Privacy and Compliance · 8 min read

Privacy Act 2024 amendments: what every Australian website owner needs to do

What the Privacy and Other Legislation Amendment Act 2024 actually changes for Australian website owners, what is still being debated in tranche 2, and the five practical things every site should review this quarter.

Andre Reis

The Privacy and Other Legislation Amendment Act 2024 changed Australian privacy law in three practical ways for website owners: higher maximum penalties, criminal doxxing offences, and a new statutory right for individuals to sue for serious invasions of privacy. More changes are coming through tranche 2, which the government is still drafting. This article covers what is already in force, what is on the way, and the five things every Australian website owner should review on their site this quarter.

What the 2024 amendments actually changed

In late 2024, parliament passed the first tranche of long-promised reforms to the Privacy Act 1988. The changes that matter for businesses with a website are below.

Increased penalties (in force since late 2022)

The maximum penalty for serious or repeated privacy breaches is now AUD $50 million, three times the value of the breach, or 30% of adjusted turnover, whichever is greater. This isn't actually new in 2024, but it's worth restating because most small businesses still operate as if the old AUD $2.2 million cap applies. It doesn't. The penalty band has shifted by an order of magnitude.

Doxxing offences (in force from December 2024)

It is now a criminal offence to publish personal information online with the intent to cause harm. The maximum penalty is six years' imprisonment, or seven years where the target was selected based on race, religion, sex, sexual orientation, gender identity, intersex status, or disability.

This applies to any individual, but it has consequences for forums, comment sections, and any user-generated-content area on your site. If you allow user comments, you have a duty to act on doxxing content promptly when notified. Build a takedown path into your moderation policy. Even if your site never hosts doxxing, the law's existence means visitors will sometimes ask you to act on content you didn't realise was harmful, and ignoring those requests is now a lot riskier.

Statutory tort for serious invasions of privacy (in force June 2025)

Individuals can now sue for serious invasions of privacy directly. Two patterns matter for websites:

  1. Misuse of information: collecting or sharing personal information in a way the individual would find seriously objectionable.
  2. Intrusion upon seclusion: less relevant for most websites unless you record sessions, track users covertly, or use heat-mapping tools without disclosure.

General damages are capped at around AUD $478,550, with aggravated and exemplary damages available on top in serious cases. The threshold for "serious" is intentionally high, but the practical effect is that affected individuals can now bypass the OAIC and take you straight to court.

Automated decision-making transparency (commencing late 2026)

If your website uses automated decisions that materially affect a user (loan approval, insurance pricing, hiring shortlist, credit check, access to services), your privacy policy must disclose:

  • The kinds of personal information used in the decision.
  • How the decision is made (the logic, broadly).
  • Whether a human reviews it before the decision is final.

This applies to "substantially automated" decisions, not human decisions augmented by software. The line between those will be argued for years, but the safe assumption is: if your system makes a material decision largely without a human, treat it as in scope and disclose.

Children's online privacy code (under development)

The OAIC is required to develop a binding Children's Online Privacy Code for online services likely to be accessed by children. Until the final code is registered, you can't fully prepare. But if your site is likely to attract children (under 18, on a broad reading), expect future requirements around design defaults, age-appropriate language, and stricter consent rules for behavioural advertising.

What is still being debated (tranche 2)

The 2024 amendments were tranche 1. Tranche 2 reforms are still being drafted and consulted on. The four most consequential proposals for small businesses:

  1. Removing the small business exemption. Today, businesses with annual turnover under AUD $3 million are exempt from most Privacy Act obligations. Tranche 2 will likely remove that exemption, putting roughly 95% of Australian businesses inside the Act for the first time.
  2. A "fair and reasonable" requirement. A new overarching obligation that personal information handling must be fair and reasonable, even where technically permitted by an APP. This raises the floor on what businesses can do with consent.
  3. Direct right of action. Individuals would be able to bring privacy complaints directly to court rather than only through the OAIC.
  4. Right to erasure. Individuals could request deletion of their personal information, similar to GDPR's right to be forgotten.

None of these are law yet. Watch the Attorney-General's Department's privacy reform updates for current status. If your business has under AUD $3 million in turnover, the responsible move is to start operating as if the Act applies anyway, because you may be inside it within a year or two.

Five things every Australian website owner should do this quarter

1. Update your privacy policy

The 2024 changes mean your existing policy may be out of date even if you wrote it in 2024. Specifically check that it covers:

  • The categories of personal information you collect and the purpose for each.
  • Whether any of it is sent overseas (Google Analytics, Stripe, Mailchimp, Brevo, and most cloud tools all do).
  • How users access, correct, or complain about their information.
  • Your contact details for privacy enquiries.
  • A reference to the OAIC complaint process.

If you use any automated decision-making that affects users, even something as small as automated quote pricing or eligibility filtering, add a section disclosing it. Late 2026 is the legal deadline; nothing stops you doing it now.

2. Fix your cookie banner

The Privacy Act doesn't have an explicit cookie law like the EU's ePrivacy Directive, but the OAIC has consistently said that non-essential cookies (advertising, analytics, social plugins) require informed consent. A "by using this site you accept cookies" banner doesn't meet that standard.

A cookie banner that does meet the standard:

  • Loads with no non-essential cookies set.
  • Lets users accept, reject, or customise their choices on the first interaction.
  • Stores the user's choice for future visits.
  • Provides a way to change the choice later.

If you use Cookiebot, Klaro, Cookie Consent, or Iubenda properly configured, you're probably fine. If you're using a hand-rolled banner that just hides itself when clicked, you're probably not.
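The four requirements above map onto a small consent gate. This is an added example, not code from the article or from any of the consent tools it names; the cookie name `site_consent`, the three categories and the inert `<script type="text/plain" data-category="..." data-src="...">` tagging convention are assumptions. Nothing non-essential runs until a stored choice explicitly allows its category, the choice is kept for future visits, and the same save function serves a "cookie settings" link for changing it later.

```javascript
// Consent categories; assumed to match the page's non-essential groups (analytics, advertising, social).
const CATEGORIES = ["analytics", "advertising", "social"];
const COOKIE_NAME = "site_consent";   // hypothetical cookie name
const CONSENT_VERSION = 1;            // bump when categories change so stale choices are asked again

// Read the stored choice from a document.cookie string. null means "no valid choice yet":
// show the banner and load nothing non-essential.
function parseConsent(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== COOKIE_NAME) continue;
    try {
      const c = JSON.parse(decodeURIComponent(rest.join("=")));
      return c.v === CONSENT_VERSION && c.choices && typeof c.choices === "object" ? c : null;
    } catch { return null; }
  }
  return null;
}

// Cookie value for the user's choices. Each category defaults to false and only a literal true
// counts, so a pre-ticked box or an ambiguous value can never opt someone in. Kept for 180 days.
function serializeConsent(choices, now = new Date()) {
  const normalized = {};
  for (const cat of CATEGORIES) normalized[cat] = choices[cat] === true;
  const value = { v: CONSENT_VERSION, choices: normalized, at: now.toISOString() };
  return `${COOKIE_NAME}=${encodeURIComponent(JSON.stringify(value))}; Max-Age=15552000; Path=/; SameSite=Lax; Secure`;
}

// Scripts without a category are essential and always load; anything else needs an explicit true.
function allowedScripts(scripts, consent) {
  return scripts.filter(s => !s.category || (consent !== null && consent.choices[s.category] === true));
}

// Browser glue: vendor tags ship inert as <script type="text/plain" data-category="analytics" data-src="...">
// and become live <script> elements only once the stored choice allows their category.
// Returns true when the banner must be shown (no choice recorded yet).
function applyConsentToPage(doc) {
  const consent = parseConsent(doc.cookie);
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'));
  const scripts = tags.map(t => ({ category: t.dataset.category, src: t.dataset.src, tag: t }));
  for (const s of allowedScripts(scripts, consent)) {
    const live = doc.createElement("script");
    live.src = s.src;
    s.tag.replaceWith(live);
  }
  return consent === null;
}

// Wire this to the banner's Accept / Reject / Save buttons and to a "cookie settings" link for later changes.
function saveChoice(doc, choices) {
  doc.cookie = serializeConsent(choices);
  return applyConsentToPage(doc);
}
```

Call `applyConsentToPage(document)` once on page load; when it returns true, render the banner. Reject must be as easy as Accept, so the Reject button should call `saveChoice(document, {})`.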

3. Get Notifiable Data Breaches ready

Under the NDB scheme (in force since 2018, unchanged in 2024), you must notify the OAIC and affected individuals within 30 days of becoming aware of an "eligible data breach". Most small businesses have no plan and discover this requirement during the breach itself, which is the worst possible time.

A two-page incident response plan, stored where everyone on your team can find it:

  • Who decides whether a breach is "eligible" (typically the director).
  • What evidence to collect (logs, affected accounts, scope of data).
  • The OAIC notification form (download it now from the OAIC site).
  • A template customer notification email.
  • Contacts for your hosting provider, mail provider, and payment processor account managers.

You'll never use it on a calm Monday. You'll use it at 11pm on a Sunday when something has clearly gone wrong.

4. Practise data minimisation

The Privacy Act requires that you collect only personal information reasonably necessary for your business activities. The reforms strengthen this. Audit every form on your website:

  • Contact form: do you really need a phone number, or is email enough?
  • Newsletter signup: do you really need a postcode and date of birth, or just an email?
  • Account registration: which fields are actually necessary on day one versus things that can be filled in later?

Each unnecessary field is a future breach risk and a hard-to-defend collection if challenged. Cut what you don't need.

5. Audit your third-party data flows

Every third-party tool on your website handles your visitors' personal information in some form. Common ones:

  • Google Analytics 4: page views, IP-derived location, device fingerprint.
  • Stripe: payment details, billing address.
  • Mailchimp, Brevo, Postmark: email addresses, behaviour data.
  • Hotjar, Microsoft Clarity, FullStory: full session recordings, possibly including form input.
  • Meta Pixel: page views, conversions, often with hashed email if your forms pass it.

Make a list. Confirm each vendor is named in your privacy policy. Check that any that send data overseas are documented as such, with the country listed where practical. For session recording specifically, confirm that input masking is on so passwords and credit card numbers are never recorded.
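A starting point for the "make a list" step, added here as an example and not part of the article: a function that pulls every script and iframe source out of a page, resolves it against your own origin, and reports the third-party hosts with the vendor to name in your policy. The sample markup is constructed, and the host-to-vendor map is an assumption you would extend for your own site; the session-recording flag marks the tools whose input masking needs checking.

```javascript
// Constructed sample markup standing in for a small-business site (not a real site or real IDs).
const SAMPLE_HTML = `<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://static.hotjar.com/c/hotjar-0000000.js?sv=6"></script>
<iframe src="https://www.youtube.com/embed/PLACEHOLDER"></iframe>
</head></html>`;

// Assumed mapping of script hosts to the vendors named on the page; recordsSessions flags the tools
// whose input masking must be verified so passwords and card numbers never end up in recordings.
const KNOWN_VENDORS = {
  "www.googletagmanager.com": { vendor: "Google Analytics 4 / Tag Manager", recordsSessions: false },
  "js.stripe.com":            { vendor: "Stripe",                            recordsSessions: false },
  "static.hotjar.com":        { vendor: "Hotjar",                            recordsSessions: true  },
  "www.clarity.ms":           { vendor: "Microsoft Clarity",                 recordsSessions: true  },
  "connect.facebook.net":     { vendor: "Meta Pixel",                        recordsSessions: false },
};

// Extract every <script>/<iframe> src, resolve it against the site's own origin, and keep only the
// hosts that belong to someone else. Unknown hosts are flagged so they get identified, not ignored.
function thirdPartyOrigins(html, siteOrigin) {
  const own = new URL(siteOrigin).origin;
  const found = new Map();
  const re = /<(script|iframe)\b[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    let url;
    try { url = new URL(m[2], own); } catch { continue; }
    if (url.origin === own) continue;
    const info = KNOWN_VENDORS[url.hostname] || { vendor: "UNKNOWN: identify and add to policy", recordsSessions: false };
    found.set(url.hostname, { tag: m[1].toLowerCase(), ...info });
  }
  return found;
}

// Lines for the privacy-policy vendor list, with session recorders called out for the masking check.
function auditReport(html, siteOrigin) {
  return [...thirdPartyOrigins(html, siteOrigin)].map(([host, i]) =>
    `${host} -> ${i.vendor}${i.recordsSessions ? " [session recording: confirm input masking is on]" : ""}`);
}
```

Run it over the HTML of each template on your site, not just the home page; checkout and account pages are where the payment and session-recording tags usually live.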

Are you covered by the small business exemption today?

The exemption applies if your annual turnover is under AUD $3 million AND you don't fit any of the carve-outs. The carve-outs include:

  • Health service providers.
  • Trading in personal information.
  • Contractors providing services to government.
  • Operators of residential tenancy databases.
  • Credit reporting bodies and credit providers.
  • Employee associations and superannuation trustees.

If you fit a carve-out, the Act already applies to you regardless of turnover. If you don't fit one and you're under the threshold, you're exempt today. But tranche 2 is likely to remove the exemption, so this is an excellent time to start operating as if the Act applies.

How to update your privacy policy yourself

If you're not engaging a lawyer, a defensible approach:

  1. Start from the OAIC's "APP Privacy Policy Guidelines" (search "OAIC privacy policy guide" on the OAIC site).
  2. Use the OAIC's free privacy policy template as a starting point.
  3. Customise it for your actual data collection. Don't paste boilerplate that lists categories you don't actually collect; that's misleading and itself a Privacy Act issue.
  4. Add the specific 2024 changes that apply: doxxing in your community guidelines if you allow user content, automated decision-making if applicable, children's privacy if your audience includes minors.
  5. Date the policy and commit to reviewing it annually. Customers notice when the date hasn't moved in three years.

Your privacy policy isn't a legal-only document. Customers do read it during purchasing decisions, especially in B2B. A clean, plain-English policy is a small competitive advantage.

Run the free scan

Run our free scanner on your domain to see whether your website's email security, encryption, and headers meet the modern privacy baseline. The scan won't replace a privacy review by a lawyer, but it will surface the technical issues most likely to cause a breach worth notifying.
