7 June 2026 · 4 min read

New Privacy Rule: Disclose Your AI Use or Face a $330K Fine

From 10 December 2026, every business using AI in decisions about people must disclose it in their privacy policy. Infringement penalty: $330,000.

From 10 December 2026, any Australian business covered by the Privacy Act that uses a computer program to make decisions significantly affecting individuals must disclose that use in their privacy policy. The obligation covers AI tools, algorithmic systems, and automated processes that use personal information — including features embedded in third-party platforms like Xero, MYOB, or your practice management software.

The rule comes from the Privacy and Other Legislation Amendment Act 2024, which added new provisions (APP 1.7–1.9) to the Australian Privacy Principles. It passed in December 2024 with a 24-month transition period. That period ends in six months. The OAIC can issue infringement notices of up to $330,000 for companies that fail to have a compliant privacy policy — 1,000 penalty units at the current Commonwealth rate of $330 each.

$330K: Infringement penalty for non-disclosure (1,000 penalty units per OAIC notice)

6 months: Until the obligation commences (10 December 2026)

100K+: Small businesses losing Privacy Act exemption (from 1 July 2026, three weeks away)

The Office of the Australian Information Commissioner opened a public consultation on the new obligation in May 2026, closing 15 June. The early signals point to a broad interpretation that will capture more businesses than most expect.

Two terms determine whether you're in scope. First: "arranged for." The OAIC's Issues Paper indicates this places responsibility on the organisation that deploys a computer program to make decisions — not necessarily the organisation that built it. If you subscribe to software that uses AI to make or assist decisions about people, you're the one who must disclose it. The fact that Xero or ServiceTitan built the feature doesn't shift the obligation.

Second: "significantly affect rights or interests." This captures decisions about whether to provide services to a customer, whether to grant a job interview, pricing or credit decisions, and access to significant services. The standard is effects-based — both adverse and beneficial outcomes count, according to the OAIC's guidance framework. For a trades business, that likely means automated quoting systems that price based on customer location or history, AI-powered job allocation, and automated customer screening. For an accounting or law firm, it captures AI-driven client risk assessments, automated AML/CTF screening, and algorithmic decisions about which clients to onboard.

For accountants, lawyers, conveyancers, and real estate agents — many of whom have operated under the $3 million turnover small business exemption — the situation is sharper. From 1 July 2026, more than 100,000 small businesses in these sectors lose their Privacy Act exemption entirely, as AML/CTF reforms pull them into the regulated entity framework. The OAIC has confirmed this number.

That means: in three weeks, these firms need a privacy policy that complies with the Australian Privacy Principles. Six months later, that privacy policy must also disclose their automated decision-making. If you've been operating without a privacy policy because you were exempt, you now have two obligations to meet, on two deadlines, with penalties behind each.

We've written before about building an AI register — first as a governance tool for managing shadow AI, then as evidence for insurance renewals. The same document now has a third job: compliance with the automated decision-making transparency obligation.

Two deadlines for professional services firms under $3M

1 July 2026: Privacy Act applies (exemption removed for 100K+ firms)

10 Dec 2026: AI disclosure required (in your new privacy policy)

First, build your AI register: a list of every tool in your business that uses personal information in any form of algorithmic or AI-powered decision-making. Include embedded features: your CRM's lead scoring, your HR platform's resume screening, your accounting software's AI categorisation, any automated quoting or scheduling tools. The register is the foundation — you can't disclose what you haven't mapped.

Second, for each tool on the register, ask: does this make or substantially assist in making a decision that significantly affects someone's rights or interests? The answer determines whether it goes in your privacy policy. Client risk screening: almost certainly yes. Internal bank feed categorisation: probably not. Automated quote pricing that varies by customer: likely yes. If you're unsure, err toward disclosure — over-disclosing carries no penalty.

Third, don't wait for the OAIC's final guidance. The consultation closes 15 June 2026 and final guidance is expected later this year, but the obligation commences on 10 December whether the guidance is finalised or not. The businesses that start now will have a compliant policy before the deadline. The ones waiting for perfect clarity will be writing their privacy policy in November.

Key takeaways

From 10 December 2026, businesses must disclose in their privacy policy any use of AI or computer programs that make decisions significantly affecting individuals — including AI features embedded in third-party software like Xero, MYOB, or ServiceTitan.
The OAIC is signalling a broad interpretation: if you deploy software that uses AI in decisions about people, you bear the disclosure obligation — even if you didn't build the AI.
More than 100,000 small businesses in accounting, law, conveyancing, and real estate lose their Privacy Act small business exemption from 1 July 2026, creating a double deadline.
Non-compliance carries infringement notices of up to $330,000 (1,000 penalty units). The OAIC consultation closes 15 June 2026 with final guidance expected later this year.

Sources

OAIC — Consultation on Guidance for Transparency in Automated Decision Making (May 2026)

Jackson Walker Solicitors — Practical Implications of the New Transparency Requirements for Automated Decision Making

Helios Salinger — Privacy Reforms to Impact Over 100,000 Small Businesses (March 2026)

Assumptions & methodology
  1. The $330,000 penalty figure is calculated at 1,000 Commonwealth penalty units at the current rate of $330 per unit (effective from 7 November 2024). This is the infringement notice penalty specifically for failing to have a privacy policy compliant with APP 1.7 requirements. The broader civil penalty regime under the Privacy Act allows penalties up to $50 million for serious and repeated interferences with privacy.
  2. The 100,000+ figure for small businesses losing their Privacy Act exemption from 1 July 2026 is the OAIC's published estimate, cited in multiple law firm analyses. These businesses are brought under the Privacy Act via AML/CTF reforms that make them reporting entities, which automatically removes the small business exemption for personal information handling in connection with AML/CTF obligations.
  3. The OAIC's broad reading of 'arranged for' and 'significantly affect' is drawn from published commentary by Bird & Bird (May 2026) and Jackson Walker Solicitors on the OAIC's Issues Paper. The OAIC has not yet published final guidance — the consultation closes 15 June 2026 and final guidance is expected later in 2026.
  4. The broader removal of the $3 million small business exemption (covering all industries, not just those brought in via AML/CTF) has been agreed to in principle by the Australian Government but has not yet been legislated. The December 2026 ADM obligation applies only to businesses that are already APP entities.

Field Notes are general commentary on AI trends for Australian businesses. They don’t constitute professional advice. Talk to your accountant, lawyer, or IT adviser before acting on anything specific to your situation — or talk to us if you want help working out where AI fits.
