Australian Businesses Must Disclose AI Decisions by December 2026

On 10 December 2026, new transparency obligations under the Privacy and Other Legislation Amendment Act 2024 come into effect. If your business uses personal information in automated or semi-automated decision-making — and the decision could significantly affect someone’s rights or interests — you must disclose that in your privacy policy. Not in vague terms. You need to state what personal information your software uses and what types of decisions it makes or assists with.

Most Australian SMEs have no idea this is coming. Data from the federal government’s AI Adoption Tracker, cited in an Indeed Hiring Lab analysis published this week, shows 60% of small businesses (5–19 employees) are now using AI tools. Medium businesses sit at 72%. That’s a lot of businesses that may need to comply and haven’t started preparing.

The definition is broader than most people expect. It covers any decision made by a computer program, or any decision where a computer program does something “substantially and directly related” to making the decision. That includes AI tools that assist human decision-makers — which is how most SMEs use AI today.

For trades businesses, think about: job management software that auto-assigns technicians based on skills and location. CRM tools that score or prioritise customer leads. Quoting engines that calculate prices based on historical job data. Route optimisation that determines which customers get seen first.

For professional services firms, the list is longer: accounting software that auto-categorises transactions and flags anomalies. Legal document review tools. Client risk assessment scoring. HR platforms that screen job applicants. Any tool that uses personal data to recommend, filter, or rank a decision that a human then acts on.

The test isn’t whether the software makes the final call. It’s whether the software substantially shapes the decision — and whether that decision could “significantly affect the rights or interests of an individual.” Deprioritising a customer, screening out a job applicant, adjusting a quote based on postcode history — all of these qualify.

The Privacy Act applies to businesses with annual turnover above $3 million. For trades, that’s most established businesses with five or more staff. For accounting and law firms, the threshold is rarely an issue. Health service providers and businesses that trade in personal information are caught regardless of turnover.

Non-compliance can result in infringement notices of $62,600 per offence, per Macpherson Kelley’s analysis of the legislation. For serious or repeated interference with privacy, penalties escalate to the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover. Those headline numbers are designed for large corporations. But an infringement notice, a compliance notice, or even an investigation is enough to consume weeks of management time and thousands in legal fees — for a requirement you could have met by updating a document.

First, audit your software stack. List every tool that uses personal information to make or assist a decision. Your job management platform, your CRM, your accounting software, your HR tool. If it scores, ranks, categorises, assigns, or recommends based on customer or employee data, it’s likely in scope.

Second, talk to your software vendors. Ask them: does this product use AI or automated processing to make decisions that affect individuals? What personal information does it use? Most vendors should be able to answer this by now. If they can’t, that’s a red flag worth noting.

Third, update your privacy policy. The law requires you to describe the kinds of personal information used and the kinds of decisions made. You don’t need to reveal proprietary algorithms — just be transparent about what data goes in and what decisions come out. As Jackson Walker Solicitors note in their analysis, the language should be “clear, succinct, and accessible to consumers.”

We wrote recently about the mandatory AI rules hitting government agencies in June — that covers how agencies must govern their own AI use. This December deadline is the private-sector companion: how every business explains its AI use to customers. Between the two, the regulatory landscape for AI in Australia has shifted materially in the past twelve months.

Key takeaways

Not sure which of your tools are in scope?

A short call is enough to map your AI exposure and work out what needs to change before December.