Why Your Gym Is Now Liable Under Australia's 2026 Privacy Laws
The Rulebook Has Changed. Have You?

If you have been operating your gym, fitness studio, or martial arts club for any length of time, you have probably heard someone mention the "small business exemption." For years, it was a reliable safety net — if your annual turnover sat below $3 million, Australia's Privacy Act 1988 largely did not apply to you. You could collect member data, store it however you liked, and sleep at night knowing the big regulatory guns were pointed elsewhere.
That safety net no longer exists. As of 2026, the exemption has been effectively removed for the fitness and wellness industry, and the consequences of not knowing that are already starting to bite Australian business owners. At MAA Insurance Services, we speak to gym and club owners every week who are genuinely shocked when they learn where they now stand legally. This blog is our attempt to change that — to give you a straight, honest picture of what the new landscape looks like and what you need to do about it.
What Was the Small Business Exemption?
The original small business exemption was introduced when the Privacy Act was written in a pre-digital world. The reasoning was simple: a small bakery or local trades business had neither the scale nor the infrastructure to pose a serious privacy risk. They collected a handful of customer names at most. The threshold — businesses turning over less than $3 million per year — seemed generous and appropriate.
Fast-forward to 2026, and the assumption that small businesses pose minimal privacy risk is completely outdated. A gym with 400 members runs cloud-based CRM software, processes direct debit payments, stores injury assessments and health screening waivers, and tracks attendance through a digital booking system. That is a significant amount of sensitive personal and health data, regardless of what the business turns over each year.
The Attorney-General's Privacy Act Review acknowledged this reality and recommended removing the small business exemption entirely. The Australian Government accepted that recommendation and the legislative machinery has been moving ever since. By December 2026, virtually every Australian business with a digital presence or a member database will fall under the Privacy Act's obligations.
But Wait — Gyms Were Never Really Exempt
Here is the part that surprises most fitness business owners: the $3 million threshold never applied to you in the first place. Not fully, anyway.
Under the Privacy Act, the small business exemption has always excluded "health service providers." The Office of the Australian Information Commissioner (OAIC) explicitly lists gyms and weight loss clinics as health service providers. The reasoning is straightforward: if your business collects information about a person's physical condition, injuries, health goals, fitness assessments, or medical history in the course of providing a service, you are legally providing a health service. It does not matter if you call yourself a gym, a dojo, a wellness studio, or a CrossFit box. The data you collect decides your classification, not the name above the door.
What this means in practice is that even the smallest dojo turning over $80,000 a year has been subject to the Australian Privacy Principles for years. Many simply did not know it. The removal of the small business exemption in 2026 simply brings the rest of the small business world in line with obligations that fitness businesses have carried all along.
What the 2026 Laws Actually Require
The Australian Privacy Principles (APPs) are the backbone of your compliance obligations. There are 13 principles in total, and they cover everything from how you collect data to how you store it, use it, disclose it, and respond when things go wrong. Some of the most critical requirements for a fitness business include:
• You must have a clearly written, publicly available privacy policy that explains what data you collect, why you collect it, who you share it with, and where it is stored.
• You can only collect the personal information that is genuinely necessary for your operations. Collecting member home addresses when you only need a phone number for emergency contact is a breach waiting to happen.
• If you store data on overseas servers, which most cloud-based gym management software does, your privacy policy must disclose that you send data overseas and, where practicable, the countries involved.
• Members have a right to access their own data and to request corrections. You need a process for handling these requests.
• Under the Notifiable Data Breaches scheme, if you suspect a breach that is likely to result in serious harm, you have at most 30 days to assess it. Once you have reasonable grounds to believe an eligible breach has occurred, you must notify the OAIC and the affected members as soon as practicable, not at the end of the 30 days.
• Consent for the collection of sensitive health data must be express, specific, and informed. A pre-ticked checkbox buried in a membership form does not cut it.
The Fines Are Not Theoretical
When we talk to club owners about privacy compliance, the most common response is: "Nobody is going to come after a small gym." We understand the sentiment, but the numbers tell a different story.
The OAIC can now issue infringement notices of up to $66,000 for administrative breaches, such as not having a visible, compliant privacy policy, without going to court. For serious or repeated interferences with privacy, the Federal Court can impose civil penalties of up to $50 million for corporations (more where three times the benefit obtained, or 30% of adjusted turnover, is higher) and $2.5 million for individuals. Australian Clinical Labs was ordered to pay $5.8 million for failing to adequately protect patient data and for delays in assessing and notifying a breach. The OAIC has commenced Federal Court proceedings against Optus over the breach that affected about 9.5 million customers; because each affected customer could count as a separate contravention, the theoretical maximum penalty has been reported at around $21 trillion. These are not hypothetical scare stories. They are real enforcement actions happening right now.
The OAIC has also moved from an education focus into active enforcement. It runs compliance sweeps, checking whether businesses in sectors that handle health data are meeting basic obligations such as publishing a compliant privacy policy. Gyms, studios, and martial arts clubs sit squarely within that sector.
Your Legal Structure Matters Too
How your business is structured determines how much personal liability you carry in the event of a breach. Sole traders and partnerships have no legal separation between business and personal assets. If your gym is sued or fined, your family home, savings account, and personal property are all potentially on the table.
A Pty Ltd company provides some protection, but directors can still be found personally liable if they are found to have been negligent in implementing basic cybersecurity — such as failing to enable multi-factor authentication or allowing staff to share login credentials. A company structure held within a trust provides the highest level of protection, but it is not a licence to be lazy about compliance.
Recommendations
Our job is to protect fitness businesses from the risks that can end them. In 2026, data and cyber risk sits alongside public liability and property damage as a business-critical exposure. Here is what we advise every client to act on immediately:
• Audit your data: Know exactly what personal information you collect, where it is stored, who can access it, and why you need it.
• Update your privacy policy: Make sure it is visible on your website, compliant with the APPs, and accurately reflects what you actually do with member data.
• Enable multi-factor authentication (MFA): This is the single most effective technical step you can take to prevent unauthorised access to your systems, especially for your gym management software, email, and payment accounts.
• Get standalone cyber insurance: Your public liability policy does not cover data breaches, forensic IT costs, legal defence fees, or regulatory fines. A standalone cyber policy does.
• Train your staff: Most successful cyber attacks start with a person rather than a technical flaw. Your team needs to know what a phishing email looks like and why sharing passwords is a serious business risk.
The Bottom Line
The small business exemption was never your shield in the fitness industry, and in 2026, it is gone for everyone else too. The question is not whether the law applies to you — it does. The question is whether you are ready.
MAAIS has spent years building specialist knowledge in the gym, fitness, and martial arts space. We understand the specific risks your business carries, and we can help you put the right insurance framework in place to protect everything you have built. Get in touch with us today for a no-obligation conversation about where your business stands.