The first question: does the Privacy Act apply to your startup?

The Privacy Act 1988 (Cth) applies to "APP entities" — Australian Government agencies and organisations with an annual turnover above $3 million. This threshold catches startups earlier than founders expect. Once you cross $3 million in revenue, all 13 Australian Privacy Principles (APPs) apply in full.

But the threshold does not protect you completely before that point. The small business exemption does not apply, and the Privacy Act applies regardless of revenue, if you: provide a health service and hold health information; buy or sell personal information (disclose it for a benefit, or collect it in exchange for one); are a contracted service provider under a Commonwealth contract and handle personal information under it; or are related to a body corporate that is itself an APP entity. Small businesses that provide services to another APP entity are also usually required by that customer's contracts to handle personal information as if the APPs applied, so in practice the exemption buys little.

Almost every startup that processes personal data about Australian users will eventually be caught, and most are caught sooner than they think. The OAIC's October 2024 guidance makes clear it expects even small entities handling significant amounts of personal information to treat privacy seriously, and the Privacy Act's 2024 amendments introduced tiered penalties that scale with the seriousness of the breach.

What the APPs require for AI startups

If your product uses AI to process personal information, the APPs create specific obligations.

APP 1 — Transparency: You must have a current, accurate privacy policy that explains how you collect, use, disclose, and store personal information. If your AI uses personal data, the policy must explain this. From 10 December 2026, it must also describe the kinds of personal information used in computer programs (including AI systems) to make, or substantially contribute to, decisions that could reasonably be expected to significantly affect an individual's rights or interests, and the kinds of decisions involved.

APP 3 — Collection: Only collect personal information that is reasonably necessary for your product's function. Do not collect information "just in case" or because it might be useful for model training later. If you collect sensitive information — health, genetic, biometric, racial or ethnic origin, sexual orientation, religious or political beliefs, criminal record — you generally need the individual's consent. Note that financial information is not "sensitive information" under the Privacy Act, though it is still personal information and a high-value target.

APP 5 — Notification: Tell users what you are collecting, why, and how at or before collection. This means your onboarding flow and privacy policy cannot be an afterthought.

APP 6 — Use and disclosure: You can only use or disclose personal information for the primary purpose for which it was collected, or for a related secondary purpose the user would reasonably expect (for sensitive information, a directly related purpose). This is the key constraint on using customer data to train AI models — the OAIC's October 2024 guidance specifically addresses this and is unambiguous: training a general-purpose AI model on data collected to provide a customer service function is likely to be a secondary use that the user would not reasonably expect, so it needs consent or another APP 6 exception. The Privacy Act has no GDPR-style "legitimate interests" or contractual basis to fall back on.

APP 11 — Security: Take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure, and destroy or de-identify it once you no longer need it for any permitted purpose. For AI startups, this covers your model, your training and evaluation datasets, retrieval indexes, prompt and completion logs, and your production environment — every place personal information ends up, not just the primary database.

The Notifiable Data Breaches scheme

The NDB scheme (Part IIIC of the Privacy Act) applies to APP entities. If you suffer a data breach that is likely to result in serious harm to any individual whose information is involved, you must notify both the OAIC and the affected individuals. The assessment clock starts when you have reasonable grounds to suspect an eligible data breach may have occurred — you then have 30 days to complete a reasonable and expeditious assessment of whether notification is required, and once you believe it is, you must notify as soon as practicable. This is not 30 days to decide whether to disclose; it is the outer limit for completing the assessment.

AI startups are particularly exposed here because AI systems can fail in ways that expose personal data — model inversion or membership inference attacks against the model, prompts that elicit memorised training data, prompt injection that exfiltrates retrieved context or system prompt contents, or misconfigured RAG pipelines that serve one user's documents to another. Build your incident response plan before you need it, and make sure it covers the model and retrieval layers, not just the database.
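The last failure mode above is the most common one in practice: a retrieval layer that ranks over every stored chunk and trusts the prompt (or the LLM) to stay within the caller's data. The following is an added example, not code from the original article or from any named product; the document store, the toy bag-of-words embedding and the sample support tickets are all constructed for illustration. It contrasts an unscoped retriever with one that applies the tenant filter before ranking, using a tenant identity taken from the authenticated session, and includes a post-retrieval leak check that doubles as a detection signal for your incident response plan.

```python
"""Tenant-scoped retrieval for a RAG pipeline (added example, constructed data)."""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Chunk:
    tenant_id: str  # owner of the data; set by the ingest path, never by the user prompt
    doc_id: str
    text: str


# Constructed sample corpus: two tenants whose support tickets both mention invoices.
CORPUS = [
    Chunk("acme", "acme-ticket-17",
          "Invoice dispute: card ending 4242 charged twice on 3 March, customer Jane Doe"),
    Chunk("acme", "acme-ticket-18",
          "Password reset requested by jane.doe@example.com"),
    Chunk("globex", "globex-ticket-9",
          "Invoice query: refund of $120 to account holder Bob Smith"),
    Chunk("globex", "globex-ticket-11",
          "Shipping delay on order 5531, customer phoned twice"),
]


def embed(text: str) -> Counter:
    """Toy bag-of-words embedding standing in for a real vector model."""
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[t] * b[t] for t in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def retrieve_unscoped(query: str, k: int = 2) -> list[Chunk]:
    """VULNERABLE: ranks over the whole corpus. The caller's tenant is never
    consulted, so the best-scoring chunks for 'invoice' may belong to another
    customer and will be pasted into that customer's prompt."""
    q = embed(query)
    ranked = sorted(CORPUS, key=lambda c: cosine(q, embed(c.text)), reverse=True)
    return ranked[:k]


def retrieve_scoped(query: str, caller_tenant: str | None, k: int = 2) -> list[Chunk]:
    """HARDENED: the tenant filter is applied to the candidate set before ranking,
    and the tenant comes from the authenticated session, not from the prompt.
    A caller with no established tenant gets an error, not 'everything'."""
    if not caller_tenant:
        raise PermissionError("retrieval requires an authenticated tenant")
    q = embed(query)
    candidates = [c for c in CORPUS if c.tenant_id == caller_tenant]
    ranked = sorted(candidates, key=lambda c: cosine(q, embed(c.text)), reverse=True)
    return ranked[:k]


def cross_tenant_leak(results: list[Chunk], caller_tenant: str) -> list[str]:
    """Last-line guard and detection signal: any returned chunk not owned by the
    caller is a leak. Log and alert on it; it starts your NDB assessment clock."""
    return [c.doc_id for c in results if c.tenant_id != caller_tenant]


if __name__ == "__main__":
    query = "invoice refund"
    # Unscoped: acme's ticket (with a cardholder name) lands in globex's context.
    print("unscoped leak to globex:", cross_tenant_leak(retrieve_unscoped(query), "globex"))
    safe = retrieve_scoped(query, "globex")
    print("scoped:", [c.doc_id for c in safe], "leak:", cross_tenant_leak(safe, "globex"))
```

The filter belongs in the retrieval query itself (a metadata filter in the vector store, or a `WHERE tenant_id = ?` in a SQL-backed index), applied with the caller's identity from the session rather than from anything the model or the user can write. The post-retrieval check is cheap and worth keeping as a detector even when the pre-filter is in place: if it ever fires, the pre-filter has been bypassed and you have a suspected breach to assess.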

ASIC obligations for fintech AI startups

If your startup provides financial services — lending, investment advice, insurance, superannuation — AI creates specific ASIC obligations. RG 255 (providing digital financial product advice to retail clients) makes clear that AI-generated financial advice must meet the same statutory obligations as human advice, including the best interests duty and the requirement that the advice be appropriate to the client. If your AI makes credit decisions, the responsible lending obligations under the National Consumer Credit Protection Act, and ASIC's guidance on them, apply even if the decision is fully automated.

ASIC takes seriously the risk that AI-generated financial advice is presented as if it is personalised when it is generic, or that algorithmic pricing or credit scoring creates outcomes that disadvantage particular groups. ASIC's October 2024 review of how AFS and credit licensees govern their use of AI is instructive reading for fintech AI founders.

The ACCC and consumer law

Section 18 of the Australian Consumer Law (Schedule 2 to the Competition and Consumer Act 2010) prohibits misleading or deceptive conduct in trade or commerce. This applies directly to AI product claims. If your marketing says your AI is 98% accurate and it is not, that is potentially a consumer law violation. If your AI produces outputs that mislead consumers, your company may be liable for that misleading conduct even if you did not intend it.

The ACCC has been active on algorithmic pricing, dark patterns, and AI-generated product claims. The ACCC's 2024 digital platforms report and the ACCC's AI scams guidance give strong signals about where enforcement focus is heading.

Cybersecurity Act 2024: ransomware reporting

If your startup has annual turnover above $3 million and makes (or has someone make on its behalf) a ransomware or cyber extortion payment, the Cyber Security Act 2024 (Royal Assent 29 November 2024, with ransomware payment reporting in force from 30 May 2025) requires you to report the payment to the Department of Home Affairs or the Australian Signals Directorate, via the ACSC reporting portal, within 72 hours of making it or becoming aware it was made. The obligation is triggered by the payment, not the attack itself. Non-reporting carries a civil penalty of 60 penalty units ($19,800 at the current $330 penalty unit). Budget early for cybersecurity — AI systems that process personal data are high-value targets.

Is there an Australian AI-specific law yet?

As of May 2026, Australia does not have comprehensive AI-specific legislation equivalent to the EU AI Act. The federal government's mandatory AI guardrails framework — requiring high-risk AI to meet specific safety and transparency requirements — was in consultation as of 2024 but had not been enacted into law. The Department of Industry's voluntary AI Safety Standard (published September 2024) and the OAIC's October 2024 dual guidance on AI and privacy represent the current regulatory posture: technology-neutral laws (Privacy Act, ACL, sector-specific regimes) applied to AI, supported by voluntary standards.

Founders should not interpret the absence of an AI-specific law as absence of obligation. The existing laws are being applied actively to AI systems, and the OAIC, ASIC, and ACCC have each signalled increased scrutiny of AI products in their 2025-26 corporate plans.

Practical priorities for Australian AI startups

In priority order: complete a privacy impact assessment before building any feature that processes personal information; write a privacy policy that actually describes your AI product's data flows; build consent mechanisms for secondary uses, including model training; implement data minimisation — collect only what you need, and destroy or de-identify what you no longer need; and get your security posture right early, including tenant isolation in retrieval and logging pipelines. Retrofitting privacy by design is expensive and disruptive. Build it in from the start.