As innovation and regulatory change accelerate, technology, media and telecommunications (TMT) companies are facing developments that will affect how they handle privacy, data and surveillance laws.
Upcoming changes include:
- current privacy consultations, the previous tranche of privacy reforms coming into force, and the OAIC's enforcement attitudes;
- reviews on existing surveillance law; and
- developments directed at combatting spam and telecommunications scams.
Find out more about changes to digital infrastructure and emerging technology regulation in part 1 of our series about reform and regulation in TMT.
Privacy regulation
Children's Privacy Code
As required by the first tranche of reforms to the Privacy Act 1988 (Cth) (Privacy Act), introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth) (POLA Act), the Office of the Australian Information Commissioner (OAIC) continued detailed consultations to develop the Children's Online Privacy Code (the Code). The Code will apply to online services 'likely to be accessed by children' and comes into force from 10 December 2026.
An overview of the three phases of the consultation process is set out below, with 2026 being a decisive year for the Code's final design and implementation.
| Phase | Consultation participants | Focus areas | Findings |
|---|---|---|---|
| Phase 1 | Children; parents and carers | Children's welfare | |
| Phase 2 | Industry, civil society and academic stakeholders | Organisational initiatives | The findings from Phase 2 of the consultation are expected to be released in early 2026. |
| Phase 3 | Public | Review of the draft Code | The consultation period is scheduled to commence in early 2026 and last at least 60 days following the OAIC's publication of a draft version of the Code. |
Based on the Issues Paper, coupled with the findings from the COPC Children's Consultation Report, it is expected that the Code:
- will require more practical, child-friendly privacy features than what is currently reflected by industry practice. This would include straightforward tools that give children direct control over their data, prioritise clarity over complexity and remove default settings that collect or use information without clear consent. Organisations should anticipate a shift toward design obligations that make privacy easy to understand, easy to action and accessible to younger users;
- will adopt significantly more prescriptive notification and transparency requirements. This would reflect a clear regulatory response to persistent concerns raised by children that existing privacy policies are excessively lengthy, overly technical, and fundamentally ineffective in enabling them to understand how their personal information is collected, used, or shared;
- will address targeted advertising, given significant concerns about profiling accuracy, unease about behavioural tracking, and a desire for stronger limits on advertising practices directed at young people;
- will emphasise data minimisation, reflecting children's calls for high-privacy defaults and geolocation to be turned off by default, reinforcing a privacy-by-design approach; and
- may influence consideration of a formal right to erasure. Consulted children have expressed a strong desire for greater control over their digital footprint, including the ability to delete their data or have it removed after periods of inactivity.
Employee records and small business exemptions
Two key anticipated changes to the Privacy Act were not included in the POLA Act: the removal or modification of the small business and employee records exemptions. In the Privacy Act Review Report (the Report) published in 2022 (which led to the eventual development of the POLA Act), the OAIC proposed that small businesses, identified as those with an annual turnover of less than $3 million, should be covered by the general privacy obligations under the Privacy Act. Additionally, the Report proposed that the employee records exemption, which exempts businesses from complying with the Privacy Act with respect to acts or practices directly related to the business' employment relationship with current or former employees, should be modified to improve transparency and protection for the collection and use of employees' personal information.
While these changes have not been implemented, the OAIC has signalled that changes to these exemptions are on their radar in 2026 following further consultation with employer and employee groups. Businesses should monitor developments on the small business and employee records exemptions and prepare for the possibility of changes to the Privacy Act and establishment of exemption-specific codes of practice.
OAIC enforcement attitude
2026 will mark a shift from encouraging privacy best practice to active enforcement in Australia. This builds upon the first civil penalty ordered under the Privacy Act in 2025, which was ordered against Australian Clinical Labs for the 2022 Medlab Pathology data breach (see Australian Information Commissioner v Australian Clinical Labs: first civil penalty under the Privacy Act for further details).
This year, the OAIC will conduct its first sector-specific compliance sweep, reviewing privacy policies of around 60 businesses in high-risk, face-to-face data collection environments (e.g. rental and property services, chemists and pharmacists, licensed venues, car rental companies and dealerships, pawnbrokers). This targeted review demonstrates that the OAIC will prioritise high-risk, in-person data collection in 2026, having made clear that these industries often involve 'power and information asymmetries', which lead to consumer vulnerability and overcollection risks. This foreshadows a regulatory stance that will no longer tolerate organisations collecting 'just in case' information or hiding crucial details inside dense, outdated privacy policies. Entities found to have a non-compliant privacy policy may face maximum civil penalties of up to $330,000 (for bodies corporate) or infringement notices, to the extent the contravention is dealt with standalone, up to $19,800 (for bodies corporate) or $66,000 (for listed corporations).
The OAIC sector sweep of privacy policies aligns with broader Australian regulatory oversight and enforcement priorities. For example, the Australian Competition and Consumer Commission routinely conducts rapid, industry-wide sweeps, such as its review of more than 2,000 retail websites for consumer law compliance in early 2025. These often lead to warnings, civil penalties and in some cases, court proceedings. Sector sweeps enable expedited and efficient enforcement and compliance, and it seems likely that the OAIC will adopt similar methods in the privacy space.
Importantly, the OAIC now has a significantly expanded enforcement toolkit following the introduction of the POLA Act. The regulator can, amongst other remedies, issue infringement notices for breach of specific obligations under the Australian Privacy Principles (APPs), impose civil penalties for a broader range of privacy interferences, and exercise enhanced investigative power. These reforms sit alongside the OAIC's 2025-26 regulatory action priorities, which make clear where the regulator intends to apply these new powers. These priorities include:
- correcting power and information asymmetries in sectors such as property, credit reporting and data brokerage;
- scrutinising technologies such as biometrics, facial recognition, and pixel tracking;
- strengthening information management across government; and
- ensuring timely public access to information.
Together, these priorities mirror the issues the 2026 sweep is designed to uncover.
When viewed in conjunction, the sweep and the OAIC's expanded enforcement powers point to a broader shift toward ongoing and proactive regulatory oversight. In its official announcement, the OAIC explained that the sweep is intended not only to assess compliance with APP 1.4 but also to 'catalyse reflection' on the strength of organisations' privacy practices. This framing makes clear that further compliance activity is expected and that the January sweep is likely to be the beginning of a sustained period of increased regulatory attention.
Automated decision making
From 10 December 2026, if an APP entity uses personal information in automated decision making (ADM) to make, or in relation to making, a decision that could reasonably be expected to affect an individual's rights or interests, it may be required to comply with the newly introduced Australian Privacy Principles (APPs) 1.7, 1.8 and 1.9. These entities will be required to disclose in their privacy policies the kinds of personal information used in the ADM and the kinds of decisions made by the ADM.
Organisations should expect regulators to require detailed evidence regarding the operation of ADM and how personal information feeds into those systems. Together, these rules shift the regulatory expectation from general explanations to detailed operational transparency. The OAIC will have authority to issue infringement notices, compliance notices, and seek civil penalties through the Federal Court for non-compliance with the newly created APPs 1.7 to 1.9.
Organisations should therefore anticipate that compliance in 2026 will depend on being able to map automated processes, document data inputs and decision logic, and provide precise disclosures consistent with the statutory requirements.
Surveillance regulation
Ongoing reviews and reform
The evolution of surveillance laws is a notable development in the data and privacy landscape. Surveillance is increasingly pervasive, with employers leveraging advanced technologies to monitor employee performance and governments employing surveillance technologies for national security and law enforcement purposes. The Australian surveillance regime is a complex patchwork across Commonwealth and state laws. States primarily regulate through general surveillance devices statutes, with some jurisdictions also having workplace-specific legislation, such as the Workplace Surveillance Act 2005 (NSW) and Part 2A of the Surveillance Devices Act 1999 (Vic). The Commonwealth regime deals with surveillance across several acts, including the Surveillance Devices Act 2004 (Cth), Telecommunications (Interception and Access) Act 1979 (Cth), Crimes Act 1914 (Cth), Telecommunications Act 1997 (Cth), and the Australian Security Intelligence Organisation Act 1979 (Cth). Reform proposals typically call for consolidating and harmonising these laws, noting that the sheer volume of legislation has made the regime burdensome and difficult to interpret.
Legislative changes to the surveillance frameworks at both state and federal level are forthcoming and warrant attention. For instance, the Department of Home Affairs has noted that they are actively progressing consultations on the ongoing reform of Australia's electronic surveillance framework following comprehensive reviews of the regime in recent years. In Victoria, the state government is expected to respond to outstanding recommendations pertaining to surveillance laws, which include potential amendments to the Privacy and Data Protection Act 2014 (Vic), which traditionally only binds public entities. Otherwise, the Victorian government has indicated 'in-principle' support for 15 of the inquiry's 18 recommendations, which are comprehensively set out in Victorian Government backs landmark workplace surveillance reforms, and are expected to significantly impact workplace surveillance within the state once the recommendations are implemented.
From a government surveillance perspective, the powers of the Australian Federal Police and Australian Criminal Intelligence Commission to combat cybercrime are subject to a review by the Independent National Security Legislation Monitor. The review (published 31 July 2025) focuses on the circumstances under which data disruption warrants, network activity warrants and account takeover warrants can be exercised (for further detail, please see Australia's surveillance framework: National security and counter-terrorism watchdog signals reform). These developments will likely impact domestic and international businesses, necessitating a revisit of the extent to which entities should cooperate with authorities (including provision of customers' data upon request) and careful consideration in tandem with other privacy obligations.
Facial recognition technology
Otherwise, facial recognition technology (FRT), which may be used as a form of surveillance by identifying individuals based on their facial features, remains a particular focus under the OAIC 2025-26 regulatory priorities. This is because many FRT systems involve the collection of biometric data, which the Privacy Act classifies as sensitive information, and therefore attracts a heightened risk profile given the significant potential consequences for individuals if mishandled.
Spam Act
Australia's Spam Act 2003 (Cth) (Spam Act) prohibits the sending of commercial electronic messages (i.e. messages promoting an organisation's goods, services or brand that are sent via email, SMS, instant messaging, and in-app notifications) without the recipient's consent, without identifying the sending organisation, or without a functional opt-out option. The Australian Communications and Media Authority (ACMA) has actively enforced the Spam Act in recent years and has imposed substantial penalties for violations. In 2025, ACMA investigated and took enforcement action (penalties of up to $4,003,270, together with enforceable undertakings) against two high-profile gambling entities for sending marketing emails and SMS without consent and without functional unsubscribe facilities, and for sending marketing SMS and WhatsApp messages without adequate sender information.
Organisations should be vigilant that if any marketing aspect is incorporated into the communication (even a small promotional slogan or offer in an email header or footer), the whole message will be deemed a commercial electronic message, and the provisions of the Spam Act will apply. For instance, a message stating the following would be considered a commercial electronic message:
"Your monthly statement with [organisation] is ready. If you didn't request this statement, please contact support. For more information about how you can make the most out of your account with [organisation], click here."
As such, organisations should consider keeping service and promotional messages strictly separate, ensuring messages are categorised appropriately to maintain compliance with Spam Act requirements (consent, sender identification, unsubscribe) where required.
With respect to consent, although this may be express or inferred, express consent is generally preferred. Inferred consent has a higher evidentiary burden, applying where an individual has knowingly provided contact details and it is reasonable to believe the individual would expect to receive marketing from the organisation. Organisations would typically be required to prove an ongoing relationship between themselves and the individual, with the marketing being directly related to such a relationship. For instance, ACMA Guidance gives the example of an individual who has a long-term savings account with a bank. In such circumstances, the individual might expect to receive promotional material about another savings account option but would be unlikely to form a similar expectation for other categories of offerings, such as insurance products. More information on inferred consent and other Spam Act requirements is set out in ACMA Spam Act enforcement and the implications for business.
ACMA has also highlighted that its 2025-26 compliance and enforcement priorities include disrupting mobile number fraud and combatting spam and telecommunications scams, and the same active approach to investigations and enforcement is expected to continue into 2026. Though 2026 has only recently commenced, ACMA has already issued a $376,200 penalty and accepted an 18-month enforceable undertaking from a telecommunications company for failing to carry out anti-scam identity checks, which resulted in consumer losses of at least $175,000. Organisations must ensure that their anti-fraud measures are robust, as ACMA has indicated that it will take action where such measures do not comply with fraud prevention obligations. In addition, from 1 July 2026, branded text messages that display an organisation's name at the top of the message will need to have the sender ID registered on the SMS Sender ID Register as part of the Australian government's 'Fighting Scams' initiative.
In light of this regulatory landscape, businesses should re-evaluate commercial electronic messages and consider and review the validity of their customers' marketing consents on an ongoing basis to avoid the risk of increased Spam Act enforcement.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.