This is an independent compliance guidance tool. It is not affiliated with the Australian Government or the OAIC. For official information visit oaic.gov.au
Free Tool · Privacy Act 1988 (Cth)

Is Your Small Business
Ready for Australia’s
New Privacy Laws?

Australia’s Privacy Act is changing. The $3 million small business exemption is being removed. Use our free checker to see exactly where your business stands against the 13 Australian Privacy Principles — no legal jargon, no signup required.

Key Dates & Deadlines

  • In Force Now
    Statutory tort for serious, intentional or reckless invasions of privacy (in force since 10 June 2025) — individuals can sue your business directly in court.
  • Active Now
    OAIC compliance sweeps underway. Fines up to $66,000 for non-compliant privacy policies.
  • 1 July 2026
    First wave of small businesses regulated under the Privacy Act for the first time.
  • 10 December 2026
    Automated decision-making transparency required. Children’s Online Privacy Code registered.
  • Tranche 2 — 2027
    Further reforms expected. Small business exemption fully removed for most businesses.
Check My Business Now →
  • 2M+ Australian SMBs affected by exemption removal
  • $50M maximum fine for serious or repeated breaches
  • 13 Australian Privacy Principles we check against
  • 5 min average time to complete the checker

How It Works

Three Steps to Know Your Compliance Status

No legal knowledge needed. No account required. Answer plain-language questions about your business and get a clear compliance report in minutes.

1

Answer Questions About Your Business

Tell us what type of business you run, what personal information you collect, how you use it, and whether you share it with third parties or overseas services.

2

We Map Your Answers to the 13 APPs

Your responses are checked against all 13 Australian Privacy Principles under the Privacy Act 1988, plus the Notifiable Data Breaches scheme requirements.

3

Get a Clear Report With Next Steps

You receive a colour-coded compliance report showing what you’re doing well, where your gaps are, and specific plain-English actions to fix each issue.

What We Check

All 13 Australian Privacy Principles Covered

The checker assesses your business against every principle in the Privacy Act 1988. Here is what each one covers.

  • APP 1 Open & Transparent Management: Do you have a current, accessible privacy policy?
  • APP 2 Anonymity & Pseudonymity: Can people interact with you without identifying themselves, where that is lawful and practicable?
  • APP 3 Collection of Solicited Information: Do you only collect what you genuinely need for your business functions?
  • APP 4 Unsolicited Information: Do you have a process for personal information you didn't ask for (including destroying or de-identifying it where you could not lawfully have collected it)?
  • APP 5 Notification of Collection: Do you tell people what you're collecting and why, at or before the time of collection?
  • APP 6 Use or Disclosure: Do you only use data for the purpose it was collected, or a purpose the person would reasonably expect?
  • APP 7 Direct Marketing: Are your marketing practices compliant with opt-out rights?
  • APP 8 Cross-Border Disclosure: Do you protect data sent to overseas services like Google or Xero?
  • APP 9 Government Identifiers: Do you handle Tax File Numbers or Medicare numbers correctly?
  • APP 10 Quality of Personal Information: Do you keep customer data accurate, up to date and complete?
  • APP 11 Security of Personal Information: Do you have technical and organisational measures against misuse, interference, loss, unauthorised access, modification or disclosure, and do you destroy or de-identify personal information once you no longer need it?
  • APP 12 Access to Personal Information: Can customers access the data you hold about them?
  • APP 13 Correction of Personal Information: Can customers correct inaccurate data you hold about them?
  • NDB Notifiable Data Breaches: Do you have a breach response plan, a process to assess a suspected eligible data breach within 30 days, and a process to notify the OAIC and affected individuals?

Who Needs This

Built for Australian Small Business Owners

If your business collects any personal information — a name, an email address, a phone number — you need to understand your obligations under the Privacy Act. This tool is built for:

  • 🏥 Health & Allied Health
  • 🏪 Retail & E-commerce
  • 🔧 Tradies & Contractors
  • 🏠 Real Estate Agents
  • 🍽️ Cafes & Hospitality
  • ⚖️ Professional Services
  • 💻 Tech & SaaS
  • 📚 Education & Coaching
  • 💈 Beauty & Wellness
  • 🚗 Auto Services
  • 📦 Logistics & Delivery
  • 🏗️ Construction & Building

What Happens if You Don’t Comply?

Australia’s privacy regulator — the OAIC — is actively investigating and fining businesses right now. The penalties are not theoretical. Since June 2025, individuals can also sue your business directly in court without involving the regulator.

The OAIC’s first-ever compliance sweep began in January 2026. Real estate agencies, car rental businesses, and any business collecting information in person were targeted first.

Sources: OAIC.gov.au · Privacy and Other Legislation Amendment Act 2024

$66,000
OAIC infringement notice per contravention for a non-compliant or missing privacy policy
$2.97M
Maximum civil penalty per serious interference with privacy for a body corporate
$50M
Maximum penalty for serious or repeated breaches — or 30% of adjusted turnover
Direct Court Action
Since June 2025, individuals can sue for serious privacy invasions — no regulator required

Frequently Asked Questions

Common Questions from Australian SMBs

The $3 million exemption is being phased out. Even before it is fully removed, some small businesses are already covered regardless of turnover — including health service providers, businesses that trade in personal information, and Commonwealth contractors. The phase-out is expected to begin in 2026 and to be complete for most businesses by 2027, meaning most Australian SMBs will be covered regardless of turnover. Use our checker now to understand your current position.
No. This tool provides general compliance guidance based on the 13 Australian Privacy Principles. It is designed to help you understand where you may have gaps. For specific legal advice about your business situation, you should consult a qualified Australian privacy lawyer or compliance professional.
The Notifiable Data Breaches (NDB) scheme requires businesses covered by the Privacy Act to notify the OAIC and affected individuals when a data breach is likely to result in serious harm. This has been law since February 2018. As the Privacy Act expands to cover more SMBs, the NDB obligations will apply to those businesses too. Our checker assesses whether you have a breach response plan in place.
Yes. Under APP 8, before you disclose personal information to an overseas recipient — including cloud services hosted outside Australia — you must take reasonable steps to ensure the recipient does not breach the APPs, and you generally remain accountable for what that recipient does with the data. This applies to virtually every Australian small business using modern SaaS tools. Your privacy policy must also state whether you are likely to disclose personal information overseas and, where practicable, which countries it is sent to.
The OAIC began its first-ever active compliance sweep in January 2026, reviewing privacy policies across multiple sectors. Businesses found to have non-compliant or missing privacy policies can receive infringement notices of up to $66,000 per contravention. The sweep signals that the regulator has moved from passive enforcement to active monitoring. Even if your business is not currently required to comply, the direction of regulation is clear.
Most business owners complete the checker in under 5 minutes. You will need to know roughly what personal information your business collects, whether you share it with third parties, and whether you have a privacy policy in place. No technical or legal knowledge is required.
Important: This tool provides general compliance guidance only. It is not legal advice. Results are based on your responses and reflect general principles under the Privacy Act 1988 (Cth). For advice specific to your circumstances, consult a qualified Australian privacy lawyer or the Office of the Australian Information Commissioner (oaic.gov.au). This tool is not affiliated with the Australian Government or the OAIC.

Check Your Business Compliance in 5 Minutes — Free

No account. No legal jargon. No obligation. Just a clear picture of where your business stands.

Start Free Compliance Check