The Privacy Act 1988 (the Privacy Act) was introduced to protect the privacy of individuals and regulate how businesses (generally with a turnover higher than $3 million) handle personal information. Reforms over the years – with significant updates implemented as recently as 2023 and further refined in 2025 – have expanded the powers of the Information Commissioner and introduced stricter data breach regulations to keep pace with emerging technologies.

If your business is regulated by the Privacy Act 1988 (Cth), then you’ll need to know how the recent amendments affect the way you collect, use, store and disclose personal information relating to your consumers.

Why Do We Need Changes?

Advances in technology, the rise of artificial intelligence, the Internet of Things and digital platforms’ ever-expanding ability to access, store, use and share personal information have raised fresh concerns about whether the existing Act sufficiently upholds consumer rights to privacy. As digital interactions intensify in 2025, it has become clear that our privacy laws need to evolve to hold businesses accountable in this dynamic environment.

The Big Picture

There are two main pillars underpinning the recent privacy reforms, both of which invite valuable input from businesses and individuals alike.

Online Privacy Bill

The first is the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill, more commonly referred to as the Online Privacy Bill. In response to the ACCC’s latest Digital Platforms Inquiry in 2023, this bill introduces a specialised online privacy code for major social media, data brokerage services and other significant electronic platforms. Notably, it addresses concerns over the impact of digital services on mental health and data security across all user demographics. Submissions are invited until 31 March 2025.

Many of these measures are designed to ensure that online platforms handle personal data responsibly while protecting the wellbeing of their users. For further insights on ensuring your digital business remains compliant, check out our online business privacy guide.

Discussion Paper

The other pillar is the Privacy Act Review Discussion Paper, which builds on earlier consultations to ensure that Australia’s privacy law framework robustly protects consumer data in today’s fast-changing digital landscape. This discussion paper is open to submissions until 15 April 2025 and seeks to determine how well the current legislation serves its purpose, and where further improvements can be made.

Current Provisions Of The Privacy Act

The Privacy Act does not regulate all businesses. If you’re unsure whether your business is affected, we have outlined the main criteria in a simple guide for you here, or you can use this checklist. For instance, if your business has an annual turnover of less than $3 million, you may not need to comply fully with the Act.

The Act governs the collection, storage and distribution of personal information. As such, if your business handles consumer data – from contact details and financial records to sensitive personal information – the Act’s requirements on data handling, transparency and accountability will directly impact your operations.

The Act is built around 13 Australian Privacy Principles (APPs), which specify, among other things, that:

  • Your business must handle personal information in an open and transparent manner
  • Individuals should have the option of not revealing their identity or using a pseudonym
  • Collection of personal information should be limited to what is appropriate or reasonably necessary
  • Appropriate steps must be taken if personal information is received inadvertently
  • Your business must clearly disclose why you need an individual’s personal information when collecting it
  • An individual’s personal information should only be used in ways that they would reasonably expect
  • Direct marketing using personal information can only occur with an opt-out facility and a reasonable expectation
  • All reasonable steps must be taken to ensure overseas recipients comply with the APPs
  • The use and disclosure of government-related identifiers are subject to strict restrictions
  • Information collected must be accurate, up-to-date and complete
  • Reasonable measures must be in place to prevent misuse, interference or loss of personal information – including appropriate security systems and data breach monitoring
  • Generally, individuals must be allowed access to the personal information you hold about them
  • There is an obligation to correct personal information to ensure it is accurate, current, complete, relevant and not misleading

If you’re not too familiar with these principles, we’ve written about them in detail here.

Proposed Online Privacy Bill

Because the Privacy Act 1988 doesn’t fully address the unique challenges of digital environments, additional provisions – commonly known as an online privacy (OP) code – have been proposed. These new measures, informed by recommendations from the ACCC’s latest Digital Platforms Inquiry, are designed to ensure that privacy protections extend to major online services.

The changes specifically target social media services and other online platforms, including:

  • Social networking sites such as Facebook
  • Dating apps
  • Online content services like OnlyFans
  • Blogging and forum sites such as Reddit
  • Multiplayer online games with interactive chat capabilities
  • Messaging and videoconferencing platforms including WhatsApp and Zoom

They also apply to data brokerage services and large online electronic services with over 2.5 million end users in a year. For more guidance on addressing your online legal obligations, have a look at our resource on online shop terms and conditions.

Proposed Inclusions And Amendments

The key changes proposed to extend personal data protections for online platform users include:

  • Increased penalties – maximum fines under the Privacy Act are proposed to rise to $10 million to underscore the importance of data security
  • Mandatory transparency about a third party’s identity when personal information is shared
  • Requirements for fair and reasonable handling of data, including easy opt-out facilities and robust risk mitigation for sensitive information
  • Stricter controls on overseas data flows, including removal of consent exceptions and the inclusion of standard contractual clauses ensuring privacy protection
  • Mandating the erasure of personal information that relates to sensitive topics or involves data concerning children
  • Enhanced transparency and the right to object in relation to direct marketing practices
  • Consideration of lowering the annual turnover threshold from $3 million in certain circumstances
  • Better protection for employee data, especially concerning information held from previous employment
  • Clarification regarding the roles of data controllers and data processors, with an emphasis on organisational accountability
  • A direct right of action for victims of privacy breaches – including established procedures for conciliation and court action

As we step into a digitally advanced era in 2025, it’s crucial for businesses to regularly review their privacy policies and data handling practices. Not only does this help safeguard your customers’ sensitive data, but it also ensures that you remain compliant with the evolving legal landscape. For additional resources, take a look at our insights on business set-up ideas and on protecting your intellectual property.

Privacy Act 1988 Discussion Paper

The review of the Privacy Act aims to ensure that privacy protections empower consumers, rigorously secure their data and support a thriving Australian economy. The discussion paper seeks to answer key questions such as:

  • The scope and application of the Privacy Act in today’s digital environment
  • Whether the Act effectively protects personal information and promotes strong privacy practices by businesses
  • Whether individuals should have a direct right of action to enforce their privacy rights
  • If a statutory tort for serious invasions of privacy should be introduced
  • The impact and effectiveness of the notifiable data breach scheme
  • The adequacy of current enforcement powers
  • The potential value of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws

Key Proposed Amendments

The key proposed amendments emerging from the discussion paper include:

  • Broadening the definition of personal information to include online identifiers, location data, and other digital imprints that contribute to a person being reasonably identifiable
  • Providing greater clarity on how and when individuals are notified about the collection of their personal information
  • Defining ‘consent’ for data collection and use as voluntary, informed, current, specific and unambiguous
  • Ensuring the collection, use and disclosure of personal data is fair and reasonable, taking into account expectations, necessity, proportionality, transparency and potential risks, particularly for children
  • Introducing increased protections for businesses engaged in restricted practices, such as data brokering or handling sensitive information
  • Adopting default pro-privacy settings for digital services
  • Enhancing protections for children and other vulnerable individuals
  • Establishing a clear right for individuals to object to or withdraw consent for the collection, use or disclosure of their data
  • Mandating notifications when personal data is used to influence behaviour, such as in direct marketing contexts
  • Requiring privacy policies to disclose the potential use of personal information in automated decision-making
  • Refining the definition of the reasonable steps required to secure, and ultimately destroy, personal data that is no longer needed
  • Introducing further organisational accountability measures, especially where there are secondary purposes for data collection
  • Improving security and transparency around overseas data transfers
  • Clarifying and strengthening enforcement provisions within the Act
  • Establishing a direct right of action for victims of privacy breaches, complete with a structured process for conciliation and litigation
  • Outlining options for introducing a statutory tort for serious privacy invasions
  • Updating the Notifiable Data Breaches Scheme to require detailed disclosure of the steps taken in response to data breaches

Key Takeaways

Both the Online Privacy Bill and the Privacy Act Review Discussion Paper recognise that the increased reliance on social media and digital platforms in 2025 necessitates extending privacy protections to these areas. This ensures that the collection, use and distribution of personal information is regulated consistently across all platforms.

Both are actively seeking input from businesses and individuals to shape these crucial reforms. You can review the proposals by following these links:

If you’re a business affected by the Privacy Act 1988, it’s essential to reassess your processes, procedures, security measures and data breach monitoring practices to ensure compliance with the latest amendments. Our resources on company set-up and employment contracts can offer further guidance on keeping your business legally protected.

If you have concerns or need legal advice about privacy laws and how these changes affect your business, Sprintlaw has the expertise you need. Reach out to our team for a free, no-obligation chat at team@sprintlaw.com.au or call 1800 730 617.

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're Australia's fastest growing law firm and operate entirely online.
