
Do the new privacy law amendments affect your business? Read on to find out if the Privacy Act applies to your business and what you need to do to comply.
With the digital landscape changing rapidly, Australia’s privacy laws are changing to ensure they keep up with the ever-expanding use of artificial intelligence (AI) and the risks that come with digital currency, money laundering or terrorism. The need to protect an individual’s personal information, given the rapid pace of digital expansion, is paramount.
The Office of the Australian Information Commissioner announced that Australia’s privacy regulator will start its first-ever compliance sweep in 2026, conducting a targeted review of selected businesses’ privacy policies to ensure they meet the strict requirements.
Although this is a targeted review of real estate agencies, chemists, pharmacists, licensed venues, car rental companies, car dealerships, pawnbrokers and second-hand dealers, the changes to privacy law concerning Anti-Money Laundering and Counter-Terrorism Financing and the use of AI and Automated Decision Making (ADM) software cover a broad range of businesses, which must be prepared by 1 July 2026 and 10 December 2026, when these laws come into force.
Quick Snapshot
If your business:
- is covered by the Privacy Act 1988 (Cth) (Privacy Act); and
- uses ADM software and personal information (as defined in the Privacy Act) for decisions that could reasonably be expected to significantly affect the rights or interests of an individual, as defined in the Privacy and Other Legislation Amendment Act 2024 (Cth) (Privacy Amendment Act). For example, using personal information and ADM software for recruitment decisions, or for decisions about employees or customers that are expected to significantly affect their rights or interests; or
- is a reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML Act); or
- uses face or fingerprint scanning on time clocks for employee clocking,
your privacy policy and collection notice need to be updated now and your staff should receive internal training so they understand how to comply with your privacy obligations and what to do if a privacy breach occurs.
Who does the Privacy Act apply to?
Broadly, the Privacy Act covers:
- organisations with an annual turnover of more than $3 million. Organisations are defined in the Privacy Act as:
  - an individual, including a sole trader (although generally the Privacy Act does not apply to an individual acting in a personal capacity);
  - a body corporate;
  - a partnership;
  - any other unincorporated association; or
  - a trust,
  (subject to some exceptions);
- regardless of turnover, the following types of businesses:
  - health service providers, including but not limited to medical practitioners, pharmacists or naturopaths, chiropractors, gym or weight loss clinics or child care centres;
  - a business trading in personal information as defined in the Privacy Act and outlined further in this article;
  - a contractor that provides services under a Commonwealth Contract;
  - an operator of a residential tenancy database, such as a real estate agency;
  - a credit reporting body;
  - a reporting entity for the purposes of the AML Act, including but not limited to:
    - financial services, gambling services, dealers in precious metals or stones like jewellers, digital currency exchange providers or money transfer services;
    - legal practitioners;
    - accountants;
    - conveyancers;
    - real estate professionals; and
    - trust and company service providers;
  - employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009 (Cth), such as unions, the Australian Retail Council or Hair and Beauty Australia;
  - a business that the Privacy Act covers;
  - a credit reporting business;
  - a business that has opted in to be covered by the Privacy Act; and
  - a business accredited under the Consumer Data Right system, including but not limited to the banking sector and energy sector;
- any other business that is covered by the Privacy Regulation 2013 (Cth) (Privacy Regulations) not mentioned above; and
- Australian Government agencies.
If your business is covered by the Privacy Act, the Australian Privacy Principles (APPs) and Privacy Guidelines apply, including obligations under the AML Act and some other specific matters, like the handling of an individual’s tax file number information.
What changes are coming and when?
- AML Act requirements – 1 July 2026
From 1 July 2026, AML obligations will apply to the following services (in addition to banks and other designated services that have previously been required to comply with the AML Act):
- real estate professionals – such as real estate agents, buyer’s agents and property developers;
- conveyancers;
- dealers in precious metals, stones and products, like jewellers;
- lawyers;
- accountants; and
- trust and company service providers.
- Privacy Amendment Obligations – 10 December 2026
From 10 December 2026, if your business:
- is an APP entity; and
- uses automated decision-making (ADM) software to assist or replace the judgement of human decision makers for decisions that:
  - involve personal information as defined in the Privacy Act; and
  - could “reasonably be expected to significantly affect the rights or interests of an individual”,
you must ensure your privacy policy and collection notice are up to date to ensure you are transparent about:
- the kinds of personal information you use in the ADM software;
- what decisions are made solely using the ADM software; and
- the kinds of decisions where ADM software performs functions substantially and directly related to making a decision.
- Biometric Information/Templating and GPS use in time clocks or in the workplace generally – An ongoing obligation
As an ongoing obligation under the Privacy Act, but a timely reminder to employers, if your business uses a time clock or human resource software that:
- stores or uses biometric information or templating of your employees, such as a facial scan, a fingerprint scan or facial recognition software where the system takes a photo of your employee’s face and processes it via a biometric template, you must ensure that:
  - your privacy policy and collection notice allow collection of the biometric information and/or templates, as they are defined as sensitive information under the Privacy Act; and
  - you obtain consent to collect the sensitive information before collection.
  It is not enough for the consent to be ‘buried’ in your policy or collection notice.
- uses GPS in your time sheet software, you must ensure you have a surveillance policy in place to govern the use of such surveillance in the workplace.
Biometric consent and GPS surveillance should be covered in your employment agreements and workplace policies to assist you with compliance. Collection of personal or sensitive information in an employment context is not covered by the employee records exception until that individual is an employee of your business. This means that any personal or sensitive information collected at recruitment or prior to employment must comply with the Privacy Act obligations if you are an APP entity.
If you require assistance with understanding or complying with your privacy obligations, reach out to our employment team on 07 4616 9831 and we can arrange a consultation to discuss your workplace needs.
This article was written by Jade Scheuerle, Senior Workplace Lawyer.
