For more than two decades, most small businesses in Australia operated outside the reach of federal privacy law. If your annual turnover was under $3 million, the Privacy Act 1988 (Cth) and its 13 Australian Privacy Principles simply did not apply to you. That settled position is now under sustained pressure. The Privacy and Other Legislation Amendment Act 2024 (Cth) — which received Royal Assent on 10 December 2024 — has rewritten significant parts of the privacy regime, and a second tranche of reforms is expected to remove the small business exemption altogether. This article explains what has already changed for NSW small businesses, what is coming, and what sensible owners are doing now.
The Privacy Act in Brief
The Privacy Act 1988 (Cth) regulates how organisations handle personal information — anything from names and email addresses to photographs, CCTV footage, and customer purchase histories. The core obligations sit in the Australian Privacy Principles (APPs), which cover collection, storage, use, disclosure, security, access, and correction of personal information.
Under section 6D of the Act, a “small business operator” with an annual turnover of $3 million or less is excluded from the definition of “organisation” and so falls outside the APP regime. According to the Office of the Australian Information Commissioner (OAIC), this exemption captures the vast majority of Australian businesses — well over 2 million enterprises.
The exemption was introduced in 2000 to spare smaller operators from compliance costs. It has not been updated since, and the digital landscape has changed beyond recognition.
What Changed in December 2024
The first tranche of privacy reform has already commenced. The amendments most relevant to NSW small businesses are:
- Higher penalties and tougher enforcement. Civil penalties for serious or repeated interferences with privacy can reach $50 million, three times the benefit obtained from the conduct, or 30 per cent of adjusted turnover — whichever is highest. The OAIC can also issue infringement notices of up to $66,000 per contravention for lower-level failings such as not having a compliant privacy policy.
- Stronger security obligations. APP 11 — which requires “reasonable steps” to secure personal information — has been clarified to expressly include “technical and organisational measures.” That means encryption, access controls, secure backups, staff training, written procedures, and regular review.
- A statutory tort for serious invasions of privacy, which commenced on 10 June 2025. For the first time, individuals can sue another party directly for a serious invasion of their privacy.
- New criminal offences for “doxxing.” Targeted release of personal data online or by phone to menace or harass a person now carries serious criminal penalties.
- Anti-money laundering reforms. From 1 July 2026, around 100,000 small businesses in sectors such as conveyancing, real estate, accounting, and professional services will be brought into the Privacy Act through tranche 2 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) reforms — regardless of turnover.
- Automated decision-making transparency. Businesses covered by the Act that use computer programs (including AI) to make decisions significantly affecting individuals will need to disclose this in their privacy policies. This obligation commences 10 December 2026.
The Office of the Australian Information Commissioner is also developing a Children’s Online Privacy Code, which will impose specific obligations on services accessible by children once registered.
The Statutory Tort: Why It Matters Even If You Are “Exempt”
The most significant practical change for many small business owners is the new statutory tort. It does not depend on the small business exemption. Any business or individual can be sued.
A plaintiff must establish that:
- The defendant invaded their privacy by intruding upon their seclusion or by misusing information about them;
- The plaintiff had a reasonable expectation of privacy;
- The invasion was serious;
- The invasion was intentional or reckless; and
- The public interest in the plaintiff’s privacy outweighs any countervailing public interest such as freedom of expression.
For a small NSW business, the implications are concrete. Mishandling customer data after a cyber incident, sharing a former employee’s medical information without consent, or installing covert surveillance can all give rise to a cause of action — quite apart from any complaint to the OAIC. Damages for non-economic loss are capped at the same level as defamation damages, which means awards can be substantial.
Is the Small Business Exemption Going Away?
In short — yes, but not yet. As of May 2026, the section 6D exemption remains in force. The Federal Government has agreed in principle to remove it, and the Attorney-General has confirmed that a second tranche of reforms is being progressed. No Bill has been introduced and no commencement date has been set.
Even with the exemption still on the books, the practical position is shifting. Several categories of small business have always been required to comply with the Privacy Act regardless of turnover, including:
- Health service providers (including allied health, gyms, and childcare operators that hold health information);
- Businesses that trade in personal information (buying or selling lists, leads, or profiles);
- Credit reporting bodies and credit providers;
- Recipients of Tax File Numbers; and
- Contractors providing services under a Commonwealth contract.
If your NSW business falls into any of these categories, you are already covered by the APPs, no matter your size.
What This Looks Like in Practice for an NSW Business
The reforms reach into ordinary day-to-day operations. A snapshot of where they bite:
| Activity | What the law now expects |
| --- | --- |
| Holding customer records | Reasonable technical and organisational security measures, including encryption and access controls (APP 11) |
| Sending marketing emails | Clear consent, easy unsubscribe, and a current privacy policy if covered by the Act |
| Workplace surveillance | Compliance with the Workplace Surveillance Act 2005 (NSW) and increasing scrutiny under the new statutory tort |
| Using AI tools or chatbots | Transparency in privacy policy from 10 December 2026 if covered by the Act |
| Suffering a data breach | If covered, assess within 30 days and notify the OAIC and affected individuals where serious harm is likely |
| Children using your service | Future obligations under the Children’s Online Privacy Code once registered |
The Workplace Surveillance Act 2005 (NSW) sits alongside the federal regime and continues to govern how NSW employers monitor employee email, internet use, and movement. It is unaffected by the Privacy Act amendments and remains an independent compliance obligation for any business with employees in NSW.
The Notifiable Data Breaches Scheme
For businesses already covered by the Privacy Act, the Notifiable Data Breaches scheme (Part IIIC of the Act) requires you to act when something goes wrong. The scheme bites where:
- There is unauthorised access to, unauthorised disclosure of, or loss of personal information;
- Serious harm to one or more individuals is likely; and
- Remedial action has not removed that risk.
If a suspected breach occurs, you have a maximum of 30 calendar days under section 26WH to assess whether it is an “eligible data breach”. If it is, you must notify both the OAIC and affected individuals as soon as practicable. The OAIC publishes a half-yearly statistical report and is increasingly willing to use its enforcement powers when breaches are mishandled.
A small NSW business that is currently exempt from the Privacy Act has no formal NDB obligation — but if the second-tranche reforms remove the exemption, the NDB scheme will apply automatically. Building the capability to detect, contain, and document a breach is sensible regardless.
Practical First Steps for NSW Small Businesses
Whether you are currently covered by the Act, due to be drawn in by the AML reforms in July 2026, or simply preparing for the eventual removal of the small business exemption, the same building blocks apply:
- Map your personal information. What do you collect, why, where is it stored, who has access, and how long do you keep it? You cannot protect what you have not inventoried.
- Write or update a privacy policy. Plain English, on your website, addressing collection, use, disclosure, storage, access, and complaints. This is already a legal requirement if you are covered, and a strong signal to customers either way.
- Tighten your security. Multi-factor authentication, encrypted storage, regular software patching, restricted access, and a disciplined approach to portable devices and removable media.
- Train your people. Most breaches involve human error. A short annual session on phishing, password hygiene, and incident reporting goes a long way.
- Have a data breach response plan. Even if you are not yet obliged to notify, you should know who is responsible for assessing an incident, who to call, and what records to keep.
- Review your contracts. Service agreements with cloud providers, IT contractors, and marketing platforms should set out data handling responsibilities clearly. You remain accountable for your customers’ information even when a third party holds it.
The Bottom Line
The privacy reforms now in force represent the most significant change to Australian privacy law since the Act was introduced in 1988. The small business exemption is still in place — for now — but the direction of travel is unmistakable. Penalties have risen sharply, individuals can sue directly through the new statutory tort, and certain sectors are being drawn into the Act regardless of turnover. The businesses on the Central Coast and across NSW that begin preparing now will face a smoother transition, fewer cyber risks, and a stronger basis for the trust customers expect.
If you have questions about how the Privacy Act reforms affect your business, the AML/CTF changes coming in July 2026, or how to prepare a compliant privacy framework, don’t hesitate to get in touch with one of our friendly Business Lawyers Central Coast. We can help you assess your obligations, draft policies, and put practical compliance steps in place — and if employment or contractual issues sit alongside your privacy concerns, we can address those at the same time. Contact our team today.