We read 33 of Australia's biggest brands' privacy policies. One was ready for December.
From 10 December 2026 the law makes businesses disclose the automated decisions they make about people. We checked who already does. One in thirty-three.
From 10 December 2026, Australian privacy law requires businesses to disclose, in their privacy policy, that they make automated decisions about people: the kinds of decisions, and the kinds of personal information behind them. We read the current Australian privacy policies of 33 of the country's largest consumer brands, across banking, lending, insurance, superannuation, telco, energy, retail and wagering. One met the bar. Most of the rest said nothing about automated decisions at all.
The one that was ready tells the story. It is ING, a Dutch-owned bank, whose policy states plainly that "your credit score is calculated based on automated decision-making", and names the decisions and the data behind them. The two big local banks that came closest, Commonwealth Bank and NAB, describe their automated credit decisions too, but in the European sections of their policies, the parts written for the GDPR. The Australian policies ready for an Australian law are the ones Europe already shaped.
The obligation is also wider than it sounds. The Australian test catches any decision a computer program is substantially involved in, not only the fully automated ones, so a person signing off on a model's recommendation still counts. It reaches credit, insurance, pricing, eligibility, and hiring. If you turn over more than three million dollars, or you hold health or credit data at any size, the question is not whether this applies to you. It is whether you can answer it.
A privacy policy is easy to edit. The hard part is standing behind it. Disclosing the decision is the floor. On request you also have to substantiate it, which means producing the record of why the machine decided what it did. If that record lives in a supplier's environment, you cannot produce it on your own terms. The brands that will struggle in December are not the ones with bad policies. They are the ones who rent the record.
From December, you have to explain the decision. And you can only explain a decision whose record you own.
How we read this. We read the current public Australian privacy policy of 33 of the country's largest consumer brands on 29 June 2026, across banking, consumer lending, buy-now-pay-later, insurance, superannuation, telecommunications, energy, retail and wagering. We marked a policy ready only if it disclosed automated decision-making, the kinds of decisions, and the kinds of personal information, in the Australian policy itself. The law is the Privacy and Other Legislation Amendment Act 2024 (new Australian Privacy Principle 1.7), with guidance from the OAIC. The obligation commences 10 December 2026, so none of these brands is in breach today. They are not ready. We will re-run this each quarter to the deadline.
Own the record before December.
NTWRK builds the pieces that have to explain themselves, including the record of why, inside your own environment and handed over with the keys.