Australian Privacy Law and AI: What Small Businesses Need to Know
AI tools are genuinely useful for small business. But before you start feeding customer data into ChatGPT or automating your client communications with AI, it’s worth understanding your obligations under Australian privacy law.
This isn’t meant to scare you off using AI: it’s meant to help you use it confidently and responsibly. The rules aren’t as complicated as they might sound, and most small businesses can comply without major effort.
Important note: This article is general information only and not legal advice. If you have specific concerns about your privacy obligations, speak with a qualified Australian legal professional.
The Basics: What Is the Privacy Act?
The Privacy Act 1988 is the main federal law governing how personal information is collected, stored, used, and shared in Australia. It’s administered by the Office of the Australian Information Commissioner (OAIC).
At the heart of the Privacy Act are 13 Australian Privacy Principles (APPs): a set of rules about how organisations must handle personal information.
Personal information means any information that identifies a person or could reasonably identify them. This includes names, email addresses, phone numbers, photos, health information, financial details, and even IP addresses in some cases.
Does the Privacy Act Apply to Your Business?
Here’s where many small business owners breathe a sigh of relief, and where others need to pay attention.
The small business exemption: Businesses with an annual turnover of less than AU$3 million are generally exempt from the Privacy Act. If your business is under that threshold, the Act doesn’t directly apply to you in most cases.
However, there are important exceptions. The exemption does NOT apply if your business:
- Provides health services (doctors, dentists, physios, psychologists, gyms, etc.)
- Trades in personal information (buying or selling customer data)
- Is a contracted service provider to the federal government
- Is related to a larger business that is covered by the Act
- Operates a residential tenancy database
Even if you’re exempt, state and territory privacy laws may still apply, and the Privacy Act is currently under review, with reforms proposed that could remove the small business exemption entirely. It’s worth getting ahead of this now.
What Does This Mean for Using AI Tools?
Whether or not the Privacy Act strictly applies to your business, using AI tools responsibly means thinking carefully about what information you’re sharing with them.
The Key Question: Where Does Your Data Go?
When you type something into ChatGPT or another AI tool, that information is sent to the provider’s servers, typically overseas, in the United States. OpenAI, Google, Microsoft, and most major AI providers store that data and may use it to improve their models.
This matters if you’re inputting:
- Customer names, emails, or contact details
- Client financial information
- Employee personal details
- Health or sensitive information of any kind
- Confidential business information
Practical Rules to Follow
1. Don’t paste identifiable customer data into AI tools.
If you’re using ChatGPT to draft an email response to a customer complaint, you don’t need to include the customer’s full name, address, and account number in your prompt. Describe the situation in general terms instead. The AI doesn’t need the personal details to help you write the email.
2. Anonymise where possible.
If you need to use real data as an example (say, to ask an AI tool to analyse a pattern in your customer records), remove or replace identifying details before pasting it in. Use “Customer A” instead of a real name. Replace real email addresses with placeholders.
3. Read the privacy policy of any AI tool you use.
Not the whole thing, but understand the key points: where is data stored, how long is it retained, is it used for training, and can you opt out? Most major AI providers offer enterprise or business tiers with stronger privacy protections if that’s a concern.
4. Be transparent with customers.
If you’re using AI tools that interact directly with customers, like a chatbot on your website, it’s good practice (and in some cases legally required) to disclose this. A simple note like “This chat is handled by an AI assistant” is sufficient in most cases.
5. Have a basic privacy policy on your website.
Even if the Privacy Act doesn’t technically apply to your business, having a privacy policy builds trust and sets clear expectations. It should explain what information you collect, how you use it, and how customers can request access or deletion. You can use ChatGPT to draft a starting point, but make sure it reflects Australian law and have a lawyer review it before publishing.
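As an added example (not from this article), a small Python helper that applies rules 1 and 2 above: it replaces email addresses, phone numbers and known customer names with placeholders before a prompt leaves your machine, and keeps the mapping locally so the AI’s reply can be re-personalised. The phone pattern and the sample prompt are constructed for illustration, and names are matched from a list you supply because no pattern finds names reliably.

```python
import re

# Patterns for the identifiers the article says to strip before prompting.
# The phone pattern is a constructed approximation of common Australian
# formats (0412 345 678, (02) 9876 5432, +61 412 345 678), not exhaustive.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?:\+61\s?\d|\(?0\d\)?)(?:[\s-]?\d){8}")

def anonymise(text, known_names):
    """Return (scrubbed_text, mapping). Emails and phones are found by
    pattern; names are matched from your own customer list (no regex finds
    names reliably), with a bare first name mapped to the same placeholder.
    The mapping never leaves your machine; it re-personalises the reply."""
    mapping = {}    # placeholder -> original value
    reverse = {}    # original value -> placeholder, so repeats reuse a tag
    counters = {"Customer": 0, "EMAIL": 0, "PHONE": 0}

    def placeholder(kind, value):
        if value not in reverse:
            counters[kind] += 1
            n = counters[kind]
            tag = f"Customer {chr(64 + n)}" if kind == "Customer" else f"[{kind}_{n}]"
            reverse[value] = tag
            mapping[tag] = value
        return reverse[value]

    # Emails and phones first, so a name inside an address is never half-replaced.
    text = EMAIL_RE.sub(lambda m: placeholder("EMAIL", m.group(0)), text)
    text = PHONE_RE.sub(lambda m: placeholder("PHONE", m.group(0)), text)
    # Longest names first so "Jane Citizen" is handled before a bare "Jane".
    for name in sorted(known_names, key=len, reverse=True):
        parts = [name] + ([name.split()[0]] if " " in name else [])
        for part in parts:
            pattern = re.compile(r"\b" + re.escape(part) + r"\b", re.IGNORECASE)
            text = pattern.sub(lambda m, n=name: placeholder("Customer", n), text)
    return text, mapping

def reidentify(text, mapping):
    """Put the real details back into the AI's reply, locally."""
    for tag, value in mapping.items():
        text = text.replace(tag, value)
    return text

# Constructed sample prompt, not real customer data.
SAMPLE = ("Jane Citizen (jane.citizen@example.com, 0412 345 678) is unhappy that "
          "her order arrived late. Jane has emailed twice. Draft a polite reply.")

if __name__ == "__main__":
    scrubbed, mapping = anonymise(SAMPLE, known_names=["Jane Citizen"])
    print(scrubbed)   # this is the text you would paste into the AI tool
    print(reidentify("Dear Customer A, we are sorry ...", mapping))
```

Only the scrubbed text is pasted into the AI tool; the mapping stays in your own system and is applied to the reply after it comes back.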
The Proposed Privacy Act Reforms
The Australian Government has proposed significant reforms to the Privacy Act that could have a real impact on small businesses. Key proposals include:
- Removing the small business exemption: meaning all businesses, regardless of turnover, could be covered
- A new right to erasure: customers could request that businesses delete their personal information
- Stronger consent requirements: more explicit consent needed before collecting and using personal data
- Increased penalties for serious or repeated privacy breaches
These reforms haven’t been fully enacted at the time of writing, but the direction is clear: privacy obligations for small businesses are likely to increase, not decrease. Getting your practices right now puts you in a much stronger position.
A Simple Privacy Checklist for Small Business AI Users
- ✅ Don’t input identifiable customer or employee data into AI tools
- ✅ Anonymise data before using it as examples in AI prompts
- ✅ Disclose to customers when they’re interacting with an AI tool
- ✅ Have a privacy policy on your website
- ✅ Know where the AI tools you use store their data
- ✅ Check whether your business falls under any Privacy Act exceptions
- ✅ Stay across the proposed Privacy Act reforms: they may affect you
The Bottom Line
Using AI tools responsibly doesn’t require a law degree. It mostly comes down to common sense: don’t share personal information you don’t need to share, be transparent with your customers, and keep an eye on how the rules are evolving.
The businesses that will be caught out aren’t the ones who tried to do the right thing and got a detail wrong. They’re the ones who ignored privacy entirely. Don’t be in that group.
Last updated: March 2026. This article is general information only and not legal advice. Privacy laws are subject to change: consult the Office of the Australian Information Commissioner or a qualified legal professional for advice specific to your situation.