Buried in the Privacy and Other Legislation Amendment Act 2024 is a new obligation that quietly takes effect on 10 December 2026: if your business uses a computer program to make — or even substantially help make — a decision that significantly affects someone, your privacy policy must say so. The new requirement, APP 1.7 through 1.9, applies to far more than ChatGPT.
The wording deliberately covers “any computer program” — meaning rule-based scoring engines, machine learning models and Copilot-style AI assistants all qualify. If your business uses software to triage loan applications, screen job applicants, set insurance premiums, decide creditworthiness, allocate hospital appointments or even score lead quality in your CRM, you’re likely in scope. As McCullough Robertson points out, the OAIC’s enforcement powers are now real — civil penalties and infringement notices of up to $66,000 per contravention apply for non-compliant privacy policies.
What you actually need to do before 10 December:
- Map every system in your business that uses personal information to make or support a decision about a person. Don’t forget the third-party SaaS tools your team has signed up for without telling anyone.
- For each, document the types of personal information used and the kinds of decisions made.
- Update your privacy policy to add a clear, plain-English section on automated decision-making — not legal boilerplate that no one understands.
- Decide who in the business owns ongoing review. Models change. Vendors quietly add AI features. This is not a once-and-done exercise.
The reality is most Australian SMBs are now using AI somewhere — usually without realising. Six months is enough time to do this properly. Three months is enough to do it badly. If you’d like a hand auditing what’s in scope, give us a shout.
