The Privacy Act 1988 and the Australian Privacy Principles (APPs) generally apply to businesses with an annual turnover of $3 million or more. However, several categories of small businesses are covered regardless of turnover: health service providers, businesses that trade in personal information, contractors under Commonwealth government contracts, and businesses related to a larger organisation that is covered.
Even if you're under the threshold, there are strong practical reasons to handle customer data responsibly. Data breaches damage trust and reputation. State-based consumer protection laws may still apply. And the threshold may be lowered in future — the Privacy Act Review Report (2022) recommended extending coverage to all businesses.
If the APPs apply to you, the key obligations include: collecting only personal information that is reasonably necessary for your functions, providing a privacy policy explaining how you handle information, taking reasonable steps to protect information from misuse and unauthorised access, allowing individuals to access and correct their information, and notifying the OAIC and affected individuals of eligible data breaches.
At minimum, every small business should: secure customer data (encryption, strong passwords, access controls), publish a basic privacy policy on its website, collect only the data it actually needs, and securely dispose of data it no longer needs.