If you run a business in Australia and you collect any kind of personal data — which is basically every business — the upcoming Privacy Act changes should be on your radar. They’re the most significant update to Australian privacy law in over a decade, and the compliance window is shorter than most organisations realise.

Let’s cut through the legal jargon and look at what’s actually changing.

Why Now?

The current Privacy Act dates back to 1988. It’s been amended over the years, but the fundamental framework was designed for a world of paper files and fax machines. The Attorney-General’s Department has been reviewing it since 2020, and the reform package is now moving through parliament.

The trigger was a series of high-profile data breaches — Optus, Medibank, Latitude Financial — that exposed the personal information of millions of Australians. Public trust in how companies handle data hit an all-time low. The government responded with reforms that give individuals more control and impose stricter obligations on organisations.

The Key Changes

Here’s what matters for businesses.

A statutory tort for serious privacy breaches. This is the big one. For the first time, individuals will be able to sue organisations directly for serious invasions of privacy. Currently, the main enforcement mechanism is through the Office of the Australian Information Commissioner (OAIC). The new tort opens the door to private litigation, which means the financial exposure for a privacy breach just increased dramatically.

Expanded definition of personal information. The reforms broaden what counts as “personal information” to include technical data like IP addresses, device identifiers, and location data. If your website uses analytics, advertising trackers, or any kind of behavioural data collection, you’re likely capturing personal information under the new definition whether you realise it or not.

Children’s privacy protections. New provisions specifically address how organisations collect and use children’s data. If your product or service is used by anyone under 18, expect additional consent requirements and restrictions on how that data can be processed.

Right to erasure. Similar to GDPR’s “right to be forgotten,” Australians will gain the right to request deletion of their personal information. This means you need to know exactly where all your data lives — across every system, backup, and third-party integration. If you can’t delete it on request, you’ve got a compliance problem.

Mandatory transparency. Organisations will need to be far more specific about what data they collect, why they collect it, and who they share it with. Vague privacy policies that say “we may share your information with third parties” won’t cut it anymore.

Who Does This Affect?

Currently, the Privacy Act only applies to organisations with annual turnover above $3 million (with some exceptions for health providers and certain other sectors). There’s been strong advocacy to remove this exemption entirely, which would bring small businesses under the same obligations as large ones.

Even if the small business exemption survives in some form, the threshold may be lowered. If you’re a small business that handles sensitive data — health information, financial records, biometric data — don’t assume you’re exempt.

What You Should Do Now

Don’t wait for the final legislation to start preparing. The core direction is clear, and most of these steps are good practice regardless.

Audit your data. Map every piece of personal information you collect, where it’s stored, who has access, and how long you keep it. This is tedious work, but it’s the foundation of everything else. You can’t protect what you can’t find.

Review your privacy policy. Strip out the vague language. Be specific about what you collect, why, and who you share it with. The OAIC website has guidance on what a compliant privacy policy looks like under the current law, and it’s a reasonable starting point for the reforms.

Implement data minimisation. Stop collecting data you don’t need. Every piece of personal information you hold is a liability. If you’re collecting date of birth because a form template included that field, remove it. If you’re retaining customer records for ten years “just in case,” set a retention policy and stick to it.

Plan for deletion requests. Test whether you can actually delete someone’s data across all your systems. Many organisations discover that data is duplicated across CRMs, email marketing platforms, analytics tools, and backups — and there’s no single process to remove it from all of them.

Train your team. Privacy compliance isn’t just an IT issue. It’s everyone’s responsibility. Make sure your staff know how to handle data requests, what constitutes personal information, and who to escalate issues to.

The Bigger Picture

Australia has lagged behind Europe, the UK, and parts of Asia on privacy regulation for years. These reforms bring us closer to international standards, which is actually good news for Australian businesses that operate globally. Aligning with frameworks like GDPR reduces the complexity of multi-jurisdiction compliance.

But the transition won’t be painless. Small and medium businesses in particular will feel the burden. The key is to start now, move methodically, and treat privacy as an ongoing practice rather than a one-off compliance exercise.

The companies that handle this well will build trust with their customers. The ones that don’t will find themselves in the headlines for all the wrong reasons.