The Privacy Act Is No Longer a Law You Can Ignore
For decades, most Australian small and medium businesses treated the Privacy Act 1988 as background noise — a law written for banks, telcos, and government departments. That era is over.
Three waves of reform have changed the landscape:
- The 2022 amendment raised the maximum penalty for serious or repeated privacy breaches to $50 million or 30% of turnover, whichever is greater. Privacy went from a slap on the wrist to a company-ending risk overnight.
- The Privacy and Other Legislation Amendment Act 2024 — "tranche 1" of the government's reform program — gave the regulator, the Office of the Australian Information Commissioner (OAIC), sharper enforcement tools, including new penalty tiers and infringement notices for less serious breaches. No more "only the mega-breaches get punished."
- Since June 2025, a statutory tort for serious invasions of privacy is in force. For the first time, individuals can sue a business directly for intentional or reckless invasions of their privacy — no regulator required.
And a second tranche of reforms is on the way, expected to touch the two things SMB marketers have quietly relied on: the small business exemption and the loose rules around how personal information gets used for marketing.
If you run marketing for an Australian business — ads, email, lead generation, analytics — this guide covers what's already law, what's coming, and what to change now.
Why This Matters Right Now
Here's the honest version: the OAIC is not about to raid your local plumbing business over a Facebook pixel. But three things have genuinely changed the risk calculation for SMB marketing.
The penalties are real. Up to $50 million or 30% of turnover for serious or repeated interferences with privacy. Even the new mid-tier penalties for lesser breaches are far beyond what most SMBs could absorb.
Individuals can now sue you. The statutory tort in force since June 2025 means a person who suffers a serious invasion of privacy — say, their sensitive data was collected and shared for ad targeting in a way they never agreed to — can take you to court directly. Your privacy exposure is no longer just "will the regulator notice?"
The regulator has moved from education to enforcement. The OAIC has published targeted guidance for advertisers (including specific guidance on tracking pixels), and the 2024 reforms handed it the ability to issue compliance notices and on-the-spot infringement notices instead of relying solely on lengthy court proceedings.
For most Australian SMBs, though, the biggest risk isn't a fine. It's trust. Customers increasingly expect businesses to handle their data properly, ad platforms are tightening their own data rules in parallel, and being publicly named in a privacy investigation does more damage than any penalty.
The Small Business Exemption: Don't Bet Your Marketing on It
Right now, most businesses with an annual turnover of $3 million or less are exempt from the Privacy Act. If that's you, you might be tempted to stop reading. Don't. Three reasons:
- The exemption is on the chopping block. The government has agreed in principle to remove the $3M small business exemption, and it's expected to be part of tranche 2 of the reforms. It's not law yet and there's no confirmed date — but the direction is clear, and rebuilding your data practices takes far longer than a transition period.
- The exemption already has holes. Businesses that trade in personal information, health service providers, and several other categories are covered regardless of turnover. And from 1 July 2026, businesses caught by the new anti-money laundering (AML/CTF) reporting rules must handle personal information in line with the Australian Privacy Principles for those purposes — even if they'd otherwise be exempt.
- The Spam Act has no small business exemption. The rules governing email and SMS marketing (more below) apply to every business in Australia, from day one, at any turnover.
Our advice: build your marketing as if the Privacy Act fully applies to you. If it doesn't yet, you lose nothing. When it does, you're already done.
What This Means for Data Collection
The Australian Privacy Principles (APPs) — the 13 rules at the heart of the Privacy Act — set the baseline for how covered businesses collect personal information. Two of them matter most for marketers:
- Collect only what you reasonably need. That 14-field lead form asking for date of birth and home address to send a quote? Each field you collect is now a liability, not an asset. Trim forms to what the transaction actually requires.
- Tell people what you're doing. When you collect personal information, you're expected to notify people about who you are, why you're collecting it, and who it may be disclosed to — usually via a collection notice and a privacy policy that reflects reality, not a template from 2015.
In practice, for a typical SMB marketing operation:
- Lead forms and lead magnets are fine — they're direct, transparent collection. Just say what you'll do with the details ("we'll email you the guide and occasional tips — unsubscribe anytime") and honour it.
- Buying lists and scraping contact data is where the risk concentrates. You're acquiring personal information the person never gave you, for a purpose they never anticipated. Between the Privacy Act, the Spam Act, and the statutory tort, third-party data is the most legally fraught asset in Australian marketing.
- "We've always had this database" is not a strategy. If you can't say where a contact came from, you can't demonstrate you're allowed to market to them.
What This Means for Ad Targeting
Remarketing and Tracking Pixels
Standard remarketing — showing ads to people who visited your own website — remains legal. But the OAIC published specific guidance on third-party tracking pixels in late 2024, and it puts the responsibility squarely on you, the business deploying the pixel, not on Google or Meta:
- You're expected to do due diligence — understand what data your pixels actually send to the ad platform, not just paste the code and forget it.
- Data minimisation is the standard. Configure pixels to collect the minimum needed. Don't pass form field contents, health information, or financial details through a pixel because "it was on by default."
- No set-and-forget. The OAIC expects periodic review of tracking technologies as your site and the platforms change.
Practical translation: audit your GTM container. Most SMB sites accumulate years of tags nobody remembers installing. Know what fires, what it sends, and why.
Customer Match and Custom Audiences
Uploading email lists to Google Ads (Customer Match) or Meta (Custom Audiences) means disclosing personal information to a third party for marketing. If your list is first-party — people who gave you their details directly and were told marketing was part of the deal — you're on solid ground. If the list was purchased, scraped, or "inherited" from somewhere you can't document, uploading it multiplies your exposure: questionable collection and questionable disclosure.
The rule of thumb: only upload audiences you could comfortably explain to the people on them.
Sensitive Audiences
Health conditions, religious beliefs, sexual orientation, political views — this is "sensitive information" under the Privacy Act and gets the strictest treatment, generally requiring consent. If your targeting or your pixel data effectively reveals sensitive attributes (a fertility clinic's remarketing list, for instance), treat it as high-risk and get specific advice. The OAIC's pixel guidance singles this category out.
What This Means for Email Marketing
The Spam Act Is Still the Front Line
Day to day, email and SMS marketing in Australia is governed less by the Privacy Act than by the Spam Act 2003, enforced by ACMA — and ACMA has been the most active marketing regulator in the country, handing multi-million-dollar penalties to household-name brands in recent years. The three pillars:
- Consent. You need consent (express, or inferred from an existing relationship) before sending commercial electronic messages. Express consent — a form fill, a ticked box, a clear verbal yes — is the standard ACMA expects you to aim for, and the burden of proving it sits with you. Keep records.
- Identification. Every message must accurately identify your business and how to contact you.
- Unsubscribe. Every message needs a functional unsubscribe that doesn't require logging in or handing over more data — and you must action it within 5 business days. A large share of ACMA's enforcement actions have been for exactly this: messages sent after someone unsubscribed.
APP 7: The Privacy Act's Direct Marketing Rules
For businesses covered by the Privacy Act, APP 7 adds a second layer: personal information can generally only be used for direct marketing when the person would reasonably expect it, and every marketing communication must offer a simple, free way to opt out — which you must honour. The rules get stricter when the data came from a third party rather than the person themselves: you need consent, or at minimum a prominent statement about how they can opt out.
Notice the pattern — the law keeps drawing the same line the platforms and deliverability filters draw: data people gave you directly, for marketing they expect, is fine. Everything else is a problem.
Purchased Lists: Legally Fraught, Commercially Worse
Buying an email list in Australia today means: consent you can't prove (Spam Act problem), collection the person never knew about (Privacy Act problem), and a first touch that reads "a company you've never heard of bought your data" (deliverability and brand problem). Even before the reforms, purchased lists underperformed; now they combine poor ROI with genuine legal exposure.
The alternative is the boring one that works: build your own list with lead magnets, useful content, and campaigns that capture intent. Our complete guide to lead generation in Australia covers the first-party playbook end to end.
What This Means for Analytics and AI Tools
Analytics feels harmless — it's aggregate, right? Mostly, but two developments deserve attention:
- Analytics tools are tracking technologies too. The same OAIC expectations apply: know what your analytics setup collects, turn off features that capture more personal information than you need (like recording form inputs in session replay tools), and make sure your privacy policy actually describes what's running on your site.
- Automated decision-making transparency arrives 10 December 2026. Under the 2024 Amendment Act, businesses covered by the Privacy Act must disclose in their privacy policy when they use computer programs to make decisions that could significantly affect someone's rights or interests. Routine ad targeting won't usually meet that bar — but automated eligibility decisions, AI-driven pricing, or lead scoring that decides who gets access to a service or offer may. If you're deploying AI in your funnel, put this date in your calendar.
One structural point worth making: the more your marketing stack runs on tools you control, the easier compliance gets. This is part of why we build custom Mini SaaS tools for clients instead of stitching together a dozen third-party trackers — when your lead capture, quoting, and follow-up run on your own system, you know exactly what data is collected, where it lives, and who can see it. Compliance stops being an audit of strangers' software.
Quick Reference: Common Marketing Activities Under the Current Rules
| Marketing Activity | Main Rules in Play | Where You Stand |
|---|---|---|
| Remarketing to your own website visitors | Privacy Act (APPs), OAIC pixel guidance | Fine — with a pixel audit and an accurate privacy policy |
| Customer Match / Custom Audiences from your own list | APPs (use & disclosure) | Fine if first-party and people expected marketing |
| Uploading purchased or scraped lists to ad platforms | APPs, platform policies | High risk — don't |
| Email to people who opted in on your site | Spam Act, APP 7 | Fine — keep consent records, honour unsubscribes in 5 business days |
| Cold email to purchased lists | Spam Act, APPs | Consent problem + collection problem — effectively dead |
| Lead forms and lead magnets | APPs (collection & notification) | Fine — collect only what you need, say what you'll do |
| Session replay / analytics capturing form inputs | APPs, OAIC guidance | Risky by default — configure for data minimisation |
| Targeting based on health, religion, or other sensitive traits | APPs (sensitive information) | Strictest rules — consent territory, get advice |
| AI lead scoring that gates access to offers or services | APP 1 automated decision-making rules (from 10 Dec 2026) | Disclose in your privacy policy |
The pattern across the whole table: first-party data, collected transparently, used the way people expect — fine. Third-party data and silent tracking — increasingly untenable.
The Privacy Compliance Checklist for Australian Marketers
Work through this over a couple of weeks. None of it requires a law degree.
1. Map Your Data
- List every place personal information enters your business (forms, ads, phone, partners, tools)
- Mark each source as first-party (person gave it to you) or third-party (you got it elsewhere)
- Delete or quarantine contacts whose source you can't identify
2. Audit Your Ad Stack
- Open your GTM container and account for every tag, pixel, and script
- Check what data each pixel actually sends (especially on form and checkout pages)
- Confirm every Customer Match / Custom Audience list is built from first-party data
- Remove any audience or tag you can't explain
3. Fix Your Email Practice
- Verify you hold provable consent for everyone on your marketing list
- Test your unsubscribe flow — it must work without a login and take effect within 5 business days
- Check every template identifies your business correctly
- Stop any purchased-list or scraped-data outreach
4. Update Your Privacy Policy
- Rewrite it to describe what you actually collect and which tools you actually use
- Cover remarketing, analytics, and any data shared with ad platforms
- Explain how people can access, correct, and opt out
- Diarise 10 December 2026 if you use automated decision-making
5. Vet Your Tools and Partners
- Review data-sharing arrangements with referral partners and lead sources
- Check where your CRM, email platform, and analytics tools store data and what they do with it
- Prefer tools that let you configure data minimisation — and switch those settings on
6. Prepare for What's Coming
- If you're under the $3M exemption, plan to comply anyway — tranche 2 is expected to remove it
- Watch for the "fair and reasonable" test flagged for tranche 2 — it would judge data use by expectations, not fine print
- Nominate one person to own privacy — most SMB failures are nobody's-job failures
What Growin Is Doing About It
We publish real campaign performance data on this website because transparency builds trust — and the direction of Australian privacy law validates that approach at a legal level.
For our clients across Australia and New Zealand:
- We build campaigns on first-party data and direct search intent — people actively looking for what you sell. No purchased lists, no cold outreach with third-party data, ever.
- We audit the tracking setup in every client's ad account and website so every pixel and conversion tag is doing exactly what it should — and nothing more.
- We keep Customer Match lists first-party only, built from people who gave their details directly.
- We design lead capture that collects the minimum needed to qualify and follow up — which happens to convert better too.
- We publish plain-English guidance (like this article) so clients understand what's changing and why.
The honest summary: if your marketing is built on first-party data and genuine intent, these reforms barely touch you. They mostly outlaw the tactics that already didn't work.
Frequently Asked Questions
Does the Privacy Act require consent before I collect someone's details?
Not in most marketing situations — the APPs are built around collecting what's reasonably necessary and notifying people, not blanket consent. Consent becomes essential for sensitive information (health, religion, and similar) and for email/SMS marketing under the Spam Act, which is a separate consent-based regime.
My turnover is under $3 million — does any of this apply to me?
The Spam Act applies to you fully, right now — consent, identification, and unsubscribe rules have no small business exemption. The Privacy Act mostly doesn't (unless you're in an already-covered category, or handling data under the new AML/CTF rules from 1 July 2026), but the exemption's removal is expected in tranche 2 of the reforms. Comply now and the transition costs you nothing.
What is the statutory tort, and should marketers actually care?
Since June 2025, individuals can sue directly for serious invasions of privacy that are intentional or reckless. Ordinary marketing mistakes won't qualify — but knowingly using data people never agreed to share, or recklessly exposing sensitive information through tracking, is exactly the territory it was written for. It changes who can come after you: not just the regulator, but the person in the data.
Can I still use Google Ads remarketing?
Yes. Remarketing to your own site visitors is legal — the OAIC's concern is how pixels are configured. Do a pixel audit, minimise what's collected, describe it accurately in your privacy policy, and review it periodically rather than setting and forgetting.
Can I still upload Customer Match lists?
Yes, if the list is first-party — built from people who gave you their details directly in a context where marketing was a reasonable expectation. Don't upload purchased, scraped, or unattributable lists.
What are the actual penalties?
For serious or repeated privacy interferences: up to $50 million or 30% of turnover, whichever is greater, under the 2022 amendment. The 2024 Act added lower penalty tiers and infringement notices so the OAIC can act on smaller breaches too. Separately, ACMA has issued multi-million-dollar penalties under the Spam Act — historically the more active enforcement risk for SMB marketers.
What happens on 10 December 2026?
The automated decision-making transparency rules from the 2024 Amendment Act take effect. If a computer program makes decisions that could significantly affect people's rights or interests — automated eligibility, AI-driven pricing, lead scoring that gates access to services — your privacy policy must disclose it.
When is tranche 2 coming, and what will it change?
The government has confirmed it's progressing tranche 2 but hasn't set a timeline as of mid-2026. The expected headline items for marketers: removal of the $3M small business exemption and a "fair and reasonable" test for how personal information is collected and used — meaning data practices would be judged against what people would reasonably expect, regardless of what your terms and conditions say.
Is this Australia's GDPR?
Directionally similar, structurally lighter — for now. The APPs are principles-based rather than consent-based, and there's no general requirement for cookie banners or lawful-basis assessments. But each reform wave moves closer to international standards, and the proposed fair-and-reasonable test would be a significant step in that direction. Building GDPR-grade data hygiene now is a reasonable bet.
Does any of this cover SMS and phone marketing?
SMS marketing sits under the same Spam Act rules as email: consent, identification, and a working opt-out. Telemarketing calls are governed by the Do Not Call Register. Same principle across every channel — permission first.
Get Ahead of It
None of this is cause for panic. If your marketing already runs on first-party data — people who found you, gave you their details, and expect to hear from you — Australia's privacy reforms mostly confirm you built it right.
But if any part of your funnel relies on purchased data, mystery lists, or tracking nobody has looked at in years, fix it now, while it's a tidy-up rather than an enforcement response. The reform program isn't finished: the small business exemption is expected to go, the fair-and-reasonable test is coming, and the December 2026 automated decision-making deadline is already fixed.
The businesses that come out ahead will treat this the way they'd treat any structural market shift: clean up early, build direct customer relationships, and turn "we handle your data properly" into a selling point.
Not sure where your marketing stands? Book a free compliance check with our team. We'll audit your data sources, your pixels, and your email practice, flag anything risky, and give you a clear action plan — usually inside a week.


