Australia’s privacy regulator will start 2026 with its first-ever compliance sweep, conducting a targeted review of selected businesses’ privacy policies to ensure they meet strict rules.
The compliance sweep, which will begin in the first week of January, will scrutinise the privacy policies of businesses that collect information in person. For example, real estate agents asking for phone numbers at open houses, or car rental agencies presenting customers with lengthy forms.
Entities found to have non-compliant privacy policies may face compliance and infringement notices and penalties of up to $66,000. Legislative changes to the Privacy Act passed by Parliament in 2024 expanded the possible regulatory consequences for infringements of certain foundational requirements of the Act. This includes the failure to have a privacy policy containing certain information.
The Privacy Commissioner has trained her gaze on sectors and practices involving the in-person collection of personal information for the Office of the Australian Information Commissioner’s (OAIC) first privacy compliance sweep, after identifying that such practices often involve power and information asymmetries. “When confronted with in-person requests for their personal information from retailers, licenced venues, car hire companies or real estate agents, consumers often don’t have access to all the information they might need to make an informed decision,” said the Privacy Commissioner, Carly Kind. “This makes them vulnerable to overcollection of personal information and creates risks to their security and privacy.”
“In conducting a compliance sweep, the OAIC intends to ensure that entities are meeting their obligations to be transparent with consumers and customers about how they’re using the personal information they collect in-person. We hope this will also catalyse some reflection about how robust entities’ privacy practices are, and whether more can be done to improve compliance with the Privacy Act writ large.”
“The Australian community is increasingly concerned about the lack of choice and control they have with respect to their personal information. The first building block of better privacy practices is a clear privacy policy that transparently communicates how an individual can expect their information to be collected, used, disclosed and destroyed.”
The OAIC will review the privacy policies of approximately 60 entities from the following 6 sectors that may collect information in-person for compliance with requirements under APP 1.4:
- Rental and property – collection of individuals’ personal information during property inspections.
- Chemists and pharmacists – collection of personal information for the purpose of providing a paperless receipt and collection of identity information to provide medication.
- Licenced venues – collection of identity information to enable individuals to access a venue.
- Car rental companies – collection of identity and other personal information to enable an individual to enter into a car rental agreement.
- Car dealerships – collection of personal information to enable an individual to conduct a vehicle test drive.
- Pawnbrokers and second-hand dealers – collection of identity information from individuals who wish to sell or pawn goods.
The target sectors have been selected noting the particular privacy risks associated with collection of personal information, particularly personal identification documents, and the privacy breaches that have occurred within these sectors. Target entities will be identified having regard to their size and location, as well as by reference to high profile and high-risk entities within each sector (including entities which may previously have been subject to a data breach).
Entities’ privacy policies will be assessed to ensure they meet the requirements of Australian Privacy Principle (APP) 1.4, which sets out what a privacy policy must include. The OAIC has recently updated its APP 1 guidance.
The OAIC takes a risk based and proportionate approach to regulation and if non-compliance is detected as part of the sweep, the OAIC will consider its recently expanded regulatory toolkit in determining the most appropriate regulatory response.
