Privacy Act 2026: what Australian SMBs need to do before 10 December
On 10 December 2026 the small business exemption is removed. ~2 million SMBs become APP entities overnight. Here's exactly what you need in place.
What changes on 10 December 2026?
The Privacy and Other Legislation Amendment Act 2024 removes the small business exemption under s 6D of the Privacy Act 1988. From 10 December 2026, businesses with turnover under $3M lose their Privacy Act exemption and become APP entities — meaning all 13 Australian Privacy Principles apply, the Notifiable Data Breaches scheme applies, and the OAIC's civil penalty regime applies.
Approximately 2 million Australian SMBs are affected.
Are you actually exempt today?
Even today, not all "small businesses" are exempt. You are not exempt (even if under $3M turnover) if you:
- Are a health service provider that holds health information
- Trade in personal information (e.g. list brokers)
- Are a contractor providing services to the Commonwealth
- Are a credit reporting body or credit provider
- Hold a Tax File Number for a non-employee
- Operate a residential tenancy database
If you fall into any of these today, the Privacy Act already applies to you and you need to be compliant now — not just on 10 December 2026.
The 13 Australian Privacy Principles in plain English
The APPs run from collection (APP 1–5) through use and disclosure (APP 6–9) to data quality and security (APP 10–11) and individual rights (APP 12–13).
- APP 1 — Have a clearly expressed, up-to-date Privacy Policy containing the minimum content required by APP 1.4
- APP 3 — Only collect personal info that's reasonably necessary; sensitive info needs consent
- APP 5 — Give a collection notice at or before collection
- APP 6 — Only use/disclose info for the primary purpose or with consent
- APP 8 — Take reasonable steps before overseas disclosure
- APP 11 — Take reasonable steps to protect personal info
- APP 12 / APP 13 — Provide access to and correction of personal info within 30 days
Notifiable Data Breaches — the 72-hour myth
You'll often hear "72-hour breach notification". That's the GDPR rule, not the Australian one.
Under the Privacy Act, you have up to 30 days to assess whether a suspected breach is an "eligible data breach". Once you're satisfied it is, you must notify the OAIC and affected individuals "as soon as practicable" — there's no fixed hour-count, but inaction beyond a few days will draw OAIC scrutiny.
The NDB timer tool tracks both clocks.
The new statutory tort for privacy invasion
From 10 June 2025, individuals have a statutory tort for serious invasions of privacy — intrusions on seclusion or misuse of information. This is actionable in court independent of the OAIC complaint pathway. Damages are uncapped at law, though courts have signalled awards in the $10K–$100K range for typical cases.
This creates a litigation risk over and above OAIC enforcement.
Doxxing — now a criminal offence
Sections 474.17C and 474.17D of the Criminal Code (added by the same 2024 amendments) create criminal offences for using a carriage service to menace, harass or cause offence by publishing personal data about an individual or group (with aggravated offences where motivated by prejudice). Penalties up to 7 years imprisonment.
Children's Online Privacy Code (2026)
The OAIC is developing a binding Children's Online Privacy Code, expected to apply from December 2026. Services likely to be accessed by children will face additional requirements including age-appropriate design, default privacy settings, and clearer transparency.
Automated decision-making transparency
The 2024 amendments add ADM transparency requirements: where a substantially automated decision will affect an individual, the entity will (from a phased commencement) need to disclose its use of ADM in its Privacy Policy and provide certain information about how the system operates.
Practical implication: build an ADM register now — list every algorithmic process that affects individuals, with model card, inputs, purpose, oversight and human-review pathway.
Penalties — what you're risking
Under the 2022 amendments (now in force):
- Civil penalties up to $50M, 3× benefit, or 30% of adjusted turnover (whichever is greater) for serious or repeated interferences with privacy
- OAIC compliance and enforceable undertaking powers
- Statutory tort exposure (uncapped damages in serious cases)
- Doxxing criminal liability
Recent enforcement: OAIC has commenced civil penalty proceedings against Medibank and Australian Clinical Labs under the new regime. Determinations have been issued against 7-Eleven, Bunnings, Kmart and Clearview AI for unlawful biometric processing.
Your 6-month action plan
If you're a currently-exempt SMB:
Month 1: Run our readiness scorer. Map personal information held (data inventory).
Month 2: Draft Privacy Policy meeting APP 1.4. Adopt collection notices into signup flows.
Month 3: Build NDB breach response plan. Run a tabletop exercise.
Month 4: Train all staff handling personal info. Document vendor data flows (APP 8 / DPAs).
Month 5: Build access + correction request workflow (APP 12 / 13). Designate a privacy officer (even part-time).
Month 6: Run an operational test before 10 December. Obtain board / leadership sign-off on the policy.
If you're a larger APP entity that needs to refresh, the same plan compresses to ~6 weeks.
Frequently asked
Am I exempt today?
Most SMBs under $3M turnover are exempt, BUT carve-outs exist for health service providers, contractors to the Commonwealth, list brokers, and certain other categories. From 10 December 2026 the exemption is removed entirely.
Is the breach deadline 72 hours?
No — that's the GDPR rule. Under the Australian Privacy Act you have up to 30 days to assess, then notify 'as soon as practicable' once confirmed eligible.
Do I need a privacy officer if I'm a small business?
Not legally mandated for non-public sector entities, but functionally required from 10 December 2026 to handle access/correction requests and breach response. Can be part of an existing role.
What's the maximum penalty?
Civil penalties up to $50M, 3× benefit, or 30% of adjusted turnover (whichever is greater) for serious or repeated interferences with privacy.