Privacy Act 2024 Reforms: What Australian Websites Need to Change
The reforms are live and the grace period is closing
The Privacy and Other Legislation Amendment Act 2024 passed in late 2024 as the first tranche of the long-promised overhaul of the Privacy Act 1988 (Cth). Some provisions commenced immediately, others on a staged timeline running through 2025 and 2026. If you run an Australian website, the practical question is no longer whether the reforms affect you. It is whether your current consent flows, privacy policy and breach response plan can survive an OAIC inquiry.
We have been rolling the changes into client builds and audits across the last twelve months. This post is the short version of what matters for web teams: what changed, what to ship, and where the real risk sits.
What actually changed
The amendment package is dense, but five pieces are directly relevant to anyone running a public website that collects personal information.
A statutory tort for serious invasions of privacy
For the first time in Australia, an individual can sue directly for a serious invasion of privacy. Previously, the OAIC was the only meaningful enforcement channel and damages were rare. Now a person whose information was mishandled, through a breach, a careless share or an excessive collection practice, can commence proceedings themselves.
For web operators this means two things. Your exposure has expanded from regulatory fines to direct civil litigation. And class-action firms are actively watching major incidents. Breached mailing lists of meaningful size are commercially interesting to them.
Materially higher penalties
The maximum penalty for a serious or repeated interference with privacy now sits at the greater of AUD 50 million, three times the benefit derived, or 30 per cent of adjusted turnover. These are GDPR-adjacent numbers and they apply to mid-market Australian companies, not just global platforms.
A Children's Online Privacy Code
The OAIC has been directed to develop a Children's Online Privacy Code, with commencement in 2026. Any service likely to be accessed by children, a broader net than services targeted at children, needs age-appropriate design, stronger default settings, and more restrictive data handling for minors. If you run a community site, education product, or anything gamified, this is on your roadmap.
Automated decision disclosure
Where an automated system substantially influences a decision that affects an individual, you must disclose this in your privacy policy. "Substantially influences" is broader than "makes the decision". A credit scoring model that a human rubber-stamps is still in scope. This affects hiring platforms, insurance quoters, finance applications, and any personalisation engine that changes what pricing, terms or access a user sees.
Clarified security obligation
APP 11 has been sharpened. Reasonable steps to protect personal information now explicitly include both technical and organisational measures. The OAIC guidance is moving toward an expectation of measures that would satisfy the ACSC Essential Eight, at least for anything holding meaningful volumes of personal data.
Rewriting your privacy policy
Most Australian privacy policies we audit were written in 2018 for GDPR and never updated. They do not address the new disclosure requirements and they read as legal boilerplate rather than meaningful notice.
The current minimum is a policy that sets out, in plain language:
- What personal information you collect, separated into categories (contact details, browsing behaviour, payment information, sensitive information)
- The specific purposes of collection for each category
- Whether automated decision-making is used and what kinds of decisions it influences
- How and where the information is stored, including overseas disclosure and the countries involved
- How long you retain each category, and the trigger for deletion
- How an individual can access, correct or complain, with a direct email to your privacy officer
- How you handle information about children if your service is likely to reach them
Date the policy. Version it. Link to it from the footer, the signup form, and any data-collection surface. Policies that cannot be found score badly in OAIC assessments.
Consent UX done properly
The OAIC has made clear that consent needs to be voluntary, informed, current, specific, and given by someone with capacity. In practice that means three web-level changes for most clients.
No more pre-ticked boxes for marketing consent. The Spam Act already required this, but it is now explicit under the reformed privacy framework as well.
Separate consent for separate purposes. Bundling "I agree to the privacy policy and receive marketing emails and allow third-party data sharing" into one checkbox is not legally valid consent for any of the three.
A working withdrawal mechanism. An unsubscribe link in every marketing email is the minimum. You also need an accessible way to withdraw broader consents, usually a preferences centre linked from the policy itself.
Cookie banners deserve their own note. The OAIC position is that non-essential cookies require prior consent, and a "by using this site you agree" banner is not consent. If you run analytics, advertising pixels or session replay tools, a proper consent manager is now effectively required rather than nice to have.
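The three consent changes and the cookie-gating point above, as an added JavaScript example that is not code from the original post or from any client build: a purpose-scoped consent store in which every non-essential purpose starts unticked, purposes are granted or withdrawn separately, no analytics, advertising or session-replay script loads before an explicit decision, and consent recorded under an older policy version is treated as no longer current. The `storage` and `loaders` objects, the purpose names, the storage key and the policy version string are assumptions chosen for the example.

```javascript
// Added example: purpose-scoped consent gating for non-essential scripts.
// `storage` (e.g. window.localStorage) and `loaders` ({ purpose: { load, unload } })
// are injected so the same code runs in a browser or in a DOM-less test.
const PURPOSES = ["analytics", "advertising", "session_replay"]; // assumed purposes
const POLICY_VERSION = "2025-01"; // constructed value; bump when the policy changes
const KEY = "consent_record"; // assumed storage key
function emptyRecord() { // no pre-ticked defaults: every purpose starts ungranted
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = { granted: false, at: null };
  return { policyVersion: POLICY_VERSION, decidedAt: null, purposes };
}
function createConsentStore(storage, loaders, now = () => Date.now()) {
  const active = new Set(); // purposes whose scripts are currently loaded
  function read() {
    const raw = storage.getItem(KEY);
    const rec = raw ? JSON.parse(raw) : null;
    // Consent given under an older policy version is not "current": start over.
    return rec && rec.policyVersion === POLICY_VERSION ? rec : emptyRecord();
  }
  function save(rec) { // persist, then load or unload each gated tool to match
    storage.setItem(KEY, JSON.stringify(rec));
    for (const p of PURPOSES) {
      const granted = rec.purposes[p].granted;
      if (granted && !active.has(p) && loaders[p]) { loaders[p].load(); active.add(p); }
      if (!granted && active.has(p) && loaders[p]) { loaders[p].unload(); active.delete(p); }
    }
    return rec;
  }
  function setPurposes(list, value) { // touches only the purposes listed
    const rec = read();
    for (const p of list) {
      if (!PURPOSES.includes(p)) throw new Error("unknown purpose: " + p);
      rec.purposes[p] = { granted: value, at: now() };
    }
    rec.decidedAt = rec.decidedAt || now();
    return save(rec);
  }
  return {
    init: () => save(read()),                // re-applies a prior decision, loads nothing otherwise
    needsBanner: () => read().decidedAt === null,
    isGranted: (p) => read().purposes[p]?.granted === true,
    grant: (purposes) => setPurposes(purposes, true),     // separate consent per purpose
    withdraw: (purposes) => setPurposes(purposes, false), // preferences-centre withdrawal
    declineAll: () => setPurposes(PURPOSES, false),
  };
}
```

Wire the banner's buttons to `grant`, `declineAll` and the preferences centre to `withdraw`; call `init()` once on page load so previously consented tools resume and nothing else runs.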
Data mapping, the unglamorous work
You cannot comply with something you have not measured. Before you touch the policy text, build a data map. For each form, integration and pixel on your site, record:
- What fields are collected
- Where the data lands (database, CRM, email platform, analytics, ad platform)
- Who inside the business has access
- Whether it leaves Australia, and to which countries
- How long it is kept
- The legal basis for collection
We run this as a spreadsheet workshop with clients and it routinely surfaces surprises. A legacy Mailchimp list nobody remembers. A Hotjar recording stream still running on checkout. Customer support tickets being copied into a ChatGPT tab. The map is the single most useful artefact for both the policy rewrite and the breach response plan.
Breach response and the notification window
The Notifiable Data Breaches scheme still requires notification to both the OAIC and affected individuals where a breach is likely to result in serious harm. What has tightened is the expectation on timeliness and the willingness of the OAIC to pursue secondary breaches of the notification obligation itself.
Every site that handles personal data needs a written breach response plan that answers four questions in advance. Who decides whether a breach is notifiable. What the technical containment playbook looks like. Who drafts the notification. And who speaks to media if the incident goes public. Run a tabletop exercise annually. The first time you work through these questions should not be during an actual incident.
Where we see the most remediation work
Across the audits we have run for Australian clients in the past twelve months, the most common gaps are, in order: outdated privacy policies missing automated decision disclosure, non-compliant cookie banners, no data map, marketing consent bundled with terms acceptance, and no breach response plan. None of these are expensive to fix. The cost sits almost entirely in the thinking, not the implementation.
If you would like us to run a privacy audit on your site and tell you honestly where the gaps are, get in touch and we will give you a straight assessment and a scoped remediation plan.