SME Privacy Breach

The small business privacy exemption is being narrowed, and your trade may be next

For years, most family businesses have run on a quiet assumption: the Privacy Act is something big companies worry about, not you. That assumption held because of the small business exemption, which lets businesses under $3 million in turnover stay outside most of the Act. The exemption hasn’t been abolished. It is being chipped away, one industry at a time, and the first group loses it on 1 July 2026.

What is actually changing

From 1 July 2026, the second tranche of Australia’s anti-money-laundering reforms brings a new set of professions into the AML/CTF regime: real estate agents, lawyers, conveyancers, accountants, and dealers in precious metals and stones. The detail that matters for privacy is the flow-on effect. Once a business becomes a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act, it has to handle personal information under the Australian Privacy Principles, even if its turnover would otherwise keep it under the small business exemption.

So the exemption now has holes in it. If you are in one of those named trades, the size of your business no longer keeps you out.

The broader question, whether the general small business exemption is removed for everyone, is still open. The Office of the Australian Information Commissioner supports removing it, and consultation is continuing, but no general start date has been set. The direction is clear even if the timeline isn’t.

What it means for you

If you are a manufacturer, wholesaler, or contractor, you are not on the 1 July list. That does not make this irrelevant to you. It tells you which way the wind is blowing. The exemption that has covered the customer database on your office computer is being removed in stages, and the policy intent is broad coverage, not a permanent carve-out for businesses your size.

The owners who get caught out will be the ones who treated “we’re too small for the Privacy Act” as a permanent fact rather than a temporary one. Most family businesses hold more personal information than they realise: customer contact lists, supplier records, staff files, payment details, years of it, often in spreadsheets and inboxes with no real control over who can see it.

There is also a transferability angle worth keeping in mind. A buyer running due diligence on your business will look at how you handle data, and weak data practices are the kind of thing that quietly knocks money off a price or stalls a deal while it gets fixed. A business that already treats customer information carefully is simply easier to hand over, whether to a buyer or to the next generation.

You don’t need to become a compliance department this week. You do need to stop assuming the exemption is forever. Knowing what personal information you hold, and where it lives, is the groundwork that makes everything that follows manageable.

Sources: Sprintlaw — Upcoming privacy changes in Australia 
