Australian privacy compliance: four key developments in 2026

Australian privacy law is not standing still. In 2026, businesses face a wave of new compliance obligations: mandatory disclosure requirements for automated decision-making systems, a Children’s Online Privacy Code that reaches far beyond kids’ apps, and a landmark tribunal decision that redefines what ‘collection’ means for even the most fleeting data processing. The stakes are real, and the deadlines are close. Privacy Awareness Week is the moment for organisations to cut through the noise, assess their exposure, and take decisive action.

New mandatory disclosure obligations for automated decision-making

The clock is ticking. From 10 December 2026, APP entities that use computer programs in decision-making, where those decisions may have a significant impact on an individual’s rights and interests, must meet mandatory new disclosure requirements. These include explaining what automated decision-making (ADM) systems they deploy, what decisions those systems make, and what personal information they process.

Compliance will require substantial preparatory work. Many organisations have deployed ADM systems across a range of functions, such as customer onboarding, credit assessments, fraud detection and HR screening, without necessarily cataloguing those systems or the data they use.

Before the obligations come into effect, organisations should conduct an ADM audit, working through five key steps:

  • identify all ADM systems in use;
  • assess the decisions those systems make;
  • map the personal information they process;
  • implement the mandatory disclosures; and
  • consider whether human-in-the-loop safeguards are appropriate.

Early movers will have the time to embed disclosure into existing privacy governance frameworks. Those who wait risk scrambling to retrofit compliance under deadline pressure.

The Children's Online Privacy Code: not just for kids' apps

Perhaps the most widely misunderstood aspect of the new regulatory framework is the scope of the Children's Online Privacy Code. Many organisations assume the Code applies only to services clearly directed at children: kids' apps and games, streaming platforms for minors, educational software, and social media for under-18s. That assumption is wrong.

The Code will apply to any digital service that is ‘likely to be accessed by children’, even if that service was designed for a general or adult audience. General social media platforms, search engines and online marketplaces are all likely to be included. 

The Code’s obligations go well beyond a simple privacy policy. It puts children's best interests front and centre, requiring child-friendly language, limits on direct marketing, deletion rights and real choices about age assurance.

The Code’s commencement date has not yet been specified, but it will be registered by 10 December 2026. Organisations should not treat the absence of a start date as breathing room; the groundwork needs to begin now.

A practical first step is to map digital services by audience type and identify the specific changes each service will need to meet the Code’s heightened privacy standards.

Data privacy under scrutiny in cross-border transactions

Cross-border disclosure of personal information under Australian Privacy Principle 8 (APP 8) remains a persistent source of compliance risk, and the root cause is almost always the same: misconceptions about how the obligation actually operates.

Three assumptions in particular deserve to be challenged. First, many organisations incorrectly assume that transferring personal information to an overseas parent company or subsidiary is merely an ‘internal transfer’ to which APP 8 does not apply. 

Second, organisations frequently assume that storing data on an overseas cloud service does not require disclosure; however, APP 8 can still apply.

Third, many organisations believe the employee records exemption covers offshore transfers of staff data. In practice, that exemption is considerably narrower than most realise.

None of these are theoretical risks. Each represents a live enforcement exposure. The fix is straightforward: a careful review of existing data flows and vendor arrangements will surface most issues before a regulator does.

Collection happens, even when data is fleeting

Bunnings Group Limited v Privacy Commissioner [2026] ARTA 130 is now the authority for the principle that transient processing of personal information can constitute ‘collection’ under the Privacy Act.

Where collection is established, however briefly (including where data is automatically deleted after being handled), Privacy Act obligations apply, including ensuring there is a lawful basis for collecting personal information, notifying individuals of that collection, and keeping that information secure.

To address this, organisations should:

  • map all data flows end-to-end, including where the handling of data occurs fleetingly;
  • update APP 5 notices to cover transient or instantaneous collection of personal information;
  • assess consent pathways for the collection of sensitive information such as biometrics; and
  • build vendor and data protection impact assessment clauses that address transient processing and deletion verification.

A privacy action plan for 2026

General Counsel and privacy leads should treat the following as an ongoing working action plan.

  1. Map transient data flows end-to-end and record where APP collection occurs.
  2. Update privacy policies and collection notices to explain fleeting data collection, its purposes, retention and deletion settings, and ADM use cases.
  3. Review consent pathways for sensitive information, including biometrics and health data.
  4. Review handling of children's personal information for compliance with the new Code and broader privacy laws.
  5. Conduct Privacy Impact Assessments for data matching, analytics, and AI use cases.
  6. Strengthen vendor terms to incorporate APP 8 cross-border checks, deletion or return of data on disengagement, and audit rights.

A call to action on privacy

The compliance picture for 2026 is demanding. ADM disclosure obligations, the Children's Online Privacy Code, a landmark ruling on transient data collection, and persistent misconceptions about cross-border transfers all require urgent attention, and several of the deadlines are already fixed.

Organisations that act now, by auditing ADM systems, mapping data flows end-to-end, and pressure-testing cross-border transfer assumptions, will not only meet the immediate requirements but will be better positioned for the further reforms still to come. The question is not whether to act, but how quickly.

Authors

Clare Mould

Special Counsel

Theonie Scott

Special Counsel

Matthew Lee

Senior Associate

Kate Mani

Senior Associate

This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.
