Privacy Act Tranche 1, the foundation shift
The first structural overhaul of the Privacy Act in decades is staging in through December 2026. Three changes matter directly to marketing and analytics teams.
The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024. It is the first structural overhaul of the Privacy Act 1988.
Automated decision-making transparency
From 10 December 2026, organisations must disclose in their privacy policies the types of personal information used in substantially automated decisions, the nature of those decisions, and where they could reasonably be expected to significantly affect individuals’ rights or interests.
This captures algorithmic ad targeting, personalisation engines, lead scoring, dynamic pricing, and any AI-driven marketing decisioning. If your marketing stack includes programmatic advertising, recommendation engines, or predictive analytics, those systems need to be audited and documented before the obligation commences (and most marketing stacks I’ve seen are nowhere near ready).
Children’s Online Privacy Code
The OAIC must develop and register a Children’s Online Privacy Code by 10 December 2026. Direct marketing to children will only be permitted where consent is obtained, the activity serves the child’s best interests, and the data is collected directly from the child. Any audience segment that includes minors is now subject to specific constraints on data collection and targeting.
Statutory tort for serious invasion of privacy
Individuals can now pursue damages for serious privacy breaches. This creates direct financial liability exposure for organisations whose data handling causes harm, a risk that did not previously exist in Australian law. Marketing teams are now a primary source of privacy risk, not a peripheral one.
What this means for your marketing operations
Every organisation using automated systems in marketing needs to do three things before December 2026.
Audit every automated decision-making system in the marketing stack. Document how each works, what data it uses, and what decisions it makes.
Rewrite privacy policies to disclose ADM practices in plain language. The disclosure obligation sits on the organisation, not the vendor.
Review any audience segments or campaigns that include minors. Assess compliance against the incoming Children’s Code and adjust before the code is registered.
The enforcement framework now carries GDPR-scale penalties (the greater of AUD 50 million, three times the value of any benefit obtained, or 30% of adjusted turnover). The Privacy Act is now a material business risk, not a compliance formality, and the December 2026 dates are not negotiable.