A plain-English guide to the Australian Privacy Act changes for WA small business, current as of mid-2026. Covers the statutory tort for serious invasions of privacy (in force since 10 June 2025 and not limited by the small business exemption, so even exempt businesses can be sued), the new automated decision-making transparency requirement (privacy policies must disclose significant automated or AI-driven decision-making from 10 December 2026), and the status of the small business exemption (still in place, its removal proposed and being progressed as part of a second tranche but not yet law and with no confirmed date as of mid-2026). Ends with practical steps: map the personal information you hold, review your privacy policy, and tighten security, since most privacy trouble begins as a data breach. General information, not legal advice.

    Compliance Guide
    What WA small business needs to know

    What the Privacy Act changes mean for WA small business

    Australia's privacy law is having its biggest shake-up in decades. One change is already live, another lands in December 2026, and a bigger one is circling. Here is what actually affects a small business in WA, and what to do about it.

    StartCloud14 July 20268 min read
    The short version

    The short version

    A statutory tort for serious invasions of privacy is already law. Since 10 June 2025, people can sue over serious privacy invasions, and this one is not blocked by the small business exemption. Even an exempt business can be sued.

    From 10 December 2026, privacy policies must disclose automated decision-making. If you use AI or automated systems to make decisions that significantly affect people, your policy has to say so.

    The small business exemption is under review, not gone. Removing it is proposed and being progressed, but as of mid-2026 it is not law and has no confirmed date. Prepare for it; do not panic about it.

    Already live

    The privacy tort you can already be sued under

    This is the change most small businesses have missed. Since 10 June 2025, Australia has had a statutory tort for serious invasions of privacy. In plain terms, an individual can now take you to court if you seriously invade their privacy, either by intruding on their private affairs or by misusing information about them, where that was done intentionally or recklessly and the invasion was genuinely serious.

    Here is the part that matters for smaller operators. The old $3 million small business exemption limits many Privacy Act obligations, but it does not shield you from this new tort. So a business that has always assumed privacy law does not apply to it can now find itself defending a privacy claim brought directly by an individual.

    Think about your everyday handling of personal information. Customer records, staff data, security camera footage, marketing lists. Careless handling that would once have carried little legal risk for a small business now sits inside reach of a personal claim.

    Deadline: 10 December 2026

    Automated decisions must be disclosed

    The second change has a firm date. From 10 December 2026, if your business uses a computer program, and that includes AI tools, to make or substantially assist decisions that could significantly affect a person's rights or interests, your privacy policy has to disclose it. Specifically, it needs to explain the kinds of personal information those systems use and the kinds of decisions they make.

    This is more relevant to small business than it first sounds. Automated tools now sit behind hiring shortlists, credit and payment terms, dynamic pricing, and fraud checks. If any of that is running in your business, your privacy policy almost certainly needs updating before the date. It is a modest job if you start now, and a scramble if you leave it to the last minute.

    On the horizon

    The small business exemption, and where it is heading

    For a long time, businesses under $3 million in annual turnover have been exempt from most Privacy Act obligations. That exemption is one of the most criticised features of Australian privacy law, and the government has flagged its removal as part of a second tranche of reforms. When that happens, an estimated couple of million small businesses would come under the full set of obligations for the first time.

    The honest status, as of the middle of 2026, is that this is proposed rather than passed. The relevant legislation has not been introduced to Parliament and no commencement date has been set. It would be a mistake to treat it as a fixed deadline, and just as big a mistake to assume it is not coming. The sensible read is that the exemption is living on borrowed time, so the businesses that quietly get their house in order now will have the easiest transition when it goes.

    Some businesses have already lost the exemption. Separate reforms have started bringing specific sectors under the Privacy Act regardless of size. If you are in a newly regulated industry, do not assume the $3 million line still protects you. Check where your sector stands.

    Getting ready

    What to do now

    None of this requires a compliance department. For a typical WA small business, three practical moves cover most of the ground.

    Know what you hold

    Map the personal information your business collects, where it lives, and who can reach it. You cannot protect or disclose what you have never mapped.

    Review your privacy policy

    If you use any automated or AI-driven system to make decisions about people, your policy will need to say so by 10 December 2026. Start the review now, not in November.

    Tighten your security

    Most privacy trouble starts as a data breach. The Essential Eight basics, MFA and tested backups, are also your best privacy protection.

    That last point is the one we would underline. Privacy and security are the same conversation from two angles. A business that has done the Essential Eight basics and can recover from an incident is also a business that is far less likely to ever cause the kind of breach that turns into a privacy claim.

    Verdict

    The takeaway

    The direction of travel is clear: privacy is becoming everyone's responsibility, not just the big end of town's. One change is already law and reaches businesses that thought they were exempt. Another has a hard date in December 2026. And the biggest of all, the end of the small business exemption, is a question of when, not if.

    You do not need to solve all of it today. You do need to know what personal information you hold, keep it secure, and make sure your privacy policy tells the truth about how you use it. Getting the security foundations right is where we help, and it is the part that protects you no matter which way the law lands next.

    FAQ

    Common questions

    Does the Privacy Act even apply to my small business?

    Traditionally, businesses with annual turnover under $3 million have been exempt from most Privacy Act obligations, with some exceptions (health service providers, businesses that buy or sell personal information, and government contractors, among others). That exemption still exists for now, but it is under active review and some sectors have already been pulled in through separate reforms. The safe assumption is that this will apply to you sooner rather than later.

    What is the new privacy tort, and can a small business be sued under it?

    Since 10 June 2025, Australia has a statutory tort for serious invasions of privacy. Individuals can sue where someone seriously invades their privacy, either by intruding on their seclusion or by misusing their information, and the invasion was intentional or reckless. Importantly, this cause of action is not limited by the small business exemption, so even an otherwise exempt small business can be on the receiving end of a claim.

    What do I have to do about automated decision-making?

    From 10 December 2026, if your business uses computer programs (including AI) to make or substantially help make decisions that could significantly affect someone's rights or interests, your privacy policy must disclose it. That means saying what kinds of personal information the systems use and what kinds of decisions they make. If you use automated tools for things like credit, hiring, or pricing decisions, this is one to sort out ahead of the date.

    Is the small business exemption being removed?

    Not yet, and not on a fixed date. The government has said it is progressing a second tranche of privacy reforms that is expected to remove the exemption, but as of mid-2026 that legislation has not been introduced to Parliament and there is no confirmed commencement date. Treat it as a strong signal of where things are heading, not as a deadline you can circle on the calendar.

    I'm in WA. Is there a separate state privacy law for my business?

    For private businesses, the rules that matter are the federal Privacy Act, which applies right across Australia including WA. Western Australia's own privacy legislation is aimed at the state public sector, so a typical WA small business should be focused on the federal changes described here.

    This article is general information, not legal advice, and privacy law is changing quickly. For how these obligations apply to your specific business, check the current guidance at oaic.gov.au or speak to a qualified adviser.

    StartCloud Assistant

    Online

    G'day! 👋 I'm the StartCloud Assistant. How can I help you today?