Privacy Law Update: what every small business owner in Australia needs to know

Written By Emma Heuston

Recent changes to privacy law in Australia are impacting businesses across the country.

The Privacy and Other Legislation Amendment Bill 2024 has become law in Australia and this article breaks down what’s changed, what hasn’t, and what it means for your small business.

Key Changes in Privacy Laws

The Privacy and Other Legislation Amendment Bill 2024 sees changes to the following aspects of privacy law:

1.             Automated decisions: if your business uses computer programs to make decisions that affect people (like whether they qualify for a service or an AI chatbot), you’ll need to update your privacy policy.

2.             Data security and breaches: stricter rules are now in place to manage personal data securely and report breaches.

3.             Children’s privacy: a new code will protect kids using online services.

4.             Serious invasions of privacy: people can now sue if their privacy is invaded recklessly or intentionally, even if no financial harm occurred.

5.             Doxxing laws: publishing personal information online to harass or threaten someone is now a criminal offence known as doxxing.

While these changes are important, more is on the way, including some key topics—like how small businesses handle privacy or employee records—are on hold until further reforms (likely later in 2025).

What does this mean for your small business?

So, where does this leave you and your small business?

Automated Decisions

Does your business use software to make decisions about customers?

For example:

  • approving or rejecting a loan application.

  • deciding eligibility for a service or benefit.

  • granting access to something valuable, like a subscription or membership.

  • sending out automated newsletters after they purchase an item.

  • using an AI chatbot to direct your client to certain services or products.

If you answered yes to any of the bullet points above, you’ll need to:

  • add clear explanations to your privacy policy about how you use personal data for these decisions; and.

  • identify which decisions are automated and how they impact customers.

Businesses have up to two years to comply with this change, but it’s worth starting now to avoid last-minute stress, particularly as things like AI become so ingrained in our day-to-day business operations.

Increased Penalties

The penalties for breaching privacy laws have become tougher, with three levels (serious, moderate and minor):

  • serious breaches: Up to $50 million in fines or 30% of your annual turnover.

  • moderate breaches: Up to $660,000.

  • minor breaches: Up to $66,000.

Even simple mistakes, like not having a clear privacy policy (or a privacy policy at all!) or failing to let customers opt out of marketing, can now result in fines.

The regulator (the Office of the Australian Information Commissioner, or OAIC) can issue penalties directly, without needing to go through the courts.

What you can do:

  • make sure your privacy policy is up to date and easy to understand.

  • regularly review your practices for collecting, storing, and using personal information.

  • train staff to handle data securely.

Serious Privacy Breaches

The new laws introduce a way for individuals to sue businesses for “serious invasions of privacy.” This applies if:

  • personal information was misused intentionally or recklessly (not accidentally); and

  • the invasion of privacy caused distress or harm to the person’s dignity.

While proof of financial damage isn’t required, the breach must meet a high threshold. This change is likely to lead to more legal claims, so it’s crucial to tighten your privacy practices now, and that includes making sure your privacy policy is up to date. 

Doxxing

Doxxing, or publishing someone’s personal information online to threaten, harass, or embarrass them, is now a criminal offence.

Doxxing includes sharing details like:

  • names, addresses, or phone numbers.

  • photos or email addresses.

  • information about someone’s workplace or school.

This applies to individuals and businesses, and there are no exemptions for small businesses or employee-related matters. As a small business, you must avoid sharing personal details about someone without their consent, especially in public or online settings, including on your website, social media, or other places.

Data security

The new laws clarify that “reasonable steps” to protect personal information should include:

  • technical measures: examples include encryption, strong passwords, and secure networks; and

  • organisational measures: this includes training and having a clear data protection policy.

What this means for your small business:

  • review how your business stores and protects personal data.

  • be prepared for data breaches by having a response plan in place.

Things that have stayed the same

Some big issues haven’t been included in this round of reforms but may appear in the next phase expected later in 2025. These include:

  • Small business exemptions: Right now, businesses with an annual turnover under $3 million are generally exempt from privacy laws. This will likely change in the future, so it’s wise to start preparing. And in any event, the Doxxing laws apply to all businesses, regardless of business size right now.

  • Employee records: There are no new rules yet about how businesses handle employee information, but changes are expected.

  • Direct marketing: Stricter rules around using personal data for advertising are also on the horizon.

Next steps

With changes already in place and more changes on the horizon, we have prepared a 5 step checklist to get you started:

 

Step 1: Update your privacy policy

Make sure your privacy policy is current, clear, and accurate.

Your privacy policy should include details about the changes to automated decisions (where applicable) and doxing at a minimum.

 Step 2: Audit your practices

Map out the customer journey and review how you collect, store, and use personal information to identify any gaps in compliance. Then fix those gaps!

Step 3: Train your team

Ensure you and your team understand what constitutes a privacy breach and how to spot and protect potential risks.

 Step 4: Plan for the future

In addition to updating for changes that have already happened, start preparing for changes that will likely happen later in 2025, especially if you are a small business or handle employee records.

 Step 5: Keep updated

Stay informed! Subscribe to our newsletter or make sure to read government updates and and when they come out.

Action plan

The new privacy laws signal a significant shift in how Australian businesses handle personal information. While these changes may seem overwhelming, they are an opportunity to build trust with your customers and strengthen your business practices.

Take action now to ensure your business complies with the current rules and is ready for the next phase of reforms. By staying informed and proactive, you can turn privacy compliance into a competitive advantage.

 

At Ready to Boss Legal you can find our updated privacy policy here (and updated website terms of use and privacy policy bundle here).

 

Emma Heuston
Next

Planting the seeds of success: how to future proof your business