Compliance · Tradies & Sole Traders

Privacy Act 2026 for Perth Sole Trader Clinics

By Ronald Basawil · Published 1 June 2026 · 6 min read

The short version: Most Australian tradies and sole traders are not covered by the Privacy Act 1988. The small business exemption (annual turnover under $3 million) excludes the majority of single-operator electrical, plumbing, landscaping, cleaning, and similar trades. That includes the new 10 December 2026 automated decision-making transparency rules. But the exemption has carve-outs — and even where it applies, it does not cover the Spam Act, the Do Not Call Register, or contractual obligations you may have inherited from covered customers. This article gives you the plain-English version.

The small business exemption

Under the Privacy Act 1988, a business is generally only an "APP entity" — and therefore bound by the Australian Privacy Principles — if it has an annual turnover of more than $3 million. Most Australian sole traders and small trade businesses fall under this threshold and are exempt.

If you are exempt, the new Privacy Act 2026 changes — including the APP 1.7 automated decision-making transparency requirements commencing 10 December 2026 — do not apply to you directly. Our main Privacy Act 2026 article covers what those rules mean for covered businesses; this article is the version for everyone else.

The carve-outs — when the exemption does not apply

The small business exemption is not absolute. A business under $3 million in turnover is still covered by the Privacy Act if it falls into one of these categories:

1. You handle health information

Any business that provides a health service or holds health information about an individual is covered regardless of turnover. This includes obvious cases (allied health practitioners) and some less obvious ones — for example, a tradie subcontracted to do specialised renovations for a medical practice who holds patient access details, or an NDIS support worker.

2. You provide services to the Australian Government under contract

If you have an Australian Government contract — federal, not state — that requires you to handle personal information, the small business exemption is lost in respect of that contract. Tradies on Defence contracts, federal building works, or government IT projects are common examples.

3. You trade in personal information

Buying, selling, or providing personal information for benefit, service, or advantage removes the exemption. This typically catches lead-generation businesses, list brokers, and marketers — not most tradies — but the threshold is lower than it sounds. A business that sells its customer database to a competitor on exit, for example, may have crossed this line.

4. You are a credit reporting body or credit provider

If you offer credit terms or report credit defaults, parts of the Privacy Act (Part IIIA — credit reporting provisions) apply regardless of turnover. Most tradies do not fall into this, but those running formal payment plans with credit defaults reporting may.

5. You are related to a larger covered business

A small business that is a related body corporate of a larger covered business loses the exemption. Common in franchise structures and group entities.

6. You have opted in

Any small business can voluntarily opt into Privacy Act coverage by notifying the OAIC. Most do not, but some do for reputational or competitive reasons.

What is genuinely on your radar even if exempt

Even if the Privacy Act does not apply to your trade business, three other regulatory frameworks do, and the small business exemption does not protect you from them.

Spam Act 2003

If you send marketing emails or SMS, you must have consent (express or inferred), identify yourself, and provide an unsubscribe option. There is no turnover threshold. Penalties from ACMA can be substantial. For tradies sending booking reminders or "haven't heard from you in a while" follow-ups, this matters.

Do Not Call Register Act 2006

Outbound marketing phone calls must respect the Do Not Call Register, with calling-hour restrictions, accurate caller ID, and proper identification. Inbound calls are not affected. For tradies doing cold outreach (canvassing for new work, follow-up sales calls), this is the regulation to know.

Australian Consumer Law

The ACL applies to all businesses regardless of size. Misleading or deceptive conduct, false representations, and unfair terms in standard form consumer contracts are all enforceable by the ACCC. Privacy policies that overstate your practices are caught by the ACL even if the Privacy Act does not catch you.

Contractual obligations from your customers

The most common way exempt tradies still end up with privacy obligations is through their contracts. When you do work for a covered business — a medical practice, a law firm, a large corporate, a government agency — that customer's own Privacy Act obligations will often extend down to you through the supply contract.

If a medical practice engages you to do facilities maintenance and you receive any patient names, addresses, or appointment details in the course of the work, you become bound by the practice's privacy obligations in respect of that information. The fact that you are independently exempt does not help. Same applies to NDIS providers, aged care providers, government contractors, and many enterprise customers.

The practical implication: read the privacy clauses in any contract with a covered customer. Some will impose ongoing obligations on you that look similar to the Privacy Act.

Should you act anyway?

Even where you are clearly exempt, there are three reasons to behave as if covered:

The exemption may not last. The small business exemption has been under formal review for several years and is widely expected to be narrowed or removed in a future tranche of Privacy Act reform. Building good practices now means you are not scrambling when the rules change.
Customer expectations. Even consumers who do not know what the Privacy Act is expect their plumber, electrician, or landscaper to handle their address, payment details, and property access information responsibly. A simple privacy notice on your website costs nothing and aligns with what customers already assume.
Reputational tail risk. A small business that mishandles customer data may not face Privacy Act penalties, but it can still face media scrutiny, defamation risk, and customer churn. The downside of a data leak is rarely capped by the legal exemption.

If you use an AI receptionist as a tradie or sole trader

For most tradies using an AI receptionist, the compliance picture is straightforward:

Identify the AI as an AI. The AI should introduce itself at the start of every call. This is good practice, expected by customers, and avoids any "misleading conduct" exposure under the ACL.
Secure customer data. Use an AI receptionist hosted in Australia where practical, and confirm that the vendor's security posture is reasonable for the data they handle (call recordings, customer contact details, property access information).
Inbound only, no outbound marketing through the AI. Inbound reception has a light compliance burden. Outbound AI calling triggers the Spam Act and Do Not Call obligations — keep marketing campaigns separate and human-reviewed.
If you serve covered customers (clinics, government, NDIS), inherit their obligations. Check your supply contracts. The AI receptionist needs to handle data in a way consistent with what your covered customers expect.

Want a no-pressure conversation about whether AI reception fits your trade?

We build AI receptionist systems for Australian tradies, sole traders, and service businesses. If you are under $3M turnover and not serving regulated customers, the compliance burden is genuinely light. If you are, we can help you scope a system that respects the obligations you have inherited.

Get in touch

Frequently asked questions

Does the Privacy Act apply to Australian tradies and sole traders?

Most do not. The Privacy Act 1988 has a small business exemption that applies to businesses with an annual turnover of $3 million or less. The majority of Australian tradies, sole traders, and small service businesses fall under this threshold and are not bound by the Australian Privacy Principles or by the new APP 1.7 automated decision-making transparency requirements commencing 10 December 2026. However, the exemption has carve-outs.

When does the small business exemption not apply?

The exemption does not apply if the business handles health information at any point, provides services to the Australian Government under contract, trades in personal information, is a credit reporting body or credit provider, is related to a larger covered business, or has opted into Privacy Act coverage. Tradies who do work for medical centres, NDIS providers, government agencies, or who hold credit information about customers are typically covered regardless of turnover.

If I am exempt, should I still update my privacy practices?

Yes, for two reasons. First, the small business exemption has been under review for several years and remains politically uncertain. Second, customers increasingly expect privacy transparency regardless of legal obligation, and tradies who handle property access details, payment information, and personal contact data benefit reputationally from clear privacy practices. Many tradies also work with covered customers whose own compliance obligations extend down to suppliers.

Does the Spam Act apply to tradies and sole traders?

Yes. The Spam Act 2003 and the Do Not Call Register Act 2006 apply to all Australian businesses regardless of size, with no small business exemption. If you send marketing SMS or email, or make outbound marketing phone calls, you must comply with consent and identification requirements administered by ACMA. This is separate from the Privacy Act and applies to most tradies who do any form of customer outreach.

What about AI receptionists for tradies — are there compliance issues?

For most tradies under the small business exemption, the formal Privacy Act compliance burden for AI receptionists is light. The main considerations are: identifying the AI as an AI on every call, securing customer data adequately, and ensuring any outbound use of the system complies with the Spam Act and Do Not Call Register Act. Tradies who work as suppliers to covered businesses may inherit compliance obligations through their contracts.

This article is a practical guide and is not legal advice. The small business exemption under the Privacy Act has been the subject of ongoing review and may change. Tradies and sole traders with specific concerns about their obligations should consult a qualified privacy lawyer, particularly where they hold contracts with covered businesses, handle health information, or operate at or near the $3 million turnover threshold.

What this looks like for a solo Perth physio or chiro

The most common question I get from sole trader clinic owners in Perth is: "I'm a one-person practice — does this really apply to me?" The answer is yes, specifically because health information triggers the Privacy Act regardless of business size. The practical reality is that the compliance work for a solo clinic is much lighter than for a multi-practitioner centre. The three things a sole trader clinic genuinely needs before 10 December: an updated privacy policy that discloses any AI tools used in the practice, a call opening script that identifies AI use before collecting patient information, and a simple data retention policy that documents how long patient records and call data are kept. For most solo practitioners I work with, this is a half-day of setup — not a months-long compliance project.

Ronald Basawil

Founder, RJ Does AI · Perth, Western Australia

Ronald has 7+ years of experience in logistics and operations, and is the founder of RJ Does AI — a Perth-based agency building AHPRA-aligned AI receptionists for Australian clinics, law firms, and migration agents. He has hands-on experience deploying AI voice systems using Vapi, n8n, Twilio, and GoHighLevel across multiple Australian practice verticals, with a focus on Privacy Act 2026 compliance and after-hours call recovery.