← Field Notes
·11 July 2026·4 min read

From December, Every AI Decision About a Client Needs Disclosure

The Privacy Act now requires disclosure of automated decision-making by December 10. Your CRM, AI phone agent, and quoting tools are likely in scope.

If any software in your business makes or substantially assists a decision about a client — and uses their personal information to do it — you must disclose that in your privacy policy by 10 December 2026. That is five months from today.

The Privacy and Other Legislation Amendment Act 2024 introduced a new automated decision-making (ADM) transparency obligation under Australian Privacy Principle 1. The OAIC published its consultation paper on 18 May 2026, closed submissions on 15 June, and will release final guidance by September. The obligation is not proposed or pending. It is law. The only question is whether your business is ready.

For the hundreds of thousands of Australian businesses now adopting AI tools — the phone agents, scheduling platforms, CRM systems, and quoting software we have written about all year — this is the compliance layer that follows the adoption. The technology is working. Now the regulator wants to know you are telling clients about it.

The disclosure requirement applies when three conditions are met simultaneously. First, you have arranged for a computer program to make, or do something substantially and directly related to making, a decision about an individual. Second, that decision could reasonably be expected to significantly affect the individual's rights or interests. Third, personal information about the individual is used in the operation of that program.

The OAIC interprets 'computer program' broadly. It includes AI and machine learning, pre-programmed rule-based processes, generative AI tools like chatbots, and even algorithmic formulas your business may have used for years. This is not limited to sophisticated AI. A scoring formula in a spreadsheet that determines client priority could be in scope if it uses personal information and significantly affects the client.

For trades businesses, think: an AI phone agent that decides whether a caller gets booked or told you are at capacity. An AI scheduling tool that prioritises certain clients over others based on their history. An automated quoting system that adjusts pricing using client data. For professional services firms: CRM platforms that score leads, AI tools that triage client requests, or automated systems that determine service levels.

10 Dec

Disclosure deadline

Privacy and Other Legislation Amendment Act 2024

100K+

Professional services firms newly under Privacy Act

Via AML/CTF Tranche 2 from 1 July 2026

$50M

Maximum penalty for serious interference

Or 30% of turnover — whichever is greater

This is not a future threat. In January 2026, the OAIC commenced its first privacy policy compliance sweeps — a targeted review of approximately 60 businesses across six industries including real estate agents, pharmacies, and car dealerships. They checked whether privacy policies met the existing APP 1 requirements. The ADM obligation adds a new layer to what those policies must contain.

Penalties for non-compliant privacy policies reach $66,000 per breach at the administrative end. For serious or repeated interference with privacy, the maximum is the greater of $50 million, three times the benefit obtained, or 30 per cent of adjusted turnover. The OAIC has flagged automated decision-making as a priority area following the December 2026 commencement.

For professional services firms, the timing compounds. Accountants, lawyers, conveyancers, and real estate agents lost the small business exemption on 1 July 2026 via AML/CTF Tranche 2. We covered those obligations ten days ago. Those 100,000-plus businesses are now APP entities — meaning the December ADM transparency requirement applies to them too, regardless of turnover. Two major compliance obligations landing within six months of each other.

The requirement is transparency, not prohibition. Nobody is telling you to stop using AI. You need to update your privacy policy to disclose three things: the kinds of personal information used in your automated systems, the kinds of decisions made solely by computer programs, and the kinds of decisions where programs do things substantially related to making the decision. That is it.

Start by mapping every tool in your business that touches client data and could affect their experience or rights. Your AI phone agent. Your CRM lead scoring. Your scheduling algorithm. Your automated quoting. Your chatbot. For each one, document what personal information it uses and what decisions it makes or assists. The OAIC guidance in September will clarify edge cases, but the mapping exercise is the same regardless.

Then update your privacy policy before 10 December. If you do not currently have a privacy policy — and many small businesses with new Privacy Act obligations do not — you need one. This is an admin leverage problem that a well-structured compliance workflow solves once. Build it right and it updates as you add new tools, rather than requiring a fresh audit every time.

Key takeaways

From 10 December 2026, every APP entity using automated decision-making must disclose it in their privacy policy — including what personal information is used and what decisions are made or assisted by computer programs.
The OAIC interprets 'computer program' broadly: AI, machine learning, rule-based systems, chatbots, and even spreadsheet formulas that score or classify clients are potentially in scope.
100,000-plus professional services firms became APP entities on 1 July 2026 via AML/CTF Tranche 2. The December ADM disclosure deadline is their second major compliance obligation in six months.
The OAIC commenced privacy policy compliance sweeps in January 2026 and has flagged ADM as a priority. Penalties reach $50 million or 30 per cent of turnover for serious interference.

Sources

OAIC — Consultation on Guidance for Transparency in Automated Decision Making (May 2026)

Allens — Automated decision-making transparency: What APP entities need to know (June 2026)

OAIC — Privacy compliance sweep to put privacy policies under the spotlight (January 2026)

Assumptions & methodology
  1. The automated decision-making transparency obligation was introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth), which passed Parliament in late 2024. The ADM provisions commence 10 December 2026 under section 2 of the Act.
  2. The three-limb test (computer program making/assisting a decision, significant effect on rights/interests, personal information used) is from sections 187J and 187K of the amended Privacy Act 1988 as described in the OAIC's May 2026 Issues Paper and confirmed by Allens' June 2026 analysis.
  3. The OAIC's broad interpretation of 'computer program' — including pre-programmed rule-based processes, AI and machine learning, generative AI tools, and simple algorithmic formulas — is from the OAIC's Issues Paper published 18 May 2026 as reported by Allens in their June 2026 analysis of the APP 1 amendments.
  4. The 100,000-plus professional services firms figure and their loss of the small business exemption via AML/CTF Tranche 2 (effective 1 July 2026) is from AUSTRAC's published estimates and multiple legal analyses confirming these businesses became APP entities on that date.
  5. The OAIC's January 2026 compliance sweep covered approximately 60 businesses across six industries (real estate, pharmacies, licensed venues, car rental, car dealerships, pawnbrokers). The $66,000 per-breach administrative penalty and $50 million maximum penalty are from the Privacy Act 1988 penalty provisions as amended.
  6. The OAIC consultation on ADM guidance opened 18 May 2026 and closed 15 June 2026. Final guidance is expected by September 2026, per the OAIC's published timeline.

Next

Nearly Two Million Tradies Work Without a Desk. AI Just Caught Up.

Read →

Field Notes are general commentary on AI trends for Australian businesses. They don’t constitute professional advice. Talk to your accountant, lawyer, or IT adviser before acting on anything specific to your situation — or talk to us if you want help working out where AI fits.

Don't miss the next one

Get each new Field Note in your inbox as it publishes — short, practical AI intelligence for Australian business owners.

Not sure which of your AI tools trigger the new disclosure?

Book a call and we will map your tools against the three-limb test, identify what needs disclosing, and help you build a privacy policy that covers your current stack and scales as you add new AI capabilities.

Book a call →