OAIC Small Business Exemption Removed: What Australian Small Businesses Need to Do

The Privacy Act small business exemption is being removed under Tranche 2 reforms, bringing 2.3 million additional businesses under Australian privacy law. Here's what it means and how to prepare.

Executive Summary

The short version:

For decades, Australian businesses with annual turnover under $3 million were largely exempt from the Privacy Act 1988. That exemption is being removed under the upcoming Tranche 2 reforms — expected in 2026-2027 — bringing approximately 2.3 million additional small businesses under full Privacy Act obligations.

If your business currently relies on the small business exemption, you need to start preparing now. When the exemption is removed, you'll need a compliant privacy policy, a data breach notification process, and documented privacy practices — with penalties of up to $50 million for serious breaches.

This guide explains what's changing, when, which businesses are affected, and exactly what you need to do to prepare.



What Was the Small Business Exemption?

Under the current Privacy Act 1988, most Australian businesses with annual turnover of $3 million or less are exempt from the Act's requirements. This exemption was introduced in 2000 when the Privacy Act was extended to cover the private sector, on the basis that compliance costs would be disproportionate for small businesses.

What the exemption currently allows small businesses to do (that others can't):

  • Collect, use, and disclose personal information without following the 13 Australian Privacy Principles
  • Operate without a privacy policy
  • Handle customer data without formal breach notification procedures
  • Avoid OAIC investigation and enforcement

Important: The exemption was never absolute. Even under the current rules, small businesses must comply with the Privacy Act if they:

  • Provide health services and hold health records
  • Disclose personal information about another person for a benefit
  • Are a contracted service provider for a Commonwealth contract
  • Operate a residential tenancy database
  • Are related to a body corporate that must comply

Despite these carve-outs, the vast majority of Australian small businesses — from sole traders to businesses with dozens of employees — have been able to operate outside the Privacy Act framework.


Why Is the OAIC Removing the Exemption?

The push to remove the small business exemption has been building for years. The 2023 Privacy Act Review Report by the Attorney-General's Department included removal of the exemption as a key recommendation. Here's why:

1. The Digital Economy Has Changed Everything

When the exemption was created in 2000, most small businesses collected personal information on paper forms. Today, even a sole trader running an online store collects email addresses, payment details, browsing behaviour, and location data. The volume and sensitivity of personal information held by small businesses has grown enormously.

2. Small Businesses Are High-Value Targets for Cybercriminals

Cybercriminals specifically target small businesses because they're perceived as having weaker security and less sophisticated defences. Without Privacy Act obligations, many small businesses have had little regulatory incentive to implement proper data protection measures.

3. The Exemption Creates a Compliance Gap

Millions of Australians interact with small businesses every day — from their local GP to their gym to the online store they bought from last week. Under the current system, a significant portion of these interactions occur outside the Privacy Act framework, leaving consumers without formal protections.

4. International Privacy Standards Have Moved On

Australia's trading partners — including the EU, UK, and New Zealand — don't have equivalent small business exemptions. This creates friction for businesses operating across borders and leaves Australian consumers with fewer protections than their international counterparts.

5. The OAIC Has Consistently Advocated for Removal

The Office of the Australian Information Commissioner has repeatedly called for removal of the exemption in submissions, reports, and public statements. Former Commissioner Angelene Falk and current Commissioner Carly Kind have both highlighted the exemption as a significant gap in Australia's privacy framework.


When Does This Take Effect?

The small business exemption removal is part of the Tranche 2 privacy reforms, which are expected to be legislated in 2026-2027.

Important caveat: The exact timing depends on the parliamentary schedule and the government's legislative priorities. Privacy reform has bipartisan support, so passage is expected — but the precise date is not yet confirmed.

What we know:

  • The government has committed to progressing Tranche 2 reforms
  • A transition period is expected — likely 12-24 months from when legislation passes
  • The OAIC has signalled it will provide guidance and resources for newly covered businesses
  • The December 2026 automated decision-making reforms are separate and already confirmed

What this means for planning: If legislation passes in early 2027 with an 18-month transition, you could face full compliance obligations by mid-2028. If it passes sooner with a shorter transition, it could be earlier. Building compliance infrastructure now means you won't be scrambling when the deadline hits.


Which Businesses Are Affected?

The exemption removal will affect any business with annual turnover at or below $3 million that isn't already covered by one of the existing carve-outs.

Affected business types include:

  • Retail and e-commerce — online stores, boutiques, markets
  • Hospitality — cafes, restaurants, bars, food trucks
  • Professional services — accountants, bookkeepers, consultants, designers
  • Trades — electricians, plumbers, builders, landscapers
  • Creative services — photographers, videographers, writers, musicians
  • Fitness and wellness — personal trainers, yoga studios, massage therapists
  • Education — tutors, coaching services, training providers
  • Real estate — buyer's agents, property managers (some already covered)
  • Technology — app developers, web designers, SaaS startups
  • Any business with a website that collects email addresses

The key question is simple: Does your business collect personal information (names, email addresses, phone numbers, payment details, IP addresses) from customers, employees, or suppliers? If yes, and your turnover is under $3 million, you will be affected.


What You'll Need to Have in Place

When the exemption is removed, small businesses will need to comply with the full Privacy Act framework. Here's what that means in practice:

1. A Compliant Privacy Policy

You'll need a privacy policy that covers all 13 Australian Privacy Principles (APPs). This isn't a US-style disclaimer — it's a specific document that must address how you:

  • Collect personal information (APP 3)
  • Use and disclose it (APPs 6, 7)
  • Ensure its quality and security (APPs 10, 11)
  • Allow individuals to access and correct their information (APPs 12, 13)
  • Handle sensitive information (APP 3)
  • Use information for direct marketing (APP 7)
  • Disclose information to overseas recipients (APP 8)

Your privacy policy must be freely available — typically on your website — and written in clear, plain English.

2. Notifiable Data Breaches (NDB) Scheme Compliance

The Notifiable Data Breaches scheme has been mandatory for Privacy Act-covered entities since 2018. When the exemption is removed, small businesses will be covered for the first time.

Under the NDB scheme, if you experience an "eligible data breach" — one that is likely to result in serious harm to affected individuals — you must:

  • Notify the OAIC as soon as practicable
  • Notify affected individuals directly
  • Take remedial action to reduce harm

This applies even if you're a small business. A cyber attack that exposes your customers' email addresses and payment details would trigger NDB obligations.

Your privacy policy must include a section explaining the NDB scheme and how individuals can get more information if they believe their information has been involved in a breach.

3. Data Security Measures

APP 11 requires you to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. Since the December 2024 reforms, this explicitly includes both:

  • Technical measures: Encryption, access controls, secure passwords, regular software updates
  • Organisational measures: Staff training, documented policies, vendor assessment

"Reasonable steps" is assessed relative to the size and nature of your business — a sole trader isn't expected to have the same security infrastructure as a large corporation. But having no security measures at all won't be acceptable.

4. Process for Handling Access and Correction Requests

Under APPs 12 and 13, individuals have the right to:

  • Access the personal information you hold about them
  • Request corrections if it's inaccurate, incomplete, or outdated

You'll need a documented process for handling these requests, including:

  • How individuals can make a request
  • Who in your business is responsible for responding
  • How long you have to respond (generally 30 days)
  • What to do if you refuse a request

5. Direct Marketing Compliance

APP 7 restricts how you can use personal information for direct marketing. If you send marketing emails, SMS messages, or other communications to customers, you'll need to:

  • Ensure you have consent or a legitimate basis for marketing
  • Allow individuals to opt out easily
  • Stop sending marketing communications when someone opts out

This overlaps with your obligations under the Spam Act 2003, which already applies regardless of the Privacy Act.


Penalties for Non-Compliance

When small businesses become covered by the Privacy Act, they'll face the same penalty framework as large businesses — updated significantly by the December 2024 reforms.

The penalty tiers:

Breach type                | Individual          | Company
Interference with privacy  | Up to $660,000      | Up to $3.3 million
Serious or repeated breach | Up to $2.5 million  | Up to $50 million*

*Or 30% of adjusted turnover, or three times the benefit obtained — whichever is greater.

Enforcement mechanisms:

The OAIC can now:

  • Issue infringement notices (on-the-spot fines up to $66,000) without going to court
  • Issue compliance notices requiring specific actions
  • Conduct formal investigations and seek court-ordered penalties
  • Publish details of enforcement actions (reputational risk)

The statutory tort:

Since June 2025, individuals can also sue directly for serious privacy invasions — without needing to prove financial damage. This litigation risk applies to all Privacy Act-covered entities, including small businesses once the exemption is removed.

The practical risk for small businesses:

Enforcement actions against small businesses are likely to focus on:

  • Serious data breaches that weren't notified
  • Failure to have any privacy policy
  • Repeated complaints that weren't addressed
  • Egregious misuse of customer data

A small business that makes genuine efforts to comply — even imperfectly — is in a much better position than one that ignores its obligations entirely.


How to Prepare Now

The exemption removal isn't confirmed yet, but preparation now saves significant cost and stress later. Here's a practical approach:

Step 1 — Audit What Personal Information You Hold (Now)

Map out every type of personal information your business collects:

  • Customer names, email addresses, phone numbers
  • Payment information
  • Delivery addresses
  • Website analytics data (IP addresses, browsing behaviour)
  • Employee records
  • Supplier contact details

Understand where it's stored, who has access, and how long you keep it.

Step 2 — Get a Compliant Privacy Policy (Now)

Don't wait for the legislation to pass. A privacy policy:

  • Shows good faith if the OAIC or a customer asks
  • Builds customer trust today
  • Only needs minor updates when the exemption is removed
  • Costs far less now than having one drafted under deadline pressure

The key is getting a policy that covers all 13 APPs and the NDB scheme — not a generic US template adapted for Australia.

Step 3 — Implement Basic Security Measures (Now)

  • Enable two-factor authentication on all business accounts
  • Use strong, unique passwords (a password manager helps)
  • Keep software and systems updated
  • Back up important data regularly
  • Train any staff who handle personal information

Step 4 — Create a Simple Breach Response Plan (3-6 months)

You don't need a 50-page incident response plan. A simple document covering:

  • Who to contact internally if a breach is suspected
  • How to assess whether it's an "eligible data breach" under the NDB scheme
  • How to notify the OAIC (via their online portal)
  • How to notify affected individuals

Step 5 — Review Your Marketing Practices (3-6 months)

Check that your email marketing:

  • Has clear consent or a legitimate basis
  • Includes an easy unsubscribe option
  • Honours unsubscribe requests promptly

Step 6 — Monitor Legislative Progress (Ongoing)

Follow the OAIC's website (oaic.gov.au) and the Attorney-General's Department for updates on Tranche 2 legislation. Sign up for the OAIC's newsletter to get alerts when key developments occur.


How ComplianceKit Helps Small Businesses Prepare

ComplianceKit is built specifically for Australian businesses — including the small businesses that are about to come under Privacy Act obligations for the first time.

What You Get

A ComplianceKit privacy policy covers:

  • All 13 Australian Privacy Principles
  • The Notifiable Data Breaches scheme (the requirement that even large AU enterprises miss)
  • December 2024 reform implications
  • June 2025 statutory tort considerations
  • Plain English at Grade 10 reading level — your customers can actually read it

Managed Compliance — Built for Law Changes

The Tranche 2 reforms are exactly why Managed Compliance exists. When the small business exemption is removed and your obligations change, your policy will be updated automatically — without you needing to track legislation yourself.

What Managed Compliance does when Tranche 2 passes:

  • Automatically updates your policy for any new requirements
  • Emails you to let you know what changed and why
  • Maintains a complete version history so you can see exactly what was updated
  • Keeps your hosted policy URL current — no need to re-upload to your website

The Cost Comparison

Option                              | Cost              | What you get
Privacy lawyer                      | $500–$2,000+      | Custom policy, legal advice
US-based generator                  | $29–$99/month     | Generic policy, often missing APPs and NDB scheme
ComplianceKit — Generate Once       | $79 AUD one-time  | AU-compliant policy, 4 formats, lifetime access
ComplianceKit — Managed Compliance  | $79 + $29/year    | Everything above + automatic updates, hosted URL

Why Not Just Use a Free Template?

Free privacy policy templates are almost universally US-centric. They typically:

  • Miss the NDB scheme entirely (a mandatory requirement since 2018)
  • Cover fewer than the required 13 APPs
  • Use US legal terminology
  • Don't reflect Australian Privacy Act requirements
  • Won't be updated when Tranche 2 passes

When the Privacy Act exemption is removed and your business faces OAIC scrutiny, "I downloaded a free template" is not a defence.


Frequently Asked Questions

Does the small business exemption removal apply to me if I'm a sole trader?

If you're a sole trader with turnover under $3 million and you don't fall into one of the existing carve-outs (health services, etc.), you currently benefit from the exemption. The removal will apply to you.

I don't have a website. Does this still affect me?

Possibly. Even without a website, if you collect personal information from customers, employees, or suppliers — including names and phone numbers in a contacts list — you may be subject to the Privacy Act once the exemption is removed.

My business is tiny. Will the OAIC really come after me?

The OAIC's enforcement focus tends to be on larger businesses and serious breaches. However, complaints-driven investigations can affect businesses of any size. And the statutory tort (in effect since June 2025) allows individuals to sue directly without going through the OAIC. The bigger risk for small businesses may be civil litigation rather than OAIC enforcement.

What if I miss the deadline?

Operating without Privacy Act compliance after the exemption is removed and any transition period expires would expose you to OAIC enforcement and civil claims. The OAIC has indicated it will provide guidance and resources for newly covered businesses, but compliance will ultimately be mandatory.

I already have a privacy policy. Is it good enough?

It depends on where you got it. If it's a US template, probably not — US privacy policies don't cover Australian-specific requirements like the NDB scheme and all 13 APPs. Check whether it mentions the Privacy Act 1988, all 13 Australian Privacy Principles, and the Notifiable Data Breaches scheme. If not, it needs updating.


Summary

The OAIC small business exemption is being removed as part of the Tranche 2 privacy reforms expected in 2026-2027. When it happens, approximately 2.3 million additional Australian businesses will be subject to the full Privacy Act framework — including the requirement for a compliant privacy policy, the Notifiable Data Breaches scheme, data security obligations, and penalties of up to $50 million for serious breaches.

The smartest approach is to prepare now:

  1. Audit what personal information you collect
  2. Get a compliant privacy policy (one that actually covers Australian law)
  3. Implement basic security measures
  4. Create a simple breach response plan
  5. Monitor legislative progress

Don't wait until the legislation passes to start. The businesses that prepare early will have far less to do when the compliance deadline arrives — and will benefit from the customer trust that strong privacy practices build in the meantime.


Last updated: April 13, 2026

This guide provides general information about Australian privacy law. It is not legal advice. For specific legal questions about your situation, consult a qualified privacy lawyer or contact the OAIC on 1300 363 992.

Ready to Get Compliant Before the Deadline?

ComplianceKit generates privacy policies specifically for Australian businesses — already covering all 13 APPs and the NDB scheme, with Managed Compliance to handle automatic updates when Tranche 2 passes.
