Automated decision making and franchises: What you need to know before December 2026
Automation is now a core feature of many franchise systems. Franchises employ pricing engines, performance dashboards, lead allocation tools, recruitment filters and customer loyalty platforms, which increasingly rely on algorithms, to streamline their operations.
From 10 December 2026, certain automated decision-making tools will attract new and express transparency obligations under the Privacy and Other Legislation Amendment Act 2024 (Cth). These reforms require greater upfront disclosure where automation plays a significant role in decisions affecting individuals.
With significant compliance changes on the horizon, franchisors should understand how these reforms may affect their systems, disclosures and risk exposure.
Which franchisors and franchisees are affected?
The amendments apply to all APP entities. In broad terms, this includes entities that:
- have an annual turnover of more than $3 million; or
- have a turnover below $3 million, but:
  - trade in personal information;
  - provide health services; or
  - fall within another designated category under the Privacy Act 1988 (Cth) (Privacy Act), such as certain credit, data or digital service providers.
Many established franchisors will already be APP entities by virtue of turnover alone. Importantly, franchisees may also be APP entities, meaning automated decision‑making compliance (and, for that matter, privacy compliance in general) in franchise systems is not automatically centralised, even where systems are centrally designed.
What has changed under the Privacy Act?
The Act inserts new APPs 1.7-1.9 into the Privacy Act, which impose additional disclosures to be made in Privacy Policies where automated decision‑making is used.
In practical terms, this means an organisation must disclose in its privacy policy if it has arranged for automation, such as an LLM or computer program, to:
- make a decision; or
- substantially assist in making a decision,
using personal information, where the decision could reasonably be expected to significantly affect an individual’s rights or interests.
How much automation is enough to trigger compliance?
That obligation applies whether the decision is:
- fully automated;
- partially automated with human sign-off; or
- effectively automated through scoring, ranking or prioritisation.
A “decision” includes refusing or failing to make a decision. It is also irrelevant whether the outcome is positive or negative for the individual concerned.
The legislation gives examples of decisions affecting:
- rights under a contract or arrangement; and
- access to a significant service.
Common examples of automated decision-making in franchise systems
Franchise systems are structurally well suited to automation. Franchisors typically operate centralised systems that draw on data from multiple franchisees, customers and employees, and apply standardised rules or models across the network.
Common examples of automated decisions that may trigger the new disclosure obligations include:
- automated approval or rejection of a franchisee’s marketing spend, supplier choices or local pricing;
- algorithmic ranking or scoring of franchisee performance (including where linked to renewal or incentives);
- automated allocation (or non-allocation) of leads;
- AI-driven recruitment screening;
- dynamic pricing, promotions or loyalty offers based on customer data; and
- automated handling of customer complaints, refunds or disputes.
What must be disclosed in privacy policies?
From December 2026, affected franchisors (and franchisees) must update their privacy policies to clearly describe:
- the kinds of personal information used in automated decision-making systems (for example, transaction history, performance metrics, customer demographics or behavioural data); and
- the kinds of decisions that are:
  - made solely by computer programs; and
  - where computer programs play a substantial and direct role in the decision.
The disclosure must be accurate, and reflect how the system actually operates, not how it is described internally. Boilerplate statements about “automated processing” may prove inadequate as regulatory expectations develop, particularly once OAIC guidance emerges.
Who is responsible for disclosure: franchisor or franchisee?
Responsibility turns on who has “arranged for” the computer program used in decision‑making, which is a fact-specific question.
In most franchise systems, franchisors select, design or mandate the systems used across the network. This will usually amount to having arranged for the computer program, even if franchisees interact with the outputs day-to-day.
Franchisees may have separate obligations where:
- they are APP entities; and
- their practices are not covered by the franchisor’s privacy policy, or
- they independently implement secondary automated processing systems.
What are the consequences of non-compliance?
Failure to include the required disclosures in the organisation’s privacy policy is a breach of APP 1.7 and may expose the business to:
- civil penalties of up to 2,000 penalty units (currently $660,000) per contravention;
- compliance notices, infringement notices and enforceable undertakings; and
- heightened scrutiny by the OAIC and, indirectly, the ACCC.
In cases of serious or repeated non-compliance, significantly higher penalties may apply, including penalties of up to $50 million, three times the benefit received from the contravention, or 30% of turnover.
What should franchisors (and franchisees that are APP entities) do now?
Franchisors do not need to dismantle automation — but they do need to be aware of, and if necessary disclose, how it impacts their business. Practical steps include:
- Mapping systems: Identify where algorithms influence decisions affecting franchisees, staff or customers.
- Testing thresholds: Ask whether those decisions could significantly affect rights or access.
- Amending policies: Update privacy policies and other disclosures to reflect processes.
- Reviewing contracts: Ensure franchise agreements and manuals align with how decisions are actually made.
- Building oversight: Ensure meaningful human review is available, particularly for adverse outcomes.
Macpherson Kelley’s franchising and privacy lawyers can assist in assessing your automated decision‑making practices and updating your privacy policy. Please reach out to one of our experts today.
The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.