The Structure of the Privacy Act in 2026

The Privacy Act is the primary federal data protection statute in Australia, supported by the Australian Privacy Principles (APPs) that operationalize its requirements. The 2024 and 2025 reform tranches restructured several key elements without rewriting the Act from scratch.

What the First Tranche Changed

The first reform tranche, which took effect through 2024, introduced several long-awaited changes:

• Substantially increased maximum penalties for serious or repeated interferences with privacy, bringing Australian penalties closer to GDPR levels
• New powers for the OAIC to conduct investigations on its own motion and to issue infringement notices
• The Children's Online Privacy Code, which imposes specific obligations on services likely to be accessed by children
• Strengthened breach notification requirements, including faster notification timelines

What the Second Tranche Changed

The second reform tranche, in force through 2025 and into 2026, addressed the more architectural issues:

• The statutory tort of serious invasions of privacy, giving individuals a direct cause of action for serious privacy breaches
• Expanded definitions of personal information to clarify the treatment of online identifiers and inferences
• Enhanced consent requirements for direct marketing and targeted advertising
• New transparency obligations for automated decision-making, including a right to a meaningful explanation
• Updated cross-border data flow rules with reformed reasonable-steps obligations

Who Is Regulated

The Privacy Act applies to most Australian Government agencies and to private-sector organizations with annual turnover above a threshold (currently AUD 3 million). It also applies extraterritorially to foreign organizations that carry on business in Australia and that collect or hold personal information in Australia. Foreign publishers serving Australian users through localized sites or programmatic inventory bought against Australian IPs are typically in scope, and the OAIC has invoked the extraterritorial provision in several recent matters.

What Counts as Personal Information

The Privacy Act's personal information definition was clarified in the reform process to address the long-standing uncertainty about online identifiers.

The Updated Definition

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, regardless of whether the information is true or whether it is recorded in a material form. The 2025 reforms clarified that this includes online identifiers, technical data, and inferences drawn from behavioral data when these can be tied to an individual either directly or by combination with other information.

Sensitive Information

The Act designates a category of sensitive information that includes health information, racial or ethnic origin, political opinions, membership of political associations, religious beliefs, philosophical beliefs, membership of professional or trade associations, membership of trade unions, sexual orientation or practices, criminal record, biometric information, and biometric templates. Processing sensitive information requires explicit consent and triggers heightened obligations.

Why This Matters for Cookies

A cookie that stores a routine identifier is personal information. A cookie that feeds an audience segment touching the sensitive list — health interests, political alignment, religious affiliation — is sensitive information processing and requires the heightened consent flow rather than the general advertising consent. Publishers running audience segments that overlap the sensitive list should be auditing their consent flows specifically against this boundary.

Cookie Consent Under the Reformed Privacy Act

The reform process clarified consent requirements for direct marketing and targeted advertising in ways that move Australia closer to a GDPR-style opt-in model than the historical Australian regime.

The Updated Consent Standard

Consent under the reformed Privacy Act must be:

• Voluntary — given without coercion or undue pressure
• Informed — the individual understands what data is collected, why, and how it will be used and disclosed
• Current — the consent is fresh enough to be meaningful for the proposed processing
• Specific — tied to clearly identified purposes rather than blanket umbrella consent
• Unambiguous — expressed through a clear affirmative act rather than inferred from inactivity

What a Compliant CMP Looks Like

A CMP configured for Australian traffic in 2026 should present:

• A visible banner before any non-essential cookie or tracker fires
• Equal visual prominence for Accept, Reject, and Customize — the OAIC has signaled increased attention to dark-pattern banner designs
• Granular toggles per purpose: analytics, advertising, personalization, cross-border transfer, and any sensitive-information processing
• A separate, clearly-labelled flow for sensitive information processing, gated behind its own action
• A persistent, easily-accessible mechanism to withdraw consent
• An English-language privacy policy with full APP-aligned disclosures including the OAIC complaint channel

Consent Records

The reform increased the OAIC's appetite for evidence-based enforcement, and consent records have been cited in several recent matters. Exportable, timestamped consent logs are the baseline expectation, and inadequate consent records have been called out in formal determinations.

Cross-Border Disclosures Under the Reformed Regime

The Privacy Act has historically taken a different approach to cross-border data flows than the GDPR — the focus is on the disclosing organization's accountability rather than on prior authorization of the receiving jurisdiction. The 2025 reforms refined this approach without abandoning it.

The APP 8 Reasonable Steps Obligation

Australian Privacy Principle 8 requires that before disclosing personal information to an overseas recipient, the disclosing organization take reasonable steps to ensure the recipient does not breach the APPs. This typically means a contractual mechanism, due-diligence review of the recipient's privacy practices, or reliance on a substantially similar legal regime in the destination country.

The Accountability Backstop

If the overseas recipient does breach the APPs in connection with the disclosed information, the Australian disclosing organization is treated as having engaged in the breach. This accountability backstop is the practical enforcement lever for cross-border flows and is what makes the contractual mechanism not merely a documentation exercise.

The Practical 2026 Approach

For most foreign publishers in 2026, the working approach is to execute APP-compliant data transfer agreements with overseas processors, document the transfer in the privacy policy, and maintain a vendor-due-diligence record that demonstrates the reasonable-steps obligation has been met. This is meaningfully simpler than the GDPR's prior-authorization approach but no less rigorous in substance.

Data Subject Rights and Automated Decision-Making

The reformed Act expands the rights individuals can exercise.

The Core Rights

• Right of access to personal information held by the organization
• Right of correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading information
• Right to opt out of direct marketing
• Right to know to whom personal information has been disclosed
• Right to a meaningful explanation of automated decisions producing significant effects
• Right to complain to the OAIC

Response Timelines

The Act sets reasonable-period response timelines, and OAIC guidance interprets reasonable as typically not exceeding 30 days for access requests. Operational readiness for this window — with tooling and runbooks tuned to Australian-specific processes — is a common gap for foreign publishers.

The Children's Online Privacy Code

The Code, which took effect through 2024, applies to online services likely to be accessed by children and imposes specific obligations including age-appropriate design, restricted profiling and targeted advertising, default high privacy settings, and parental engagement requirements. Publishers whose audiences include significant under-18 traffic need age-aware flows, restricted processing for the minor segment, and Code-aligned defaults — none of which are off-the-shelf for most foreign publishers.

Penalties and Enforcement Posture in 2026

The OAIC's enforcement activity has escalated meaningfully through 2024 and 2025, and 2026 is on a similar trajectory.

Maximum Penalties

For serious or repeated interferences with privacy, the maximum penalty is the greatest of AUD 50 million, three times the value of the benefit obtained from the conduct, or 30 percent of the organization's adjusted turnover in the relevant period. This brings Australian penalties decisively into the GDPR range and removes the gentle-regime characterization that previously applied.

The Statutory Tort

The 2025 statutory tort of serious invasions of privacy gives individuals a direct cause of action for damages, separate from the regulatory enforcement. Class actions are an emerging avenue, and several have been filed against major platforms in late 2025 and early 2026.

Enforcement Themes

The OAIC's recent matters cluster around recurring issues: dark-pattern consent banners, inadequate breach notification, cross-border disclosures without documented reasonable steps, sensitive-information processing without explicit consent, and failure to respond to access requests within the reasonable-period window.

Audit Checklist for Australian Traffic in 2026

• CMP banner with Accept, Reject, and Customize at equal visual prominence
• Consent purposes are granular and separate sensitive-information processing behind explicit consent
• Privacy policy is APP-aligned with full disclosure of overseas recipients, purposes, retention, and OAIC complaint channel
• APP 8 cross-border disclosure agreements are in place with all overseas processors, with documented vendor due diligence
• Consent logs are timestamped, exportable, and retained for the applicable retention period
• Data subject access workflow can respond within the reasonable-period window end-to-end
• Children's Online Privacy Code obligations are addressed where the audience includes minors, including age-appropriate design and restricted profiling
• Automated decision-making explanations are available where significant decisions are made using such systems
• Breach notification runbook is tuned to the reformed timelines
• Vendor list has been reviewed for necessity, with unused or redundant vendors removed to reduce the disclosure surface

The 2026 Outlook

Australia's privacy regime has finally moved from a long reform process into a credible enforcement posture. The maximum penalties are now in the GDPR range, the OAIC has the powers it needs to enforce them, the statutory tort gives individuals a direct cause of action, and the Children's Online Privacy Code raises the floor for any service that touches under-18 audiences. For publishers already running a GDPR-grade consent stack, the gap to Privacy Act compliance is operational rather than architectural: APP-aligned privacy policy, APP 8 documentation, the Children's Code defaults, and the access-request response cadence. The gap can be closed in weeks if it is prioritized. The publishers who treated Australia as a relatively gentle market through 2023 are finding 2026 meaningfully more expensive, and the trend will continue. The good news is that the gap to compliance is small for any publisher who has done the European work; the bad news is that most publishers underestimate just how much the reformed Australian regime expects of them.