In 2025, privacy compliance is a business-critical issue – not just a legal formality.
The Australian Government has passed significant reforms to the Privacy Act 1988 (Cth) (Privacy Act) through the Privacy and Other Legislation Amendment Act 2024 (Cth) (Amendment Act) aimed at giving consumers more control over their personal data and forcing organisations to improve transparency, security, and accountability.
Whether you’re a tech startup, e-commerce business, healthcare provider, or small business collecting basic customer info, these reforms likely affect how you collect, store, and use personal data.
In this article, our privacy and data lawyers break down what’s changed, what’s expected of your business, and how you can avoid hefty fines or legal action.
Key Takeaways
- The updated Privacy Act introduces stricter consent rules, new data rights, and significantly higher penalties
- Businesses must now allow consumers to request data deletion (“right to be forgotten”)
- Fines can reach up to $50 million for serious data breaches
- You may need to update your privacy policy, internal procedures, and staff training
- Non-compliance can result in investigations by the Office of the Australian Information Commissioner (OAIC)

Key Privacy Law Changes in 2025
The Privacy Act has been modernised through the Amendment Act to align more closely with international frameworks like the EU’s General Data Protection Regulation (GDPR). These changes aim to address the evolving cyber risks for Australians.
While not all changes will come into effect straight away, key changes to be implemented include:
1. Right to Erasure
Individuals can now request that your business delete their personal data where it’s no longer necessary, consent has been withdrawn, or the data has been unlawfully collected.
Businesses must implement processes to identify, assess, and action data deletion requests in a timely manner.
2. Stricter Consent Requirements
Consent must now be:
- freely given
- specific and informed
- unambiguous
Pre-ticked consent boxes, vague wording, or bundled consent will no longer cut it.
Businesses should review all consent mechanisms—particularly for marketing, third-party data sharing, and sensitive data collection.
3. Increased Penalties for Serious Breaches
The OAIC can now impose penalties of:
- up to $50 million, or
- 30% of the business’s turnover during the relevant period (whichever is greater)
Businesses will need to ensure robust data protection systems are in place to avoid breaches—and be ready to respond if one occurs.
4. New Consumer Rights
Customers can now:
- request access to their data
- ask for corrections
- transfer data to another provider (data portability)
- lodge complaints directly with the OAIC
Consider updating your internal procedures and privacy policies to support these rights.
Does This Apply to Your Business?
These changes will apply to businesses that:
- turn over $3 million or more annually
- handle sensitive information (e.g. health, biometrics)
- buy or sell consumer data
- provide credit reporting services
- operate in sectors like finance, healthcare, marketing, tech, or retail
Even smaller businesses may be caught under certain conditions.
Risks of Non-Compliance
The OAIC’s enforcement powers are stronger than ever, including the ability to issue infringement notices. Businesses can face substantial financial penalties.
Further, data breaches could result in formal investigations, loss of customer trust, reputational damage and even class action lawsuits.
Compliance Tips for Businesses
To comply with the 2025 reforms, your business should:
1. Review Your Privacy Policy
Ensure it clearly:
- outlines data collection and usage practices
- explains consumer rights
- reflects updated consent and erasure obligations
2. Update Your Internal Processes
Businesses should:
- implement new workflows for handling access and deletion requests
- create data breach response protocols
- assign a privacy officer (if not already done)

3. Conduct a Data Audit
This means:
- mapping what data you collect, where it’s stored, and who has access
- identifying any third-party data processors (e.g. cloud providers, marketing agencies)
- checking contract terms for privacy compliance
4. Train Your Team
Privacy compliance is a team effort. Be sure to educate your staff on what constitutes personal information, how to handle consumer data and what to do if a breach occurs.
Frequently Asked Questions
How do I know if the new laws apply to my business?
If you collect or handle personal information, there’s a good chance they do. We recommend seeking legal advice for clarity.
Do I need to update my privacy policy?
Yes. Most existing policies will need revision to reflect new consumer rights and obligations under the Privacy Act.
What if my business uses overseas software providers?
You’re still responsible for how your customers’ data is handled, even by third-party providers. Contracts should reflect this.
Can I be fined if I don’t respond to a customer data request?
You must notify affected individuals and the OAIC as soon as possible. Having a Data Breach Response Plan is essential to help your business follow the correct procedures.