Skip to main content
Compliance

Privacy Act 2026: 100,000 Small Businesses Just Lost Their Exemption

Cubit Cyber·14 July 2026·8 min read
Privacy Act 2026: 100,000 Small Businesses Just Lost Their Exemption

On 1 July 2026, more than 100,000 Australian small businesses lost a legal protection they didn't know they had, and most of them still don't know it's gone. A change to anti-money laundering law quietly stripped the Privacy Act's small business exemption from five entire industries. If you run a real estate agency, law firm, accounting practice, conveyancing business, or deal in high-value goods like jewellery, the rules that used to apply only to big companies now apply to you too.


What Actually Changed on 1 July

Australia's small business exemption has always worked on a simple idea: if your business turns over less than $3 million a year, the Privacy Act mostly leaves you alone. That threshold hasn't moved. What changed is a separate law that quietly overrides it.

From 1 July 2026, the AML-CTF Act (Australia's anti-money laundering and counter-terrorism financing law) expanded to cover a new group of industries. The rule is straightforward but easy to miss: the moment your business becomes regulated under AML-CTF, your Privacy Act small business exemption disappears with it, regardless of your turnover.

This isn't a proposal or a future date to prepare for. It has already happened.


Is Your Business Now Covered?

The AML-CTF expansion targets businesses that provide what the law calls "designated services." As of 1 July 2026, that includes:

  • Real estate professionals (agents, agencies)
  • Lawyers and conveyancers handling property or client funds
  • Accountants providing designated financial or trust-related services
  • Trust and company service providers
  • Dealers in high-value goods, including jewellers and dealers in precious metals and stones

If your business sits in one of these categories and turns over less than $3 million a year, you were exempt from the Privacy Act on 30 June 2026. You are not exempt now.

This is easy to miss because nothing about your day-to-day work changed. No new sign got put on your door. No regulator called. The obligation simply started applying, and it's on you to notice.


What Being "Covered" Actually Requires

Losing the exemption means the Australian Privacy Principles now apply to how you collect, store, use, and disclose personal information. In practice, that means:

  • A compliant privacy policy that accurately describes what personal information you collect and why, not a generic template copied from another business.
  • Reasonable security safeguards, both technical and organisational. A firewall and antivirus software alone are not considered sufficient anymore. Under the current Australian Privacy Principle 11, that floor now includes multi-factor authentication on every account, documented access controls and audit logs, regular patching, and written data-handling clauses in every contract with a supplier who touches client data, including your practice management software, your conveyancing platform, or an outsourced bookkeeper.
  • A process for handling data breaches, including assessing whether a breach needs to be reported to the OAIC and affected individuals.
  • Proper handling of access and correction requests from clients who ask what personal information you hold about them.

None of this is exotic. It's the same baseline every larger, previously-regulated business has had to meet for years. The difference is you now have to meet it too, starting immediately.


Why This Is a Cyber Security Problem, Not Just a Legal One

Here's the part that gets missed. The same AML-CTF expansion that stripped your Privacy Act exemption also requires you to start collecting and verifying government-issued ID for your clients, things like driver's licences and passports, as part of standard customer due diligence.

That means real estate agencies, law firms, accounting practices, conveyancers, and jewellers are now sitting on exactly the kind of data that fuels identity theft: full names, dates of birth, addresses, and ID document numbers. It's the same category of information exposed in the 2022 Optus breach. The difference is Optus had an enterprise security team. Most of the 100,000 businesses now covered by this change don't, and real estate in particular doesn't have a strong track record on data security, with rental application leaks a recurring problem.

There's genuinely good news buried in the AML-CTF rules themselves: as of 31 March 2026, you're no longer required to keep scanned copies or photocopies of identity documents. You only need to retain the name, date of birth, address, document type and expiry, and the outcome of the verification, not the document itself. If your intake process still involves photocopying a licence and saving it to a shared drive, that's now an unnecessary liability, not a compliance requirement.

Two more things worth building into your process now:

  • Records have to be kept for seven years. Whatever you retain needs to stay encrypted and access-controlled for that whole window, not just at the point of collection. A long retention period means a long-lived target.
  • A data breach can trigger conflicting obligations. If a breach involves a client who was also the subject of a suspicious matter report, the AML-CTF Act's secrecy and "tipping-off" provisions can legally prevent you from notifying that individual, even though the Privacy Act's data breach scheme would normally require it. In that situation, you notify the OAIC, not the client. Any breach response plan you build needs a legal check step, not just an IT one.

The Cost of Getting This Wrong

The penalties attached to the Privacy Act are not symbolic. For serious or repeated breaches, the maximum penalty is the greatest of:

  • $50 million
  • Three times the value of any benefit obtained from the breach
  • 30% of adjusted turnover during the breach period

Very few small businesses will face a penalty at that scale, but lower-level failures carry real teeth too. The OAIC can issue infringement notices of up to $66,000 per contravention for things like failing to maintain a compliant privacy policy, well within reach of an ordinary compliance oversight.

There's also a change that predates this one but compounds the risk: since June 2025, individuals have a statutory right to sue directly for serious invasions of privacy, without needing the OAIC to act first. A mishandled data breach is no longer just a regulatory risk. It's a legal one, brought by the person whose information you lost.


This Is a Preview, Not a One-Off

If your business isn't a real estate agency, law firm, accounting practice, conveyancer, or high-value goods dealer, it's tempting to treat this as someone else's problem. We'd encourage you not to.

The government is progressing a second reform tranche that would remove the general small business exemption entirely, for every industry, not just the five caught by this AML-CTF change. It hasn't been legislated yet, and no firm date has been set, but the policy direction is on the public record. When it lands, it will affect a much larger group of businesses with far less warning than this one gave.

The businesses that come out ahead won't be the ones scrambling when the exemption is finally removed. They'll be the ones who already built the habits this July's change forced on 100,000 of their peers.


What to Do Right Now

Whether you're directly affected today or getting ahead of tomorrow, the steps are the same:

  1. Check if you're in scope. If your business provides any AML-CTF designated service (real estate, legal, accounting, conveyancing, trust services, high-value goods dealing), assume the exemption no longer applies to you.
  2. Audit what personal information you actually hold. Most businesses collect more than they realise, and retain it longer than they need to. You can't protect what you haven't mapped.
  3. Write or update your privacy policy so it reflects what you actually do with client and customer information, not a generic download.
  4. Put real security controls in place. Multi-factor authentication on every account, endpoint protection, encrypted storage, and proper access controls are the baseline now, not a nice-to-have.
  5. Stop keeping copies of client ID documents you don't need. If you're verifying identity under AML-CTF, retain the details of the verification, not a scanned licence or passport sitting in a shared drive.
  6. Build a data breach response plan before you need one, and make sure it accounts for AML-CTF secrecy rules as well as standard notification requirements. Knowing who does what, and who you're legally allowed to tell, in the first 24 hours of a breach is the difference between a manageable incident and a very expensive one.

Summary

A quiet change to anti-money laundering law has pulled more than 100,000 Australian small businesses into full Privacy Act compliance overnight, and it's only the first step in a broader shift. If you're in real estate, legal, accounting, conveyancing, or high-value goods, the obligations apply to you as of now. If you're not, treat this as the warning it is.

Cubit Cyber helps Australian small businesses work out exactly where they stand and what to fix first. To understand where your business stands, we offer a free initial consultation - get in touch.

Free Assessment

How secure is your Microsoft 365?

12 questions. Instant score across 5 security categories. Takes 3 minutes. No login required.

Take the Free Assessment →

Stay sharp

Get practical security tips, monthly.

Plain English. No jargon. No spam. Unsubscribe any time.

Ready to protect your business?

Get a free, no-obligation security assessment quote tailored to your business.