Almost everything written about 1 July 2026 is about AUSTRAC: enrol, write a program, do CDD, lodge reports. That is the loud obligation. There is a quieter one that arrived on exactly the same day, and most firms have not noticed it.
The moment you became a reporting entity by providing a designated service, you also lost the Privacy Act small business exemption for the personal information you handle for AML. A solo conveyancer, a sole-trader accountant, a single-agent real estate office: from 1 July 2026 you are bound by the Australian Privacy Principles (APPs), even if your turnover is well under $3 million.
The exemption that used to cover you
For years, most small Australian businesses sat outside the Privacy Act entirely. The "small business operator" exemption (turnover of $3 million or less) meant a two-person accounting practice had no APP obligations at all. That is why so many small firms have never had a privacy policy and never needed one.
That exemption did not survive Tranche 2. Under section 6E(1A) of the Privacy Act 1988, inserted by the AML/CTF Amendment Act 2024, a small business that becomes a reporting entity is treated as an organisation bound by the APPs in connection with its AML/CTF activities. Turnover is irrelevant. The regulator is blunt about it. The OAIC states that all reporting entities "are also required to comply with the Privacy Act when handling personal information for the purposes of, or in connection with, their AML/CTF obligations," and that "this includes those which are small businesses with an annual turnover of less than $3 million." (OAIC, privacy guidance for reporting entities)
The dates track the AML commencement: existing reporting entities from 31 March 2026, and Tranche 2 entities (accountants, tax agents, lawyers, conveyancers, real estate agents, dealers in precious metals and stones) from 1 July 2026. The OAIC estimates this brings more than 100,000 small businesses under the Privacy Act for the first time.
The scope nuance that keeps it sane
Here is the part that stops this from being as overwhelming as it first sounds, and it matters, so do not skip it.
The exemption is lifted only for personal information you handle for, or in connection with, your AML/CTF obligations: customer due diligence, ongoing monitoring, reporting, and record keeping. It does not automatically make you a fully regulated APP entity for everything else your firm does. Your CDD file on a client is captured. Your general bookkeeping for that same client, done outside the AML process, is a separate question.
In practice most firms will find it simpler to run one privacy program across the whole business rather than draw a fine line through their own files. But the legal trigger is scoped, and anyone telling you "you are now regulated for absolutely everything" is overstating it.
What you actually have to have now
Being an APP entity is not abstract. It is a short list of concrete things a regulator expects to see:
- A privacy policy (APP 1). A clearly expressed, up to date document setting out what personal information you collect, why, how it is held, how someone can access or correct it, how to complain, and whether anything goes overseas. This is the document most small firms simply do not have yet.
- A collection notice (APP 5). At or before the point you collect a client's identity information, you tell them specific things: who you are, that collection is required under the AML/CTF Act, why, what happens if they do not provide it, and who you might disclose it to. The OAIC publishes a free template collection notice written specifically for reporting entities. (OAIC AML/CTF collection notice template) One wrinkle to get right: the AML tipping-off rules can modify what you are allowed to say in a notice, so a generic template used blind can actually put you offside. (The tipping-off rules)
- A data breach response plan (APP 11 and the NDB scheme). Once you are an APP entity you are inside the Notifiable Data Breaches scheme. If client identity data is lost or exposed and it is likely to cause serious harm, you have to assess it and, where it qualifies, notify both the OAIC and the affected individuals. (OAIC, data breaches and the Privacy Act) A plan you wrote before the incident is worth ten written during one.
- Security and a retention schedule (APP 11). Reasonable steps to protect the information, and a rule for destroying or de-identifying it when it is no longer needed.
The retention twist you will recognise
If you have already worked through AUSTRAC record keeping, you have met half of this. The AML/CTF Act requires you to keep CDD records for seven years after the customer relationship ends. The Privacy Act (APP 11.2) pulls the other way: destroy or de-identify personal information once you no longer need it.
They reconcile cleanly. APP 11.2 has an exception for information you are required by an Australian law to retain, and the seven-year AML rule is exactly that. So the answer is not "keep forever" and not "delete now." It is: hold it for the seven years the AML/CTF Act demands, then the destruction duty revives and you get rid of it. That single sentence is most of your retention policy. (What to keep and what to destroy)
There is a related habit worth forming: you collect a lot of sensitive identity data now (photo ID, dates of birth, addresses), and holding a shoebox of licence scans you no longer need is exactly the kind of thing the regulator and every breach headline points at. Verify, keep the record you are required to keep, and stop hoarding the raw copies.
Why the stakes went up at the same time
Two things landed alongside this. The Notifiable Data Breaches scheme now applies to you, so a breach is a reporting event, not just a bad day. And the Privacy and Other Legislation Amendment Act 2024 introduced a statutory tort for serious invasions of privacy, in force from June 2025, which raises the downside of getting data handling badly wrong. (Privacy and Other Legislation Amendment Act 2024) None of this is aimed specifically at small firms, but small firms are now inside the tent.
The honest part
The OAIC is not hiding the ball. It publishes the collection notice template, a Privacy Essentials Checklist for AML/CTF reporting entities, and plain guidance for businesses new to the Act. If you have the time, you can build a serviceable baseline from those alone, and you should read them either way.
The work that the free templates do not do for you is the tailoring: filling them with your actual entity details, the specific information you collect, where it is stored, who you disclose it to, and keeping all of that current as the law shifts (and privacy law is shifting fast right now). A blank template is a starting point. A privacy policy that is wrong about your own business is worse than none.
Two questions worth asking this week
First: do you have a privacy policy and a collection notice at all, and do they actually describe how you handle client identity data, or are they a generic download that mentions cookies and a website? Second: if a laptop with client ID scans went missing tomorrow, do you know within the hour whether that is a notifiable breach and who you have to tell?
If the answer to either is "not really," that is the Tranche 2 obligation nobody put on the poster. It is smaller than the AML program, but it is not nothing, and 1 July has already been and gone.
This is general information about the reforms, not legal advice. Confirm how the APPs apply to your specific practice with a qualified adviser.
