device‑level tracking, the scope may widen.
2) Changes To The Small Business Exemption
Right now, most small businesses under $3 million annual turnover are exempt from many Privacy Act obligations. The Government has indicated this exemption could be removed or narrowed - likely with a transition period.
If you’re small today, plan as if core obligations (like having an up‑to‑date Privacy Policy and robust security practices) will apply in the near future.
3) Stronger Consent, Transparency And Direct Marketing Rules
Clearer consent standards, simpler explanations of how data is used, and more control for individuals around direct marketing, targeting and profiling are on the agenda. If you run mailing lists or digital ads, review your consent flows and content against Australia’s email marketing laws and prepare for tighter settings.
4) Children’s Privacy And High‑Risk Processing
Expect enhanced protections for children (e.g. age‑appropriate design, minimising data by default) and additional guardrails for “high‑risk” data uses (like large‑scale profiling or sensitive data processing). Some activities may require documented privacy risk assessments.
5) Individual Rights (Correction, Access And Potential Erasure)
Broader, clearer rights for individuals to access and correct their data are expected - and there has been strong discussion around an ability to request deletion. If you store data across multiple systems, now’s the time to map where it lives. For context, many businesses also ask about the right to be forgotten and how it might interact with Australian privacy law.
6) Stronger Security And Governance Expectations
Expect a bigger emphasis on privacy governance: policies, staff training, supplier due diligence, and demonstrable risk assessments. If you use vendors to process customer data, a robust Data Processing Agreement with clear security and breach response clauses will become even more important.
Who Will These Changes Affect?
Almost every business that collects personal information in Australia will be affected in some way, including:
- Startups and online stores collecting sign‑ups, orders, or support tickets.
- Professional services handling customer files, documents, or identification.
- Hospitality and retail with loyalty programs, Wi‑Fi data, or CCTV footage linked to individuals.
- Apps and SaaS platforms using analytics, tracking or targeted communications.
If you rely on integrations (payments, marketing, CRM, support tools), assume your obligations are shared across that ecosystem. Contracts with providers and resellers should clearly allocate privacy and security responsibilities.
What Should Your Business Do Now?
Here’s a practical, step‑by‑step plan to get ahead of the curve. You don’t need to fix everything overnight - start with fundamentals and build from there.
Step 1: Map The Personal Information You Collect
List what you collect (names, emails, phone numbers, payment tokens, location), where it’s stored, who can access it, and which third parties receive it. Mapping helps you spot gaps and minimisation opportunities.
As you review retention, align your practices with your obligations and what is genuinely needed for your operations. Our explainer on data retention laws can help you frame those decisions.
Step 2: Update Your Privacy Notices And Customer‑Facing Content
Make sure your public‑facing Privacy Policy explains what you collect, why, where it goes, how long you keep it, and how customers can contact you. Keep it clear and in plain English.
When you collect data directly (for example, at sign‑up or checkout), present a concise Privacy Collection Notice that covers the essentials at the point of capture.
Step 3: Tighten Security And Prepare For Incidents
Adopt reasonable technical and organisational measures (access controls, MFA, encryption at rest/in transit, audit logging, vendor reviews). Train staff - most incidents start with a simple mistake like a misdirected email or weak password.
Keep an internal Data Breach Response Plan that sets out roles, timelines and templates. Running a short “tabletop” exercise will show whether your process works under pressure.
Step 4: Review Direct Marketing And Consent
Check your sign‑up forms, cookie prompts and unsubscribe links. Make it easy to opt out. Ensure your email and SMS campaigns respect consent rules and content requirements under Australian email marketing laws.
Step 5: Lock Down Your Vendor And International Transfers
If suppliers process personal information for you (hosting, payments, analytics, CRM), put in place a tailored Data Processing Agreement and verify their security. Understand where data is stored and the safeguards for any overseas transfers.
Step 6: Plan For The Next Wave Of Reforms
If the small business exemption narrows, you’ll be ready. Set a roadmap to align with stronger consent, child protections and transparency requirements. If you also operate in Europe, consider aligning settings using our GDPR Package so your global posture is consistent.
Key Legal Documents To Review Or Implement
The right documents help you comply, set expectations with customers, and manage risk with suppliers and staff. Depending on your model, consider the following.
- Privacy Policy: Your public statement about how you collect, use, disclose and secure personal information. Keep it easy to read and consistent with what your systems actually do. Link it on your website and app. Start with a tailored Privacy Policy.
- Privacy Collection Notice: A short notice at the point of data capture so people understand what they’re providing and why. See Privacy Collection Notice.
- Data Breach Response Plan: An internal playbook to investigate, contain, assess and notify during an incident. A clear Data Breach Response Plan reduces downtime and mistakes.
- Data Processing Agreement (DPA): Contract terms with vendors who process personal information for you, covering security, sub‑processors, audits and incident response. Use a robust Data Processing Agreement to set standards.
- Website or App Terms: Your platform rules, acceptable use and liability limits. These should align with the privacy disclosures and your operational reality.
- Marketing Compliance Settings: While not a single document, ensure your templates and automations reflect Australia’s email marketing laws (clear consent records, working unsubscribe, accurate sender details).
For teams in regulated verticals (health, finance, education), you may need specialist policies (e.g. health records) and stricter retention rules. If in doubt, get tailored advice early.
Common Questions About The Privacy Act Changes
Do I Need Consent For Everything?
Not always - there are different legal bases and exceptions. But consent is becoming more important, especially for direct marketing, targeting and kids’ data. Where you rely on consent, make it specific, informed, unambiguous and easy to withdraw.
Can I Keep Customer Data “Just In Case”?
It’s risky. Retain only what you need for stated purposes and legal obligations. Unnecessary data increases breach impact and compliance costs. Review your systems against your retention policy and the principles in Australia’s data retention laws.
What If I Use Overseas Tools?
That’s common. You remain responsible for personal information you disclose overseas. Do due diligence, put strong DPAs in place, and consider hosting and regional settings that align with your risk appetite.
Will The Small Business Exemption Disappear Overnight?
A sudden switch is unlikely - reforms typically include transition periods. But it’s smart to start aligning now so you’re not rushing later.
Key Takeaways
- Penalties are already higher and the OAIC has stronger enforcement powers - treat privacy risk as a board‑level issue.
- Reforms are set to broaden what counts as personal information and may reduce the small business exemption, with tighter rules around consent, marketing and children’s data.
- Start with the basics: map your data, minimise what you collect, and align notices, consent and security with what you actually do.
- Put the right tools in place - a clear Privacy Policy, concise collection notices, a breach response plan and strong vendor agreements.
- Tighten direct marketing and consent flows to prepare for stricter rules and maintain customer trust.
- Planning ahead now will make the transition to the new regime smooth and protect your brand if something goes wrong.
If you’d like a consultation on getting your business ready for the Privacy Act changes, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligation chat.