Two significant Privacy Act deadlines land on 10 December 2026. If your business collects personal data, these changes affect you. Most businesses have so far ignored the signal; by December, that neglect will cost them time and money to fix.

What’s changing in December 2026

The changes break into three categories.

Automated decision-making transparency

From December, if a system makes a decision that significantly affects a person, you must tell them it is happening, explain how the decision was made, and give them a way to request human review. This applies even if no human was involved in the individual decision. The obligation sits in updated APP 1.7, 1.8, and 1.9 under the Privacy Act.

Children’s Online Privacy Code

The code restricts how you collect data from people under 18. It requires parental consent in some cases and restricts profiling and behavioural tracking. Most Australian businesses collect some data from people under 18 through their website, newsletter, app, or customer base. This probably affects you even if you do not intentionally serve children.

Expanded OAIC enforcement powers

The OAIC can now issue compliance notices faster. Penalties have increased. Enforcement is moving from advisory to punitive. Privacy regulation in Australia is shifting from principle-based (you decide how to comply) to outcome-driven (specific results are required and the bar is measurable).

Who is affected by the Australian Privacy Act reforms 2026

The short answer is any business that collects personal data. Websites that collect email addresses. Email marketing campaigns. Payment systems. CCTV. HR systems. CRMs. Analytics tools. Cloud storage. Every one of these involves personal data and every one of them potentially triggers the new obligations.

The scope is broader than most expect. If you use Google Analytics, you are tracking people. If your CRM scores leads, you are making automated decisions. If you send different emails to different customers based on behaviour, you are profiling. If any tool in your stack segments, scores, or makes recommendations about people, you are in scope.

For businesses with multiple systems managing different parts of the customer journey, the challenge is not understanding the rules. It is mapping where all your automated decisions actually live.

What counts as automated decision-making

Most businesses do not think they use automated decision-making. Then they look closer and find it everywhere.

CRM lead scoring

If your CRM assigns a score to a lead based on their behaviour and your sales team prioritises accordingly, that is automated decision-making. The system decided to treat some leads differently. A human saw the result but did not make the decision.

Dynamic pricing and recommendations

If a customer sees a different price than another customer for the same product based on location, history, or other data, that is automated. If your website recommends products to one customer and not another, that is automated.

Email segmentation and profiling

Sending different emails to different people based on their profile counts. Content recommendation algorithms count. Any system that makes a distinction between people without explicit human intervention for each case is in scope.

HR and hiring tools

CV filtering software that screens resumes and flags candidates is automated decision-making. Loan eligibility checking, insurance pricing, and risk scoring all count. The common thread is that a system made a distinction between people without a human deciding each case individually.

What to do now: a five-step plan

  1. Map every system making decisions about people.  Include your CRM, analytics, website personalisation, email platform, payment system, and any third-party tools you integrate with. For each one, write down: what decision is being made, what data is being used, who gets notified, and who can reverse it.
  2. Review your privacy policy.  Does it explain that automated decision-making is happening? Does it explain how each system works? Does it explain how someone can request human review? If the answer to any of these is no, your policy is not compliant.
  3. Check whether children are accessing your systems.  Not just whether you intentionally serve children, but whether they could be using your website, newsletter, or app. If yes, map where data collection is happening.
  4. Audit your third-party tools.  If you use Stripe for payments, Stripe is making automated decisions about fraud on your behalf, and you are responsible for understanding what Stripe is doing. Request documentation from vendors about their automated decision-making processes. This includes HubSpot, Salesforce, Xero, and any other tool that touches customer data.
  5. Identify governance gaps.  Can you tell someone how a decision was made about them? Can you retrieve that data? Can you explain it in plain language? Most businesses cannot. That is what needs to be fixed before December.

The timeline

December seems far away. It is not. Your legal advisors are probably already thinking about this. Your vendors are working toward compliance themselves. By October, when most businesses finally take this seriously, the demand for compliance advice and system fixes will be at its peak.

The practical timeline is: now through August to complete the mapping and assessment; August through October to update policies and systems; October through December to document, test, and confirm. That is not a generous runway for a business that has not started.

Final thoughts

The December 2026 Privacy Act reforms are not a compliance exercise only for large businesses. The automated decision-making rules, the Children’s Online Privacy Code, and the expanded enforcement powers apply to any Australian business collecting personal data, regardless of size.

The businesses that get through December in good shape will not be the ones who had the most resources. They will be the ones who started the mapping early, fixed their policies before the rush, and understood what their tools were actually doing.

What are the December 2026 Privacy Act changes in Australia?

Three changes take effect on 10 December 2026 under the Australian Privacy Act. First, mandatory automated decision-making transparency obligations requiring businesses to disclose when AI or algorithmic systems make decisions about individuals. Second, the Children’s Online Privacy Code restricting data collection from people under 18. Third, expanded enforcement powers for the OAIC, including faster compliance notices and higher penalties.

What is automated decision-making under the Australian Privacy Act?

Under the updated APP 1.7, 1.8, and 1.9, automated decision-making refers to any system that makes a decision significantly affecting an individual without a human making the decision for each case individually. This includes CRM lead scoring, dynamic pricing, email segmentation, CV filtering software, algorithmic product recommendations, and risk scoring tools. If a system treats one person differently from another based on their data, it is likely in scope.

Does the Australian Privacy Act 2026 apply to small businesses?

The automated decision-making and Children’s Online Privacy Code obligations apply to APP entities, which includes most businesses with an annual turnover above 3 million dollars, as well as certain smaller businesses that handle sensitive data or trade in personal information. Businesses below the turnover threshold may still be affected if they handle health information or operate under a sector-specific code. The OAIC guidelines should be consulted to confirm applicability to your specific business.

What does my business need to do to comply with the 2026 Privacy Act reforms?

The core steps are: map every system in your business that makes decisions about people; review and update your privacy policy to disclose automated decision-making and explain how to request human review; check whether children are accessing your systems; audit third-party tools like payment processors and CRMs to understand their automated processes; and identify gaps in your ability to explain decisions to individuals. The OAIC has published guidance on APP 1 requirements that covers the specific disclosure obligations.

When do the Australian Privacy Act 2026 reforms take effect?

The automated decision-making transparency obligations and the Children’s Online Privacy Code both take effect on 10 December 2026. Businesses should aim to complete their systems mapping and policy updates by October 2026 to allow time for testing and documentation before the deadline.

What is the Children’s Online Privacy Code in Australia?

The Children’s Online Privacy Code is a new code taking effect in December 2026 that restricts how businesses collect, use, and disclose data relating to people under 18. It requires parental consent in certain cases and restricts behavioural profiling of minors. The code applies to businesses that intentionally serve children and, in some cases, to businesses whose services are accessible to children even if not specifically designed for them.

What are the penalties for non-compliance with the Privacy Act reforms in 2026?

The 2026 reforms expand OAIC enforcement powers, including the ability to issue compliance notices more quickly and impose higher civil penalties. Serious or repeated breaches of the Privacy Act can attract penalties in the millions of dollars for organisations. The reforms represent a shift from advisory enforcement to punitive enforcement, meaning the OAIC is expected to act more quickly and more decisively than it has historically.
