Australia's Privacy Act reforms have removed the small business exemption, so nearly every business must now comply with the Australian Privacy Principles. New obligations cover consent, automated decisions and a statutory tort that lets individuals sue for reckless data handling.
The exemption that let most businesses ignore privacy law is gone. The obligations do not care how small you are.
Australia's Privacy Act reforms have removed the small business exemption. For decades, most businesses under $3 million in turnover sat outside the rules. That door is closing. Nearly every Australian business now has to comply with the 13 Australian Privacy Principles, regardless of size.
This is not a tidy-up. The reforms add real teeth. If you use automated systems to segment marketing based on behaviour, you have to disclose that the systems exist, what personal information feeds them and what decisions they make. A new statutory tort means individuals can sue directly for reckless handling of their data. The Office of the Australian Information Commissioner has said it will fine organisations that fall short.
Most marketers are not ready. Recent research found only 29% of marketing, digital and ecommerce leaders believe their organisation is effective at activating data to deliver good customer experiences. The same teams now have to prove they handle that data lawfully, with personal legal exposure attached.
Why it matters
For years, privacy was something Australian small businesses could treat as a big-end-of-town problem. That logic is dead. The corner shop running a customer list and the mid-market retailer running behavioural segments now sit under the same principles.
This is not only a compliance cost. It is a forcing function. The businesses that get their data handling in order will be the ones who actually know what data they hold, where it sits and why they collected it. The ones who do not will be the ones exposed when a complaint or an audit arrives. Knowing your own numbers now includes knowing your own data.
[Figure: share of marketing, digital and ecommerce leaders who believe their organisation activates data effectively, just as the rules tighten]
What to do about it
The reforms reward the businesses that already run a tight operation and punish the ones flying blind on their own data. Treat it as a reason to finally get the house in order.