Three Privacy Act deadlines hit in 2026: small business regulation from July 1, Children's Online Privacy Code and automated decision-making transparency by December.
From July 1, roughly 100,000 Australian small businesses lose their Privacy Act exemption, with two more compliance deadlines hitting before December.
The Australian Government confirmed three Privacy Act reform deadlines for 2026: small business regulation from July 1, the Children's Online Privacy Code by December 10 and automated decision-making transparency by December 10.
Businesses that have never needed a privacy policy, breach notification process or data handling framework will need all three within months.
This directly targets Australian small businesses previously exempt due to size, covering an estimated 100,000+ operators across every sector.
Every Australian small business owner, founder-led company and sole trader collecting customer data through a website, CRM or email list.
Non-compliance after July 1 exposes your business to OAIC investigation, enforceable undertakings and penalties that did not previously apply to you.
Audit your current privacy policy against the Australian Privacy Principles before July 1
Review any automated decision-making tools (chatbots, lead scoring, dynamic pricing) for transparency obligations landing in December