Blogbox

Policy

Privacy reform comes for the corner store: Tranche 2 and the SMB exemption

Australia's small-business exemption from the Privacy Act has been a quirk for a quarter of a century. Tranche 2 reforms remove it. The operational shift is larger than most small business owners think.

By Tom Nguyen , Policy correspondent · 5 min read
A large shield with a keyhole, rendered in paper and ink on a dark field
The exemption under the Privacy Act for businesses under $3m in turnover has existed since 1988. It is now scheduled for removal. · Blogbox illustration

The Australian Privacy Act 1988 has, for most of its life, left the majority of the country’s small businesses alone. The exemption for businesses with annual turnover under $3 million meant that a dentist, a corner cafe, or a four-person e-commerce store operated outside the reach of the Australian Privacy Principles. That exemption has been a quirk of the Australian privacy regime that no other comparable jurisdiction has retained.

Tranche 2 of the reform programme, which Attorney-General Mark Dreyfus committed to in September 2023 and which the Attorney-General’s Department flagged for legislative action in 2025-26, removes it.

The reform is not in force as at the time of writing. It is, however, close enough to force that every small business in Australia should be preparing for it. The Privacy and Other Legislation Amendment Act 2024 (Royal Assent 10 December 2024) already delivered tranche 1: a statutory tort for serious invasions of privacy, doxxing offences, and strengthened Office of the Australian Information Commissioner enforcement powers including tiered civil penalties.

The penalties, stated

The civil penalties sharpened by tranche 1 now reach $50 million for body corporates, or 30 per cent of adjusted turnover, or three times any benefit obtained, whichever is greater. Those numbers are not aimed at small business in their upper bound, but they are not small-business-proofed in their lower bound either.

Privacy Commissioner Carly Kind publicly stated in 2025 that the small-business exemption is “out of step with consumer expectations.” That is the regulator signalling, through the appropriate channels, that the exemption is ending.

$ 3 m
The turnover threshold below which Australian businesses have been exempt from the Privacy Act for 25 years. On the current reform trajectory, gone.

Why the exemption is less protective than it looked

The practical effect of the small-business exemption has never been as clean as the statute suggests. Any small business that handles health information, runs a residential tenancy database, or provides contracted services to an exempted category is already in the Act. Over time, those carve-outs have pulled most retail-adjacent and services businesses within the APPs regardless.

The removal of the exemption therefore affects the remaining unambiguously-exempt category: the single-owner services businesses, the small e-commerce operators, the category of business that has genuinely operated outside the Act.

For that category, the shift is larger than most owners expect. The APPs require, among other things: documented privacy policies, a transparent data-collection notice at point of collection, lawful purpose and consent for sensitive information, a process for responding to data-access requests, breach notification within 30 days for incidents above the seriousness threshold, and defined retention and deletion protocols.

Most small businesses in the exempt category have none of those in writing.

527 breaches across the six months, with health and finance leading. The pattern will not change when the small-business exemption ends. The reporting obligation will.

OAIC Notifiable Data Breaches Report, Jan-Jun 2025

The cost, in operational terms

The real cost of this reform for small business is not fines. Most small businesses will never face a penalty at the statutory ceiling; the OAIC’s practice is to enforce through determinations and undertakings, not body-corporate fines.

The real cost is the operational retrofit.

  • CCTV on premises. An Australian cafe, retailer or trades business with security CCTV will, post-reform, need a documented CCTV policy, a notice at the entrance, a retention schedule, and a process for responding to subject-access requests in relation to the footage.
  • Customer databases. Any business running an email list, loyalty program or appointment system will need a privacy policy that describes what data is held, where it is stored, who it is shared with, and how to request deletion.
  • Employee records. The employee-record exemption remains contested; the shape of its replacement is not yet settled. But small employers should not assume HR data falls outside the regime.
  • Service-provider contracts. Contracts with the platforms and software providers that hold small-business customer data will need to include data-handling terms that most small businesses do not currently read, let alone negotiate.

The Council of Small Business Organisations Australia and the Australian Small Business and Family Enterprise Ombudsman both called through 2024-25 for a transition period of at least 24 months, with templated compliance guidance. Whether the government accepts those calls will determine how disruptive the reform is in practice.

The likely timeline

On the current trajectory, tranche 2 legislation could be introduced through 2026-27, with a commencement date in 2027 or 2028. That is a year or more away from binding small businesses. It is also short enough that the operators who move early will be operating inside the regime before their competitors are aware of it.

The small business owners I have spoken to through the early months of 2026 fall into two groups. The first has heard of the reform but not read anything about it. The second has started. The second group is small. It is also the group whose 2028 will look different.

The reasonable preparation

The three things a small business can do now, before any specific commencement date, are modest:

  1. Write a plain-English privacy policy describing what customer data the business collects and what it does with it. Publish it. Most customers will not read it. Regulators will.
  2. Review the service providers holding customer data. Check whether their standard terms allow use of that data for purposes the business would not agree to.
  3. Establish a process, even a simple one, for responding to a customer who asks what data the business holds about them. The process does not have to be sophisticated. It has to exist.

These are small interventions. They are also, for most of the businesses that will be inside the regime by 2028, the ones that will be least costly to implement now, and most costly to implement under time pressure later.

The exemption has outlasted several governments. It will not outlast this reform programme.