Australian Privacy Act reforms: what software builders need to know

The 2024 reforms reshape what apps and platforms can do with personal data. Plain-English summary of what changes, what doesn't, and what to do this quarter.

By Appoly 7 min read

The Australian Privacy Act reforms — first tranche legislated in late 2024, second tranche in consultation — meaningfully change how software products can collect, store, use, and share personal data. The implications for app and platform builders are concrete.

This is a plain-English summary. Not legal advice. Your privacy counsel should be doing the formal review.

What's actually changing

The reforms are extensive but a few themes matter most for software:

A statutory tort for serious invasions of privacy

For the first time, individuals can directly sue for serious invasions of privacy. Previously they could only complain to the OAIC. The threshold is high (deliberate or reckless behaviour, serious harm), but the option exists where it didn't before.

What it means for builders: design for the worst case. Your data handling should survive scrutiny in court, not just an OAIC investigation.

A tightened "fair and reasonable" test

The Act now requires that personal data collection and use be both necessary and fair and reasonable in the circumstances. The "fair and reasonable" test is new and broader than the previous purpose limitation.

What it means for builders: data collected "just in case" is now harder to defend. Every field on every form needs a justifiable purpose.

Children's data has specific new protections

A new code (in development as of late 2024) will set explicit rules for products targeting or accessed by under-16s. Expect age assurance requirements, parental consent for some processing, and meaningful restrictions on profiling.

What it means for builders: if your product has any meaningful under-16 user base, you're going to need age verification and a different data handling model for that segment.

A right to erasure

The new framework gives individuals an explicit right to request deletion of their personal information, with limited exceptions. Previously this existed in practice but was patchwork.

What it means for builders: you need a real "delete my account" flow that genuinely deletes, not just disables. And your backend needs to support that across every place the data has propagated to.

Stronger Notifiable Data Breach obligations

The breach notification timeline is being tightened, and the threshold for what constitutes a notifiable breach has been clarified. Post-Optus and Medibank, the OAIC has been visibly more active.

What it means for builders: your incident response plan needs to actually work and be tested. Detection within hours, not weeks. Notification flows pre-prepared.

Direct marketing tightens

The conditions under which you can use personal information for direct marketing are narrowing. Implied consent is becoming less defensible; opt-in is becoming the safe default.

What hasn't changed (yet)

A few areas where reform was discussed but didn't make the first tranche:

  • A statutory definition of "personal information" expanded to clearly include inferred and de-identified data (deferred)
  • The small business exemption (under $3M revenue) — still in place, but politically contested
  • A specific AI-personal-data overlay — not in this tranche, but the EU AI Act–style provisions are increasingly likely

What to do this quarter

If you build software that touches Australian personal data, six things to do now:

  1. Audit your data inventory. What personal data do you collect, where is it stored, who has access, how long do you keep it? If you can't answer all four in writing, that's where to start.
  2. Tighten your collection forms. Every field needs a justifiable purpose. If you can't articulate why you collect it, stop collecting it.
  3. Build a real account deletion flow. It needs to delete from your primary database, backups (within a reasonable retention window), search indexes, analytics tools, and any third-party services you've shared data with.
  4. Test your breach response. Tabletop exercise: simulate a breach this week. Can you detect, contain, assess, and notify within the OAIC's expected timelines? If not, fix that.
  5. Review your data-sharing relationships. Every third-party service you send personal data to is part of your compliance perimeter. Audit which ones you actually need.
  6. Update your privacy policy. Most are out of date. They should reflect the new framework, including the rights individuals have under the reforms.
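Steps 1 and 3 above, as an added example (not code from the original post or from Appoly): a data inventory that drives the account deletion flow, so erasure fans out to every store the data has propagated to and is only reported as complete when each store confirms the data is gone. The stores, the user ids and the vendor call that fails for one user are all constructed stand-ins.

```python
"""Inventory-driven erasure flow (constructed example, not Appoly's code)."""
from dataclasses import dataclass
from typing import Callable

@dataclass
class DataStore:
    name: str
    purpose: str                    # the justifiable purpose for holding the data
    delete: Callable[[str], bool]   # True only when no trace of user_id remains
    retention_days: int = 0         # >0 for backups: purge is scheduled, not immediate

# Constructed in-memory stand-ins for the real systems.
PRIMARY_DB = {"u42": {"email": "a@example.com"}, "u7": {"email": "b@example.com"}}
SEARCH_INDEX = {"u42": "a@example.com", "u7": "b@example.com"}
ANALYTICS = {"u42": ["login", "purchase"]}

def deleter(table: dict) -> Callable[[str], bool]:
    """Delete user_id from a dict-backed store and verify it is really gone."""
    def _delete(user_id: str) -> bool:
        table.pop(user_id, None)
        return user_id not in table
    return _delete

def crm_vendor_delete(user_id: str) -> bool:
    """Stand-in for a third-party API call; constructed to fail for u42."""
    return user_id != "u42"

INVENTORY = [
    DataStore("primary_db", "account service", deleter(PRIMARY_DB)),
    DataStore("search_index", "user lookup", deleter(SEARCH_INDEX)),
    DataStore("analytics", "product metrics", deleter(ANALYTICS)),
    DataStore("crm_vendor", "support tickets", crm_vendor_delete),
    DataStore("backups", "disaster recovery", lambda _uid: True, retention_days=30),
]

def erase_user(user_id: str, inventory=INVENTORY):
    """Run deletion against every inventoried store; return (complete, per-store report).
    complete is False if any store still holds the data, so the request is retried
    rather than told to the user as done."""
    report = {}
    for store in inventory:
        if store.retention_days:
            report[store.name] = f"scheduled: purged within {store.retention_days} days"
            continue
        try:
            gone = store.delete(user_id)
        except Exception:               # a vendor outage must not look like success
            gone = False
        report[store.name] = "deleted" if gone else "FAILED: retry required"
    complete = not any(v.startswith("FAILED") for v in report.values())
    return complete, report
```

The per-store report doubles as the audit record the OAIC or a court would expect to see for a deletion request.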

Where to start if it's overwhelming

Most Australian businesses have technical debt in their privacy posture as well as their code. The right way through is the same as with technical debt: a clear assessment, prioritised fixes, and a rhythm of ongoing improvement rather than a big-bang rewrite.

If you'd like an outside view of where your product sits, book a discovery call. We've been having this conversation a lot.
