If you run a small business in accounting, real estate, legal services, conveyancing, or deal in high-value goods like jewellery, mark 1 July 2026 in your calendar. That’s when changes to anti-money laundering laws will strip the Privacy Act’s small business exemption from more than 100,000 Australian businesses, as reported by Helios Salinger.

Here’s what’s happening: the Anti-Money Laundering and Counter-Terrorism Financing Act is expanding to cover a raft of new industries from 1 July. Businesses in those industries that previously flew under the Privacy Act’s $3 million turnover threshold will lose that exemption entirely. The OAIC has confirmed the number affected sits north of 100,000. That’s a lot of small operators who’ve never had to worry about formal privacy compliance suddenly needing policies, procedures, and breach response plans.

The to-do list isn’t trivial. Affected businesses will need a compliant privacy policy meeting APP 1.4 standards, proper collection notices under APP 5, a full audit of how personal data flows through their operations, and staff training on privacy obligations. Three months isn’t a lot of runway for businesses starting from zero. The smart move is to start now — assess what personal information you collect, where it’s stored, who has access, and whether your current practices would survive a regulator’s review.

Need help getting your IT systems and data handling practices audit-ready before July? All IT Services can help small businesses assess their technology stack and plug compliance gaps before the deadline hits.