Your accountant knows your annual turnover. Your bookkeeper knows it. And until recently, that number determined whether the Privacy Act applied to your business at all.

If you’re under $3 million, odds are it hasn’t. The small business exemption — in place since the Privacy Act was first extended to the private sector in 2001 — has shielded the vast majority of Australian businesses from the full weight of the Australian Privacy Principles. No mandatory privacy policy. No formal data handling obligations. No notifiable data breach scheme.

That exemption is being removed.

The Australian Government agreed in principle to remove the exemption in its September 2023 response to the Privacy Act Review. Removal is part of the Tranche 2 reforms, expected to be legislated in 2026–2027. A transition period of 12–24 months is anticipated after the legislation passes, meaning full compliance obligations could arrive by mid-2028, or sooner if the timeline tightens. When it lands, virtually every business in Australia will be subject to the full Australian Privacy Principles for the first time.

Who the exemption currently protects — and who it doesn’t

The small business exemption applies to businesses with an annual turnover of $3 million or less — unless they fall into one of several excluded categories. The most significant of those exclusions:

  • Health service providers — any business that provides a health service and holds health information, including allied health practices, pharmacies, gyms, and natural therapists, is already covered by the Act regardless of size.
  • Businesses that trade in personal information — including data brokers and businesses that buy or sell mailing lists.
  • Businesses related to larger entities — if you’re part of a corporate group where the group’s combined turnover exceeds $3 million, the exemption may not apply.
  • Contractors to the Australian Government — covered from the point of contracting.

If your business falls outside these categories and your annual turnover is under $3 million, you have likely been outside the Privacy Act’s reach entirely. That is the group this reform directly targets.

The scale of that group is significant. Approximately 92% of Australian businesses by number sit below the threshold. The reform is, in practical terms, an extension of the Privacy Act to the entire private sector — approximately 2.3 million additional businesses coming under the Act for the first time.

What the Australian Privacy Principles actually require

When the exemption is removed, your business will need to comply with the full set of Australian Privacy Principles. These are not abstract aspirations — they are specific, enforceable obligations. The key ones for a small business to understand:

APP 1 — Open and transparent management of personal information. You must have a clear, up-to-date privacy policy that describes what personal information you collect, why you collect it, how you hold it, and who you share it with. Not a generic template downloaded from the internet. An actual policy that reflects how your business operates.
APP 3 — Collection of solicited personal information. You can only collect personal information that is reasonably necessary for your business functions. If you’re collecting it “just in case”, you need a better answer than that.
APP 6 — Use and disclosure. Personal information collected for one purpose cannot generally be used for a different purpose without the individual’s consent. The marketing email list you built from customer enquiries has rules around how it can be used.
APP 11 — Security of personal information. You must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. This includes technical controls — encryption, access management, secure disposal — and organisational ones: staff training, policies, procedures.
Notifiable Data Breaches scheme. Once the exemption is removed, you will be required to notify affected individuals and the OAIC if you experience an eligible data breach: one that is likely to result in serious harm to any of the individuals concerned. If you have reasonable grounds to suspect a breach but are not yet sure it is eligible, you have 30 days from becoming aware of those grounds to complete an assessment. Once you have reasonable grounds to believe the breach is eligible, notification must follow as soon as practicable. Missing either deadline carries significant consequences.
Civil penalties. Serious or repeated breaches can attract penalties of up to $50 million (or 30% of adjusted turnover, or three times the benefit obtained — whichever is greatest). The OAIC can also issue infringement notices without going to court.
The statutory tort. Since June 2025, individuals can sue directly for serious invasions of privacy without needing to prove financial loss and without going through the OAIC first. The tort is not tied to APP-entity status, so it already reaches small businesses regardless of the exemption. Once the exemption is removed, a small business will face both this private action and the full APP regime.

What I actually recommend

For a resource-constrained SME, privacy compliance does not need to be a large-firm exercise. It does need to be a real one. Here is where to start:

Complete a personal information inventory. Map what personal information your business holds, where it came from, where it’s stored, who has access, and how long you keep it. This is the foundation for everything else — you cannot comply with obligations you haven’t mapped.
Commission or write a compliant privacy policy. Your current policy — if you have one — was likely written for a pre-reform world. It needs to reflect actual practice, not aspirational practice. A policy that doesn’t match how you operate is worse than no policy, because it creates a false sense of coverage.
Assess your current security controls against APP 11. “Reasonable steps” will be judged against the nature and volume of personal information you hold, and the likely consequences of a breach. A business holding sensitive health or financial information will be held to a higher standard than one holding email addresses.
Establish an incident response procedure. Before you need it. Know who in your business is responsible for identifying a potential breach, who makes the decision to notify, and what the notification process looks like. A 30-day assessment window sounds long until you're in the middle of one.
Train your staff. Privacy breaches are more often caused by human error than by sophisticated cyber attacks. Staff who understand what personal information is, why it matters, and what to do if something goes wrong are a genuine risk control.
Check your supplier contracts. If you share personal information with third parties (payroll providers, cloud storage, CRMs, booking systems) you need contractual protections in place. Outsourcing the processing does not outsource the obligation: APP 11.1 still requires you to take reasonable steps to protect information held by your providers, and where a recipient is overseas, APP 8.1 requires reasonable steps to ensure that the recipient does not breach the APPs.

The commercial pressure may actually arrive before the legislation does. Larger businesses that engage SMEs as suppliers or service providers are already including privacy compliance requirements in their procurement processes. If you handle the personal information of any of their customers or staff, expect to be asked for evidence of your privacy programme before the commencement date.

Daniel Johns is a CRISC-certified virtual CISO and GRC advisor, Founder of Coastal Cyber, and a member of the ISACA Global Advisory Council and CompTIA Executive Council ANZ. He works with healthcare providers, financial services firms, and technology businesses across Southeast Queensland on privacy, cyber security, and governance.

If your privacy and cyber posture needs a clear-eyed assessment, book a 20-minute conversation.