CRM and the Privacy Act: What Australian Businesses Must Know in 2026

Every Australian business that stores customer data in a CRM is operating under the Privacy Act 1988 — whether they realise it or not. The Act, together with its 13 Australian Privacy Principles (APPs), dictates how personal information must be collected, used, disclosed, stored and destroyed. For most businesses, the CRM is the single largest concentration of personal information they hold: names, phone numbers, email addresses, purchase histories, support conversations, and increasingly AI-generated profiles and scores. That makes your CRM the frontline of your Privacy Act compliance obligation.
The problem is that most Australian SMBs treat privacy as a policy document rather than an operational discipline. A privacy policy on the website is necessary but nowhere near sufficient. The Privacy Act demands specific, auditable practices around how data enters your system, who can access it, where it physically resides, how long you keep it, and what happens when something goes wrong. The 2024–2025 legislative reforms have sharpened the penalties and broadened the scope — and for any business running a CRM, the time to get this right is now, not after the OAIC comes knocking.
What the Privacy Act 1988 actually requires of your CRM
The Privacy Act applies to all "APP entities" — organisations with annual turnover above $3 million, plus health service providers, businesses that trade in personal information, and government contractors, regardless of size. The small-business exemption that historically shielded smaller operators is firmly on the reform agenda, meaning the prudent approach in 2026 is to comply regardless of your turnover. Every customer record, every lead, every contact in your CRM falls under this framework.
At its core, the Act requires you to:
- Collect only what you need. APP 3 limits collection to information "reasonably necessary" for your business functions. A CRM form that demands a date of birth, government ID, and home address to download a whitepaper is collecting beyond what the interaction requires.
- Tell people what you are doing. APP 5 requires a clear notice at or before the point of collection — who you are, why you are collecting, who you might share with, and how to access or correct the data.
- Use data only for its stated purpose. APP 6 restricts secondary use. If you collected an email for a sales enquiry, you cannot silently pipe it to a third-party AI model for scoring without fresh consent.
- Keep it accurate and secure. APPs 10 and 11 require reasonable steps to ensure data quality and to protect against misuse, interference, loss, and unauthorised access.
- Let people see and correct their records. APPs 12 and 13 give individuals the right to access what you hold about them and to have inaccuracies corrected.
Every one of these obligations maps directly to a CRM configuration decision. The Act is not abstract law sitting in a binder — it is a set of requirements your CRM either satisfies or violates, every day, with every record.
The 2024–2025 reforms: what changed and why it matters
The Privacy Act has been under sustained reform since the Attorney-General's Department review. The changes that have landed or are imminent in 2026 include:
- Dramatically increased penalties. The maximum civil penalty for serious or repeated interference with privacy is now the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover during the breach period. These are not theoretical — the OAIC has shown willingness to pursue substantial penalties.
- Expanded scope. The small-business exemption is being wound back. Businesses previously exempt because they fell under the $3 million threshold should plan for full compliance.
- Strengthened individual rights. Individuals will have clearer rights to erasure and to object to certain processing, moving Australia closer to a GDPR-style rights framework.
- Tighter rules on automated decision-making. AI-driven profiling, scoring and automated decisions about individuals face new transparency requirements — directly relevant to any CRM using AI agents or predictive analytics.
For CRM operators, the practical impact is clear: the cost of non-compliance has gone from "inconvenient" to "existential." A data breach affecting customer records in a non-compliant CRM can now generate penalties that dwarf the revenue the business earns. The reforms also mean that CRM security and data protection are no longer a nice-to-have IT concern — they are a board-level risk.
Where most CRMs fall short on Privacy Act compliance
The challenge is not that businesses refuse to comply — it is that the dominant CRM platforms were not built with the Privacy Act in mind. They were built for the US market and retrofitted with regional toggles. Three structural gaps recur across almost every offshore CRM deployment:
1. Data residency and cross-border disclosure
APP 8 requires that before personal information leaves Australia, you take reasonable steps to ensure the overseas recipient handles it consistently with the APPs — and you remain accountable for what they do. The major US-headquartered CRM platforms replicate data across global regions, route backups offshore, and increasingly pipe records through overseas AI model providers. Each of those data flows is a cross-border disclosure you are legally responsible for. Many businesses cannot even answer the question "where does my CRM data physically reside?" — which means they cannot demonstrate compliance with APP 8.
2. Consent and purpose limitation
APP 6 is where AI features create the most acute risk today. If your CRM vendor uses customer data to train machine learning models, or routes conversations through a third-party AI for summarisation, that is a secondary use the customer likely never consented to. The line between "using AI to help you sell" and "disclosing personal information to a third-party processor for a purpose the individual was not told about" is thinner than most vendors admit.
3. Access and deletion
When a customer exercises their APP 12 right to access their data, you need to produce everything you hold about them — quickly, completely, and without charging excessive fees. When deletion rights strengthen under the reforms, you will need to erase the individual's records comprehensively. A CRM with fragmented records spread across modules, integrations and third-party sub-processors makes both tasks unreliable at best and impossible at worst.
How to configure your CRM for Privacy Act compliance
Compliance is not a checkbox exercise — it is a set of ongoing configuration and operational disciplines. Here is the practical checklist for any Australian business running a CRM in 2026:
Collection and consent
- Audit every form, chatbot and signup flow that feeds your CRM. Each must have a clear collection notice at the point of entry.
- Only collect fields you can justify as "reasonably necessary." Remove mandatory fields you do not actually use.
- Track consent as a first-class field on every contact — when it was given, for what purpose, and through which channel.
- Ensure your opt-out mechanism works across every channel: email, SMS, phone. An unsubscribe that stops emails but not SMS is still a breach of APP 7.
Data residency and AI
- Get a definitive, written answer from your CRM vendor on where primary data, backups, logs and AI processing physically occur.
- If data leaves Australia, document the safeguards and your assessment that the overseas recipient will handle it consistently with the APPs.
- Understand what every AI feature in your CRM does with customer data. If you cannot map the data flow, disable the feature until you can.
Security and access control
- Enforce role-based access with least-privilege principles. Not every team member needs export rights over the entire customer database.
- Enable multi-factor authentication. Compromised credentials are consistently among the top breach causes reported to the OAIC.
- Turn on audit logging so you can demonstrate who accessed, modified or exported what, and when.
- Set explicit data retention rules. Information you no longer hold cannot be breached — and APP 11 requires you to destroy or de-identify data you no longer need.
Access and correction rights
- Test your ability to produce everything you hold about a specific individual within a reasonable timeframe. If it takes longer than an hour, you have a gap.
- Ensure records can be corrected and, when required, deleted across all linked modules and integrations — not just the primary contact card.
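The checklist above asks for three things a CRM has to do mechanically: record consent per purpose and channel (APP 6), de-identify or destroy data past its retention period (APP 11), and produce or erase everything held about one person across every module (APPs 12 and 13), with each action landing in an audit log. The following is an added example written for this article, not Fulcrum CRM's code or any vendor's API; the contact store, module names, sample contacts and the three-year retention window are all constructed for illustration.

```python
"""Consent checks, retention, access requests and erasure over a small CRM store.
Added illustrative example; the data model and sample records are constructed."""
from __future__ import annotations
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Consent:
    purpose: str                     # e.g. "sales_enquiry", "marketing_email", "ai_scoring"
    channel: str                     # where consent was captured: web form, phone, chat
    given_at: datetime
    withdrawn_at: datetime | None = None

@dataclass
class Contact:
    contact_id: str
    name: str | None
    email: str | None
    phone: str | None
    last_activity: datetime
    consents: list[Consent] = field(default_factory=list)
    deidentified: bool = False

@dataclass
class Store:
    contacts: dict[str, Contact]
    modules: dict[str, list[dict]]   # module name -> records that carry a contact_id
    audit_log: list[dict] = field(default_factory=list)

def log(store: Store, actor: str, action: str, contact_id: str, detail: str = "") -> None:
    """Every privacy-relevant action is recorded: who did what, to whom, and when."""
    store.audit_log.append({"at": datetime.now(timezone.utc).isoformat(), "actor": actor,
                            "action": action, "contact_id": contact_id, "detail": detail})

def has_consent(contact: Contact, purpose: str, at: datetime) -> bool:
    """APP 6: a purpose is permitted only if consent for exactly that purpose was
    given before `at` and had not been withdrawn at that time."""
    return any(c.purpose == purpose and c.given_at <= at
               and (c.withdrawn_at is None or c.withdrawn_at > at)
               for c in contact.consents)

def access_request(store: Store, contact_id: str, actor: str) -> dict:
    """APP 12: everything held about one individual, gathered from every module."""
    c = store.contacts[contact_id]
    modules = {m: [r for r in recs if r.get("contact_id") == contact_id]
               for m, recs in store.modules.items()}
    log(store, actor, "access_request", contact_id)
    return {"contact": {"name": c.name, "email": c.email, "phone": c.phone},
            "consents": [vars(x) for x in c.consents],
            "modules": {m: r for m, r in modules.items() if r}}

def apply_retention(store: Store, now: datetime, retention: timedelta, actor: str) -> list[str]:
    """APP 11: de-identify contacts with no activity inside the retention window.
    Free-text notes are dropped too, since they routinely carry personal details."""
    touched = []
    for c in store.contacts.values():
        if not c.deidentified and now - c.last_activity > retention:
            c.name = c.email = c.phone = None
            c.deidentified = True
            for recs in store.modules.values():
                for r in recs:
                    if r.get("contact_id") == c.contact_id:
                        r.pop("notes", None)
            log(store, actor, "deidentify", c.contact_id, f"inactive > {retention.days}d")
            touched.append(c.contact_id)
    return touched

def erase(store: Store, contact_id: str, actor: str) -> int:
    """Erasure request: remove the contact and every linked record in every module."""
    removed = 0
    for m, recs in store.modules.items():
        keep = [r for r in recs if r.get("contact_id") != contact_id]
        removed += len(recs) - len(keep)
        store.modules[m] = keep
    removed += 1 if store.contacts.pop(contact_id, None) else 0
    log(store, actor, "erase", contact_id, f"{removed} records removed")
    return removed

def sample_store() -> Store:
    """Constructed sample data: two contacts referenced from several modules."""
    t_alice = datetime(2026, 1, 10, tzinfo=timezone.utc)
    t_bob = datetime(2022, 3, 1, tzinfo=timezone.utc)
    alice = Contact("c1", "Alice Example", "alice@example.com", "+61 400 000 000", t_alice,
                    [Consent("sales_enquiry", "web_form", t_alice)])
    bob = Contact("c2", "Bob Example", "bob@example.com", None, t_bob,
                  [Consent("marketing_email", "web_form", t_bob)])
    return Store({"c1": alice, "c2": bob},
                 {"sales": [{"id": "d1", "contact_id": "c1", "stage": "proposal", "notes": "met at expo"}],
                  "support": [{"id": "t7", "contact_id": "c2", "notes": "billing query"}],
                  "projects": [{"id": "p3", "contact_id": "c1", "name": "Office fit-out"}]})

def demo() -> dict:
    """Run the checklist actions in order and return what each one decided."""
    s = sample_store()
    now = datetime(2026, 2, 1, tzinfo=timezone.utc)
    return {"alice_sales_ok": has_consent(s.contacts["c1"], "sales_enquiry", now),
            "alice_ai_scoring_ok": has_consent(s.contacts["c1"], "ai_scoring", now),
            "alice_modules": sorted(access_request(s, "c1", "privacy-officer")["modules"]),
            "deidentified": apply_retention(s, now, timedelta(days=3 * 365), "retention-job"),
            "bob_email_after": s.contacts["c2"].email,
            "erased_records": erase(s, "c1", "privacy-officer"),
            "actions": [e["action"] for e in s.audit_log]}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The point of `has_consent` is that consent is checked per purpose: Alice's sales enquiry consent does not authorise AI scoring, which is exactly the secondary use APP 6 forbids without fresh consent. `apply_retention` de-identifies rather than deletes so that aggregate reporting survives, and `erase` walks every module because a deletion that only clears the contact card leaves support tickets and project records behind.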
Fulcrum CRM is built around these requirements by design rather than retrofit. Australian data hosting means APP 8 is satisfied structurally. Built-in AI agents operate inside your own boundary rather than shipping records to an external model provider. Role-based access, audit logging, and encryption at rest are standard features, not premium add-ons. And because every module — Sales, Real Estate, Automotive, Consultation, Inventory and Project Management — shares a single contact database, producing a complete picture of any individual is a query, not an archaeological dig. For more on how CRM fundamentals underpin compliance, see our guide on what a CRM is and why your business needs one in 2026.
The cost of getting it wrong — and the advantage of getting it right
The penalty regime makes non-compliance a genuine business risk, but the upside of getting privacy right is often overlooked. Customers increasingly choose to do business with companies they trust to handle their data responsibly. A CRM configured for Privacy Act compliance is also a CRM with clean data, tight access controls, and auditable processes — which means better security, better reporting, and better customer relationships. Privacy compliance and operational excellence are not in tension; they are the same discipline applied to the same system.
For a deeper comparison of how Australian privacy rules differ from overseas frameworks and what that means for your CRM choice, see our analysis of GDPR versus the Privacy Act. And if you are evaluating platforms, our comparison page breaks down how Fulcrum CRM stacks up against the offshore incumbents on compliance, pricing and features.
The Privacy Act is not going away and the reforms are not slowing down. The businesses that treat compliance as a property of their CRM architecture — rather than a policy document they review once a year — are the ones that will navigate the next decade without a breach, a penalty, or a public apology.
Writing about AI-powered CRM, sales automation, and the future of revenue teams at Fulcrum CRM.


