If you have read anything about Australia's privacy reforms lately, you have probably seen a confident headline telling you that every small business must comply with the Privacy Act by December 2026. It is worth being precise, because that is not quite what the law says, and the difference changes what you should actually do. Here is the accurate picture for South Australian businesses, and a sensible plan to get ahead of it.
What is actually changing, and what isn't yet
Australia's privacy overhaul is happening in stages. Some of it is already law with a firm commencement date. A large part of it, including the change everyone is talking about, is proposed but not yet legislated. Keeping those two buckets separate is the key to not over-reacting or under-reacting.
Locked in: AI and automated decision-making transparency, 10 December 2026
The Privacy and Other Legislation Amendment Act 2024 is law, and its automated decision-making provisions commence on 10 December 2026. From that date, if your organisation is covered by the Privacy Act and you use a computer program to make, or substantially assist in making, decisions that could reasonably be expected to significantly affect someone's rights or interests, using their personal information, your privacy policy must say so: it has to describe the kinds of personal information those programs use and the kinds of decisions they make or help make. In plain terms: if you use AI or automated systems to decide, or to substantially shape decisions, about people, such as approving applications, scoring or ranking them, or determining what they are offered, you will need to disclose it. This is a real deadline, and it is the one to put on the calendar.
Already in force: stronger enforcement and a new privacy tort
The first tranche of reforms also brought changes that are already operating. There is now a statutory cause of action for serious invasions of privacy, in force since 10 June 2025; new criminal offences for doxxing, in force since the Act received Royal Assent in December 2024; and the regulator, the Office of the Australian Information Commissioner, has stronger and more flexible enforcement powers, including the ability to issue infringement notices and seek civil penalties for a wider range of breaches. The practical effect is simple: getting privacy wrong carries more legal and financial risk than it did two years ago.
Proposed, not yet law: the small business exemption
Here is the big one, and the one most commonly misreported. Since the Privacy Act was extended to the private sector in 2001 it has exempted most businesses with annual turnover of $3 million or less. Removing that exemption, which would bring an estimated two and a half million small businesses under the full Privacy Act for the first time, has been agreed in principle by the government and is being progressed as part of a second tranche of reforms. As of mid 2026 it is not law, and there is no confirmed commencement date. So treat it as coming, not as a deadline you have already missed. Anyone telling you the exemption is gone as of December 2026 is getting ahead of the legislation.
Why prepare now if the big change isn't law yet
Three reasons. First, the direction is clear and the government has restated its intent, so this is a question of when, not if. Second, a lot of small businesses are not as exempt as they assume. The exemption already does not apply if you handle health information, trade in personal information, or are contracted to provide services to a Commonwealth entity, among other cases, so many SMBs have obligations today. Third, the work involved is low regret. Knowing what personal information you hold, where it lives and who can reach it is good practice regardless of the law, and it is exactly what you would scramble to do under deadline pressure if you leave it.
What I would do now
- Map your personal information. You cannot protect, or properly disclose, what you have not mapped. List what you collect, why, where it is stored and who can access it. This one step makes everything else easier.
- Review your privacy policy. If you do not have one, that is the gap to close first. If you use AI or automated decision-making about people, start drafting the disclosure now so it is ready well before December 2026.
- Tighten access and minimise data. Limit who can see personal information to those who need it, and delete what you no longer need. Tools like Microsoft Purview help you classify and control sensitive data inside Microsoft 365.
- Have a breach plan. The Notifiable Data Breaches scheme already requires eligible data breaches to be notified to the OAIC and to affected individuals, and a suspected breach has to be assessed within 30 days. Know who does what, and how fast, if one happens, and rehearse it before you need it.
- Get the security foundations right. You cannot keep data private if you cannot keep it secure. Our free Essential Eight self-assessment tool is a quick way to see where your security baseline sits.
Privacy and security are the same project
It is tempting to treat privacy as a legal box and security as an IT box, but in practice they are the same work. A breach is both a security failure and a privacy failure. Good compliance and governance programmes line these up so you are not doing the work twice: classify your data once, control access once, document it once, and you satisfy both the security frameworks your clients ask about and the privacy obligations the law is tightening. That is the approach we take with South Australian businesses, and it is far less painful than treating each new regulation as a separate fire drill.
One real deadline, one big shift coming. Both reward preparing early.
The dated requirement is AI and automated-decision transparency from 10 December 2026. The larger change, the end of the small business exemption, is proposed and has no confirmed date yet, so don't panic, but don't ignore it either. Map your data, sort your privacy policy and tie privacy to your security baseline now, while you can do it calmly rather than under a deadline.
If you are not sure whether the Privacy Act applies to you today, or what the December 2026 transparency rule means for the AI tools you have started using, that is worth getting clear on. Our cyber security and compliance team can help you work out where you stand and what to prioritise first. This article is general information, not legal advice; for your specific obligations, confirm with a qualified privacy lawyer.
