AI Is Making Your Decisions: From December You Have to Say So
From 10 December 2026, businesses using AI in decisions that affect customers must disclose it in their privacy policy. Government data shows most aren't ready.
From 10 December 2026, a new obligation under the Privacy Act takes effect that will catch more Australian businesses than most expect. If you use a computer program, including AI, to make, or substantially help make, decisions about people, and those decisions could reasonably be expected to significantly affect their rights or interests, your privacy policy must now describe what personal information the program uses and what kinds of decisions it makes. The trigger isn't whether you call the tool "AI". It's whether software is shaping decisions about your customers, applicants or clients.
The timing is awkward for most businesses. National AI Centre data from early 2026 shows that while around half of Australian businesses using AI check its outputs before they affect customers, transparency with customers about that AI use lags well behind. The new rule lands precisely where Australian businesses are weakest.
What the new rule actually requires
The change comes from the Privacy and Other Legislation Amendment Act 2024, which inserts new clauses (APP 1.7, 1.8 and 1.9) into the Australian Privacy Principles. From the December commencement date, an organisation covered by the Privacy Act must add information to its privacy policy if it has arranged for a computer program to use someone's personal information to make a decision, or do something substantially and directly related to making a decision, that could significantly affect that person.
The policy needs to set out the kinds of personal information the program uses, the kinds of decisions made solely by the program, and the kinds of decisions where the program does something substantially connected to a human-made decision. The OAIC gives concrete examples of decisions that count: granting or refusing a benefit such as a housing entitlement, a decision affecting someone's rights under a contract such as a life insurance policy, and a decision affecting access to a significant service such as healthcare. Importantly, the obligation applies whether the decision helps or harms the individual.
Why "we don't use AI" won't get you off the hook
The definition is deliberately broad, and that's where many businesses will be caught off guard. As legal analysts at Johnson Winter Slattery have noted, the wording could capture almost any software that plays a meaningful part in a decision, not just systems that decide entirely on their own. This is a wider net than the European GDPR, which targets decisions based solely on automated processing.
In practice, that means a tool which shortlists job applicants, an automated quoting or eligibility check, dynamic pricing that varies by customer, or an AI assistant that triages enquiries could all fall within scope, even where a human signs off at the end. The OAIC's own examples include decisions as everyday as whether to grant a job interview or whether to provide services to a customer. The question to ask isn't "do we run AI?" but "does software influence decisions we make about people, and could those decisions matter to them?"
Map where software touches decisions about people
Before December, list the decisions your business makes about customers, applicants and clients: pricing, eligibility, shortlisting, approvals, service access. For each one, note whether any software, scoring tool or AI assistant feeds into it and what personal information that tool uses. This map tells you which decisions are in scope and gives you the raw material to update your privacy policy. Start with the decisions that carry the most weight for the person on the receiving end.
The transparency gap most businesses haven't closed
The compliance risk is real. Once the rules commence, the OAIC's powers to issue infringement notices and compliance notices apply to a privacy policy that fails to meet the new automated decision-making requirements, and civil penalties can follow. Yet the National AI Centre's research suggests customer-facing transparency is exactly the area businesses have neglected. Around 65% of businesses not adopting AI cite distrust in AI decision-making or a preference to keep humans in control, a sign that customers care a great deal about how decisions affecting them are made, and whether anyone will tell them.
There's an opportunity hidden in the obligation. A clear, plainly written explanation of how and where you use automated decisions is the kind of assurance that addresses the trust gap directly. The risk runs the other way too: faced with a broad definition and the threat of penalties, some businesses will dump dense, defensive text into their policies. The OAIC's guidance on privacy policies is consistent on this point: policies should be clear, current and easy to understand, not padded.
The OAIC ran a consultation on its draft guidance in mid-2026 and expects to publish detailed guidance later in the year, so the finer points of scope will become clearer before the deadline. That's not a reason to wait. The work of mapping your decisions and identifying which tools use personal information takes time, and it's the same work whatever the final guidance says. Businesses that start now will be updating a privacy policy in December; those that don't may be scrambling to understand their own systems while the clock runs down.