
Is AI Making Decisions About Your Customers? The 2026 Rule Online Businesses Keep Missing

Picture this. A customer tries to check out, and your fraud filter quietly declines the order as "high risk." She did nothing wrong. A real sale just vanished, and no human ever looked at it. The system decided.

That little moment, repeated across checkouts, chatbots, and sign-up forms, is exactly what a new set of Australian privacy rules is about. And most online businesses have not clocked it yet.

You may have seen our post on whether your privacy policy mentions AI. That one covers what the law expects your policy to say. This one is about something more practical and easier to miss: how to spot the automated decisions already happening in your business, and what to actually do about them.

What counts as an "automated decision"

In plain English, it is when you set up software to make a decision about a person, or to do most of the work of making it, using their personal information, and that decision could meaningfully affect them.

From 10 December 2026, new clauses in the Australian Privacy Principles (APP 1.7 to 1.9) bring these decisions into the open. The idea is simple and fair: people have a right to know when a system, not a human, is making calls about them.

Does your business use any?

Most online businesses do, without realising it. Here are the most common ones:

  • Fraud filters: software that flags or blocks orders based on risk scores
  • Chatbots: automated responses that decide what information to give to (or withhold from) a customer
  • Email segmentation: tools that decide which customers get which offers
  • Application or waitlist processing: software that scores or ranks applicants
  • Pricing or discount logic: dynamic pricing based on customer data

If your software is using customer data to make or substantially influence a decision that affects them, this rule is for you.

What do you actually need to do?

The requirement is disclosure. Your privacy policy needs to tell people, in plain language, that you use automated decision-making, what kinds of decisions are made, and the kinds of data used to make them. You do not need to switch off your tools. You need to be upfront about them.

The new rules also give people the right to request a review of significant automated decisions. So if someone is denied a purchase, loan, or service by software alone, they may be able to ask for a human to look at it.

If you already have Foundd Legal templates

Your templates are kept up to date as laws change and interpretations evolve, which is the whole point of buying properly drafted Australian templates rather than a one-off copy that ages the moment the law moves. Worth checking your account for the latest version, and if your stack does not yet include website legals, the Website Kit bundles your privacy policy, terms, and disclaimer together.

If your documents came from somewhere else, this is what the AI Add-On Clause Pack is for. Not everyone bought their contracts and policies from us, and that is fine. The AI Add-On Clause Pack gives you lawyer-drafted AI clauses you can bolt straight onto the contracts, website terms, and privacy policy you already have, wherever they came from. It includes a section written specifically for your privacy policy that covers using AI to handle personal information, overseas disclosure, and automated decision-making, in line with the Australian Privacy Principles. Each clause comes with the exact wording to copy plus a short note on where it goes and what it does. And like our templates, it comes with future updates as AI and privacy laws change.

Here is the honest pitch for it. You could spend hours trying to get ChatGPT or Claude to draft this for you, second-guessing whether the output is current, Australian, and actually safe to rely on. (Spoiler: that is its own risk, which is why we wrote 3 reasons not to use ChatGPT to draft your contract.) Or you grab a plain-English, cost-effective pack that was written by lawyers for exactly this, drop the clauses in, and get on with running your business. If you use AI in client work too, pair it with why your contract needs an AI clause.

Where to start this week

  1. List the spots where software makes a real decision about a person in your business: checkout, support, applications, pricing, lead handling.
  2. Open your privacy policy and see whether it honestly reflects any of it. Most do not.
  3. Sort it the easy way: update your Foundd templates to the current version, or add the AI Add-On Clause Pack if your documents came from elsewhere. Do it before the 2026 date, not the week of it.

Your business is already letting software make calls about real people. That is not a problem to hide from; it is just one to be honest about, in plain language, in the document that is meant to do exactly that. Get it sorted once, keep it current, and let the back end of your business be as legit as the front.

FAQ

Do I have to disclose automated decisions in my privacy policy?

From 10 December 2026, if your business uses software to make, or substantially help make, a decision about a person using their personal information, and that decision could significantly affect them, the new APP 1.7 to 1.9 rules expect your privacy policy to be upfront about it. Even where the exact rule does not capture you, your policy should still honestly reflect any AI or automation that touches personal information.

Does a chatbot or fraud filter count as an automated decision?

It can. The rules are written broadly enough to cover AI tools and plain rule-based software. The question is whether the tool makes a decision that affects a person using their information, not whether it is “AI.”

I did not buy my documents from Foundd. What is the quickest fix?

The AI Add-On Clause Pack is built for exactly that. It gives you lawyer-drafted AI clauses, including a privacy policy section on automated decision-making, that you bolt onto the contracts and policies you already have.


About the Author

Riz McDonald - Founder of Foundd Legal

Riz is the Founder & Director of Foundd Legal, a lawyer with 20+ years' experience and a long history of building online and ecommerce businesses. She helps creatives and online business owners protect and grow their businesses with clear, practical legal tools that actually make sense.


We do our best to keep this content accurate and up to date, but laws change, interpretations evolve, and the internet isn't perfect. Occasionally, information may be outdated or contain errors. This content is for general information only and isn't legal advice. If you choose to rely on it, you do so at your own discretion. For advice specific to your business, you'll need support tailored to your situation. All rights reserved. © Foundd Legal Pty Ltd

