
Using AI in Your Small Business? What Australian Privacy Law Actually Says

AI has quietly become your unpaid intern. It writes your emails, sorts your customer enquiries, drafts your proposals, maybe even runs a chatbot on your site. It's saving you hours every week. 

Here's the part most business owners miss. The moment you feed customer information into an AI tool, Australian privacy law is in the room with you. And the rules are tightening, not loosening. Let's walk through what actually applies to you. 


How AI Privacy Law in Australia Applies to Small Business 

Start with the foundation. The Privacy Act 1988 and the Australian Privacy Principles govern how businesses handle personal information. Personal information is anything that can identify a person, like a name, email, phone number, or photo. 

The regulator, the OAIC, has made the position clear. The Australian Privacy Principles apply to personal information you put into an AI system, and to the information an AI system generates or infers that identifies someone. In plain terms, your privacy obligations don't switch off because a clever tool is doing the work. They follow the data wherever it goes. 

So if you collect someone's details and then run them through AI, you're still responsible for how that information is used, stored, and protected. The AI is your tool. The responsibility stays yours. 

The Personal Information You Are Feeding AI Without Thinking 

This is where it gets real, because it's already happening in your business. 

You paste a client email into ChatGPT to draft a reply. You upload a customer list to get help with a campaign. You ask AI to summarise feedback that names real people. Each of those moves sends personal information into a third-party system, often one based overseas. That can trigger obligations around how you handle and disclose that data. 

None of it feels like a privacy event. It feels like getting work done. That's exactly why it's risky. The habit forms before the awareness does, and by then your customers' details have been scattered across tools you don't control. 

The Small Business Myth That Could Catch You Out 

You may have heard that small businesses are exempt from the Privacy Act. For now, many businesses turning over under three million dollars a year sit outside parts of it. So you relax. 

Don't get too comfortable. The Government has agreed in principle to remove that small business exemption, which would bring millions of businesses fully into the Privacy Act. It hasn't happened yet, but the direction is set. Building good privacy habits now means you're not scrambling when the rules change. 

There's also a catch even today. The exemption has holes. Businesses that handle health information, trade in personal information, or provide certain services can already be covered regardless of size. On top of that, many service providers, such as Meta and Google, expect you to have a privacy policy irrespective of the size or nature of your business. Assuming you're exempt is a gamble that can quietly stop being true.

The New Privacy Risks Landing in 2025 and 2026 

Two changes deserve your attention, because they widen the risk beyond the old rules. 

First, a statutory tort for serious invasions of privacy commenced on 10 June 2025. In plain English, individuals can now sue directly for a serious invasion of their privacy. That reaches further than before, and small businesses are not automatically out of range. 

Second, from 10 December 2026, privacy policies will need to address certain uses of AI in automated decisions that significantly affect people. We unpack that change in our guide on whether your privacy policy mentions AI. The pattern is clear. Using AI with personal information is becoming something you have to disclose and manage, not something you can do quietly. 

Five Steps to Use AI Without Breaching Privacy 

  • Don't paste identifying details into AI unless you've thought about consent and security. Strip names where you can. 

  • Check the tool's data settings. Know whether your inputs train the model or are stored, and turn that off where possible. 

  • Have a current Privacy Policy that reflects how you actually use data, including AI. 

  • Get consent where you're collecting or using personal information in new ways. 

FAQ 

Does the Privacy Act apply to my small business if I use AI? 

It depends on your situation, but relying on the small business exemption is risky, and the Government plans to remove it. Meta, Google and similar providers also expect you to have a privacy policy. If you handle personal information through AI, the safest move is to operate as though the Privacy Principles apply.

Is it illegal to put customer data into ChatGPT? 

It isn't automatically illegal, but it can create privacy obligations and risks depending on the data and the tool. Strip identifying details, check the tool's settings, and get advice for anything sensitive. 

What is the serious invasion of privacy tort? 

A new right, in force since 10 June 2025, that lets individuals sue directly for a serious invasion of their privacy. It broadens who can be held accountable. 

Get Your Privacy House in Order 

AI is a genuine gift for a small business. It also quietly raises the stakes on how you handle people's information. The businesses that win are the ones that use the tools and respect the rules at the same time. 

A current, properly drafted Privacy Policy is your starting point. It sets out how you handle personal information, helps you meet your obligations, and shows customers you take their data seriously. Or purchase the full Website Kit and your site is covered front to back. 

Sort your privacy before the new rules land. 

A Simple Way to Picture Your Responsibility 

If the legal language feels slippery, use this picture instead. Treat every piece of customer information like something a client handed you to look after. 

You wouldn't leave it on a train, photocopy it for strangers, or post it overseas without a thought. Feeding it into an AI tool can be a version of exactly that, just faster and invisible. The information is still theirs, you're still the custodian, and the duty of care still sits with you. 

Hold that idea and most decisions get easier. Would the customer be comfortable if they watched you do this? If the honest answer is no, strip the identifying details, check the tool's settings, or keep that data out of AI altogether. Good privacy isn't complicated. It's mostly the discipline to pause before you paste. 



 

About the Author

Riz is the Founder & Director of Foundd Legal, a lawyer with 20+ years' experience and a long history of building online and ecommerce businesses.

She helps creatives and online business owners protect and grow their businesses with clear, practical legal tools that actually make sense.

 

 


Disclaimer

We do our best to keep this content accurate and up to date, but laws change, interpretations evolve, and the internet isn't perfect. Occasionally, information may be outdated or contain errors.

This content is for general information only and isn't legal advice. If you choose to rely on it, you do so at your own discretion. For advice specific to your business, you'll need support tailored to your situation.

All rights reserved. © Foundd Legal Pty Ltd

