
Quick Answer: The Australian Privacy Act 1988 governs how organisations collect, use, store, and disclose personal information. It applies to most Australian Government agencies and private sector organisations with an annual turnover above AUD $3 million, though many smaller entities are also captured. The Act's 13 Australian Privacy Principles (APPs) form the operational backbone of compliance, and recent 2026 amendments have significantly increased penalties and enforcement powers.
Key Takeaways
- The Privacy Act 1988 is administered by the Office of the Australian Information Commissioner (OAIC) and applies to "APP entities", most federal agencies and qualifying private organisations.
- The 13 Australian Privacy Principles cover the full data lifecycle: collection, use, disclosure, quality, security, and individual access rights.
- Maximum civil penalties for serious or repeated breaches have been significantly increased under recent amendments, aligning Australia closer to GDPR-level enforcement [4].
- The Notifiable Data Breaches (NDB) scheme requires affected entities to notify both the OAIC and impacted individuals when a breach is likely to cause serious harm [5].
- A statutory tort for serious invasions of privacy was introduced under the Privacy and Other Legislation Amendment Act 2024, giving individuals a direct legal remedy [4].
- Automated decision-making transparency requirements take effect on 10 December 2026, requiring APP entities to disclose how algorithms affect individuals [1].
- A draft Children's Online Privacy Code was released on 31 March 2026, with enforcement slated for December 2026 [2].
- The OAIC ruled in June 2026 that health providers using third-party tracking pixels without consent breached the Privacy Act [3].
- Small businesses under the $3 million turnover threshold may still be covered if they handle health information, trade in personal data, or provide certain contracted services.
- A privacy policy is legally required for all APP entities and must meet specific content standards under APP 1.
What Are the Australian Privacy Principles and How Do They Work
The 13 Australian Privacy Principles (APPs), set out in Schedule 1 of the Privacy Act 1988, are the primary rules governing how APP entities handle personal information. Each principle addresses a distinct phase or aspect of data handling, and non-compliance with any one of them can trigger regulatory action.
The APPs are grouped into five functional clusters:
| Cluster | APPs Covered | Focus Area |
|---|---|---|
| Consideration of personal information privacy | APP 1-2 | Open management, anonymity |
| Collection of personal information | APP 3-4 | Lawful collection, unsolicited data |
| Dealing with personal information | APP 5-8 | Notification, use, disclosure, overseas transfer |
| Integrity of personal information | APP 9-10 | Quality, security |
| Access and correction | APP 11-13 | Identifiers, access, correction |
How they work in practice: An organisation collecting a customer's email address must comply with APP 3 (only collect what is necessary), APP 5 (notify the individual of the collection), APP 6 (only use it for the primary purpose unless an exception applies), and APP 11 (keep it secure). Violating any of these in isolation constitutes a breach.
Who Has to Comply with the Australian Privacy Act
The Privacy Act applies to "APP entities," which include Australian Government agencies and private sector organisations with an annual turnover above AUD $3 million. However, the threshold is not the only trigger.
Organisations below $3 million turnover are still covered if they:
- Handle health information for a fee
- Trade in personal information (buying or selling data)
- Are a contracted service provider to the Australian Government
- Operate a residential tenancy database
- Are related to a body corporate that is itself covered
Edge case: A startup earning $800,000 annually that sells user data to a third-party analytics firm is almost certainly covered, regardless of its turnover.
What Counts as Personal Information Under Australian Privacy Law
Personal information is any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not. This is a broad, technology-neutral definition.
Examples that qualify:
- Full name, date of birth, address, phone number
- IP addresses and device identifiers (in many contexts)
- Health records, financial details, biometric data
- Photographs and voice recordings
- Opinions about a person (even if false)
Sensitive information is a subset carrying higher protections and includes health data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and criminal records. Collecting sensitive information generally requires explicit consent.
How Do I Know If My Business Needs to Follow the Australian Privacy Act
Start with the turnover test: if your Australian business has an annual turnover above AUD $3 million, you are almost certainly an APP entity. If you fall below that threshold, check the category-based triggers listed above.
Decision rule:
- Turnover above $3M: covered, full stop.
- Turnover below $3M but you handle health records, sell data, or hold a government contract: covered.
- Turnover below $3M, none of the above: likely exempt, but review the OAIC's full exemption list before assuming so.
Note that state and territory privacy laws may impose additional obligations not covered by the federal Act, particularly in New South Wales, Victoria, and Queensland.
What's the Difference Between the Privacy Act and the APPs
The Privacy Act 1988 is the overarching federal legislation. The Australian Privacy Principles are the specific, enforceable rules that sit within that legislation and tell organisations exactly what they must and must not do with personal information.
Think of the Privacy Act as the statute and the APPs as its operational rulebook. An organisation "complies with the Privacy Act" by meeting all 13 APPs, among other obligations such as the NDB scheme and the forthcoming automated decision-making requirements [1].
What Are the Penalties for Breaking the Australian Privacy Act
Penalties have escalated substantially. For serious or repeated interferences with privacy, the maximum civil penalty for a body corporate is the greater of: AUD $50 million; three times the value of the benefit obtained; or 30% of the entity's adjusted turnover during the breach period [4][5].
For individuals, the maximum civil penalty for serious breaches is AUD $2.5 million. The OAIC also has expanded investigation and enforcement powers, including the ability to conduct own-motion investigations and accept enforceable undertakings [4].
The 2024 amendments also introduced a statutory tort for serious invasions of privacy, allowing affected individuals to sue directly in court without first going through the OAIC [4].
How Do I Handle a Data Breach Under Australian Privacy Law
Under the Notifiable Data Breaches (NDB) scheme, an APP entity that experiences an "eligible data breach" must notify the OAIC and affected individuals as soon as practicable [5]. An eligible data breach is one that is likely to result in serious harm to any of the individuals whose information was involved.
Response steps:
- Contain the breach immediately (revoke access, isolate affected systems).
- Assess whether the breach meets the "likely serious harm" threshold.
- If yes, notify the OAIC by submitting a statement via the OAIC's online portal.
- Notify affected individuals directly, including the nature of the breach and recommended protective steps.
- Review and remediate the vulnerability that caused the breach.
Common mistake: Delaying notification while conducting a lengthy internal investigation. The Act does not permit indefinite assessment periods, if serious harm is likely, notify promptly.
What Rights Do Australians Have Under the Privacy Act
Australians have several enforceable rights under the APPs. APP 12 gives individuals the right to access their personal information held by an APP entity. APP 13 gives them the right to request correction of inaccurate, outdated, or incomplete information.
Additional rights include:
- The right to remain anonymous or use a pseudonym where lawful and practicable (APP 2)
- The right to know what information is collected and why (APP 5)
- The right to opt out of direct marketing (APP 7)
- The right to complain to the OAIC if rights are not respected
How to Get Your Data Deleted Under the Australian Privacy Act
The Privacy Act does not contain an explicit "right to erasure" equivalent to GDPR's Article 17. However, APP 11.2 requires organisations to destroy or de-identify personal information that is no longer needed for any purpose for which it may be used or disclosed.
Practical path for individuals: Submit a written request to the organisation's privacy officer. If the organisation refuses or fails to respond within 30 days, lodge a complaint with the OAIC. The OAIC can investigate and, if appropriate, direct the organisation to take corrective action.
How Long Can Organisations Keep Personal Data Under Australian Privacy Law
There is no single statutory retention period in the Privacy Act. APP 11.2 requires organisations to take reasonable steps to destroy or de-identify personal information once it is no longer needed. However, other laws, including the Corporations Act, tax legislation, and industry-specific regulations, impose their own minimum retention periods that take precedence.
Practical guidance: Map your data against both the Privacy Act's "no longer needed" test and any sector-specific retention mandates. Where a legal retention obligation exists, keep the data for that period and no longer.
What Should Be in a Privacy Policy Under Australian Law
APP 1.3 requires every APP entity to have a clearly expressed and up-to-date privacy policy. The OAIC is currently conducting a compliance sweep of privacy policies across industries to assess whether they meet this standard [1].
A compliant privacy policy must include:
- The kinds of personal information the entity collects and holds
- How personal information is collected and held
- The purposes for which it is collected, held, used, and disclosed
- How an individual can access and seek correction of their information
- How the entity deals with complaints
- Whether personal information is disclosed to overseas recipients, and if so, which countries
2026 update: From 10 December 2026, privacy policies must also disclose the use of automated decision-making processes that significantly affect individuals, including the types of personal information involved [1].
What's the Process for Making a Privacy Complaint in Australia
Individuals must first complain directly to the organisation involved and allow 30 days for a response before escalating to the OAIC. If the organisation does not resolve the complaint satisfactorily, the individual can lodge a formal complaint with the OAIC at no cost.
The OAIC may attempt conciliation, conduct a formal investigation, or make a determination. If a breach is found, the OAIC can order the organisation to take corrective action, apologise, or pay compensation to the complainant.
How Does the Australian Privacy Act Compare to GDPR
The Australian Privacy Act and the EU's General Data Protection Regulation (GDPR) share common goals but differ in scope, rights, and enforcement. The table below summarises the key distinctions.
| Feature | Australian Privacy Act | GDPR |
|---|---|---|
| Explicit right to erasure | No (APP 11.2 only) | Yes (Article 17) |
| Data portability right | No | Yes (Article 20) |
| Consent as primary basis | One of several bases | Central, but not exclusive |
| Max penalty (corporate) | AUD $50M or turnover-based | EUR 20M or 4% global turnover |
| Supervisory authority | OAIC | National DPAs per member state |
| Territorial reach | Australian entities primarily | Global if targeting EU residents |
Australia does not currently have an adequacy decision from the EU, meaning data transfers from the EU to Australia require additional safeguards under GDPR.
Do Small Businesses Need to Follow the Australian Privacy Act
Small businesses under AUD $3 million annual turnover are generally exempt from the Privacy Act, but the exemption has meaningful carve-outs. Any small business that handles health information, trades in personal data, or provides services under a contract with the Australian Government loses its exempt status entirely.
Choose the exempt path only if: your business is under the threshold, does not handle health data, does not sell or buy personal information, and has no government contracts. When in doubt, treating the APPs as a compliance baseline is sound risk management regardless of legal obligation.
Managing Consent and Tracking Technologies in 2026
Consent management has become a frontline compliance issue. In June 2026, the Privacy Commissioner determined that health providers Medmate Australia and Monash IVF breached the Privacy Act by deploying third-party tracking pixels that collected sensitive health information without user consent [3]. The OAIC's published report, "Your life, pixelated," sets out specific recommendations for any organisation using tracking technologies on health-related platforms [3][6].
For website operators and marketing agencies, this determination establishes a clear precedent: tracking pixels, analytics tags, and behavioural advertising tools that touch sensitive information require explicit, informed consent before activation. A consent management platform (CMP) that captures and stores consent records is no longer optional for regulated entities, it is a practical necessity. Biscotti CMP is designed to help APP entities meet these consent obligations by providing granular, auditable consent records aligned with Australian privacy requirements.
FAQ
Q: Does the Australian Privacy Act apply to foreign companies? A: Yes, if the foreign company carries on business in Australia and collects or holds personal information from Australians, the Privacy Act applies, regardless of where the company is headquartered.
Q: Is a privacy policy legally required for all businesses in Australia? A: Only for APP entities. However, businesses that are technically exempt may still benefit from having one for consumer trust and to pre-empt future regulatory changes.
Q: What is an "eligible data breach" under the NDB scheme? A: A data breach involving personal information where there is a real risk of serious harm to affected individuals, for example, unauthorised access to financial account credentials or health records.
Q: Can individuals sue organisations directly for privacy breaches? A: Since the Privacy and Other Legislation Amendment Act 2024, individuals can bring a statutory tort claim for serious invasions of privacy without going through the OAIC first [4].
Q: Are employee records covered by the Privacy Act? A: Private sector employee records held by an employer and used directly in relation to the employment relationship are generally exempt under the employee records exemption.
Q: What is the Children's Online Privacy Code? A: A draft code released by the OAIC on 31 March 2026 that will impose specific obligations on online services that collect children's data, with enforcement beginning 10 December 2026 [2].
Q: Do tracking pixels require consent under Australian law? A: Where pixels collect sensitive information (such as health data), yes, the June 2026 OAIC determination confirmed that deploying such pixels without consent breaches the Privacy Act [3].
Q: What does "automated decision-making transparency" mean from December 2026? A: APP entities must disclose in their privacy policies when computer programs make decisions that significantly affect individuals' rights or interests, including what personal information is used [1].
Q: How long does the OAIC take to resolve a complaint? A: Timelines vary. The OAIC aims to resolve straightforward complaints within 90 days, but complex investigations can take considerably longer.
Q: Is there a fee to lodge a complaint with the OAIC? A: No. Complaints to the OAIC are free of charge for individuals.
Conclusion
The Australian Privacy Act: A Guide to the APPs and Data Compliance is not a static reference, it is a living framework that has undergone its most significant transformation in decades. The 2024 and 2026 amendments have raised the stakes considerably: higher penalties, a statutory tort, mandatory automated decision-making disclosures, and a Children's Online Privacy Code all demand active compliance programs rather than passive checkbox exercises.
Actionable next steps for organisations in 2026:
- Audit your privacy policy against the APP 1.3 requirements and the OAIC's current compliance sweep criteria [1].
- Review all tracking technologies on your website and ensure explicit consent is obtained before any sensitive data is collected [3][6].
- Prepare for the December 2026 deadlines, automated decision-making disclosures and the Children's Online Privacy Code both take effect then [1][2].
- Test your data breach response plan against the NDB scheme's notification requirements [5].
- Implement a consent management solution such as Biscotti CMP to capture, store, and demonstrate consent records that satisfy Australian privacy obligations.
- Seek qualified legal advice if your organisation handles sensitive information, operates across borders, or is uncertain about its APP entity status.
Compliance is not a one-time project. The OAIC's expanding enforcement posture in 2026 makes ongoing review a business necessity.
References
[1] Australian Privacy Law Update What App Entities Need To Know In 2026 - https://www.landers.com.au/legal-insights-news/australian-privacy-law-update-what-app-entities-need-to-know-in-2026?utm_source=openai
[2] Draft Childrens Online Privacy Code Released 31 03 2026 - https://ministers.ag.gov.au/media-centre/draft-childrens-online-privacy-code-released-31-03-2026?utm_source=openai
[3] Privacy Commissioner Finds Privacy Breaches In Third Party Tracking Pixel Investigation - https://www.oaic.gov.au/news/media-centre/privacy-commissioner-finds-privacy-breaches-in-third-party-tracking-pixel-investigation?utm_source=openai
[4] Australian Privacy Act Reform - https://cybernion.com.au/insights/australian-privacy-act-reform/?utm_source=openai
[5] Privacy - https://www.ag.gov.au/rights-and-protections/privacy?utm_source=openai
[6] Australia Pixel Perfect The Regulator Addresses Use Of Tracking Pixels - https://privacymatters.dlapiper.com/2026/06/australia-pixel-perfect-the-regulator-addresses-use-of-tracking-pixels/?utm_source=openai