In our current digital era, Australians use technology for many aspects of their lives, including work, education, healthcare, and shopping. Consequently, there is a mounting expectation that personal data handed over should receive robust protection. The way personal data is handled in Australia is about to undergo some big changes, and it’s important for small businesses to be ready for what’s coming.

Attorney-General Mark Dreyfus has confirmed the government’s commitment to implementing most of the recommendations outlined in a comprehensive review of the Privacy Act, which was released in February 2023.

We cover a few of the key reforms below:

·      Removal of Small Business Exemption

The government has given its initial approval to remove a long-standing exception from the Privacy Act that previously applied to businesses with an annual turnover of $3 million or less. These changes are substantial, and the government recognizes that they may present challenges for small businesses. Therefore, they have established a transition period, providing small businesses with the time necessary to adapt and make the required adjustments to their data management practices.

·      Informed Consent

One of the significant changes brought about by these reforms is the requirement for organisations to obtain informed consent when handling personal information. In simpler terms, this means that individuals must now be fully informed about how their data will be used, and they need to clearly agree to it. This change marks the end of the era where people often skip reading long and complicated terms and conditions without really understanding them. Instead, the focus is on ensuring that people understand what’s happening with their data and agree to it in a straightforward and transparent manner.

·      Enhanced Safeguards for Children

Another crucial aspect of these reforms is the introduction of a Children’s Online Privacy Code. This code is specifically created to provide stronger protections for children when they are online. Its main goal is to guarantee that personal information about children is handled with the utmost care and security to keep them safe while they use the internet.

·      Accountability and Destruction of Data

Moving forward, organizations will have a responsibility to manage information more carefully. In practical terms, this means that businesses are responsible for safeguarding personal data and, just as importantly, securely disposing of it when it’s no longer necessary. This shift is all about ensuring that sensitive information isn’t retained in databases for longer than necessary, reducing the risk of data breaches.

·      Clarification on Privacy Protection

The aim of these reforms is straightforward: to ensure strong protection of individual privacy, especially when handling personal information on behalf of others. This newfound clarity is designed to assist businesses in gaining a better grasp of the often-complex world of data protection.

·      Fair and Reasonable Information Collection

In addition to the obligation to obtain consent when collecting date, upcoming changes in the law will establish a “fair and reasonable” standard for data collection, even when individuals haven’t given their explicit agreement. This important amendment is designed to tackle the common practice where people simply click checkboxes to agree to lengthy privacy statements without fully understanding what they entail.

·      Broadening the Scope of Personal Information

The definition of personal information is expanding to include cookie identifiers and IP addresses. This means that even if someone’s identity isn’t directly disclosed, if there’s a reasonable possibility they could still be recognised, their data will be protected.

·      Legal Recourse for Privacy Violations

The government has provisionally endorsed the concept of a legal recourse mechanism to tackle significant breaches of privacy. The amendment will grant individuals the right to pursue legal action in the courts when their privacy is violated. This will include the introduction of a new legal avenue specifically designed to address cases of severe invasions of privacy.

Government Support

The government has given its support to 36 of the review’s suggestions and has tentatively agreed to 68 others. Additionally, it has taken note of 10 proposals. Some of these include recommendations to allow people to choose not to receive personalized advertisements and to prevent political parties from targeting voters based on sensitive information or characteristics.

In summary, the forthcoming Privacy Act reforms are set to bring about significant changes in how personal information is handled in Australia, with a particular emphasis on safeguarding individual privacy.

For small businesses, who have not previously been subject to the Act, these amendments may pose a notable challenge, requiring them to acquaint themselves with their new responsibilities. Although a transition period will be in place for adjustment, the underlying message is unmistakable: safeguarding personal data holds paramount significance in the digital era.

Seeking Further Guidance? 

If you need further guidance on how these changes might affect your business, please feel free to get in touch with our knowledgeable legal team at Ardor Legal.

Ardor Legal can assist you with drafting a privacy statement and privacy policies for your business that are in line with your legal obligations.

Contact us today via phone at (07) 3161 2847 or email us at

Stay informed, stay compliant, and prioritize the privacy of your customers’ data as you navigate these transformative changes.