Small businesses with under AUD 3 million annual turnover have been exempt from Australia’s Privacy Act terms to date, but that has been taken off the table in a new round of reforms that could become law in 2024.
The Australian government has agreed to expand the Privacy Act to cover all small businesses, something that a review has acknowledged could put a “disproportionate burden” on them. Any change of this nature would be subject to further consultation before becoming law, however, and would include an “appropriate” transition period to help make the situation more feasible.
Privacy Act expansion targets previously exempt small businesses
Small businesses were previously exempt from the Privacy Act in the belief that the potential impact on privacy did not outweigh the burden the added regulation would create, but the government has changed its outlook as of the latest review (which contains 116 new proposals in total). If the change to the law goes forward as-is, about 2.3 million small businesses in the country would be impacted; this represents about 95% of all businesses in Australia.
Should the new proposals stay in place, the government has plans to consult with small businesses well in advance of Privacy Act changes to determine how the rules can feasibly be applied without causing undue damage. This could include “government support,” though the exact nature of this support has not been outlined as of yet.
This area of the Privacy Act has not been updated since 2000, when it established that only certain small businesses with a higher risk associated with data theft would have to follow the rules: for example, those in the health care sector, those with Commonwealth contracts, and those that do the bulk of their business trading in personal information. The new proposals clear the way for all businesses of any size to be required to comply, which could add thousands to tens of thousands of dollars to annual expenses for even the smallest of them.
The new proposals do call for an impact analysis to be undertaken in advance of rule changes, in addition to the promises of support and consultations.
Australia’s small businesses could see impact as soon as 2024
The current Privacy Act terms don’t put any particular data security obligations on small businesses, and they are also not subject to breach reporting terms. These businesses would not only be looking at these new obligations, but also an expanded definition of “personal information” that would require them to secure any user IP addresses and device identifiers that are logged and account for any cookies used. The Children’s Online Privacy Code would also be updated with stronger protections for the personal information of minors.
There are also special shorter-term rules that apply to small businesses handling biometric information. While most small businesses will likely have a long lead time to come into compliance with the new terms, those handling things like facial recognition and fingerprints would have to comply much sooner, as they would immediately join the existing categories of business that are required to comply regardless of their size or income.
The termination of the Privacy Act exemption for small businesses has something of a partisan bent, finding more support with the ruling Labor party than the Coalition. Independents also tend to support stronger protections for marketing to children, but want to see this paired with requirements that political parties have the full Privacy Act terms applied to them as well. The Labor side points to entities such as real estate agents, which are generally too small to be covered by existing terms yet hold an assortment of highly sensitive personal and financial data that they are not obligated to secure.
The government agreed to many other new Privacy Act proposals suggested by the recent review, a number of which might also impact small businesses. Businesses making use of relatively simple tools such as Google Analytics may now need to ensure that they are collecting consent in compliance with the law, even if they are not employing any sort of targeted advertising. They will also need to ensure they are not falling within the realm of “dark patterns” in the design of their websites, and will have to take stock of any personal information they may collect for marketing purposes and ensure that customers can access and opt out of it.
In the wake of the massive data breaches of Optus and others in the past year, there will also be new restrictions on how long personal data can “reasonably” be kept before it has to be destroyed. A “right to be forgotten” similar to the one provided by the EU’s GDPR is also on the table.