Australia’s privacy regulator, the Office of the Australian Information Commissioner (OAIC), will begin 2026 with its first-ever privacy compliance sweep, launching a targeted review of selected businesses’ privacy policies to ensure they meet strict legal requirements. The sweep, commencing in the first week of January, will focus on businesses that collect personal information in person, such as real estate agents requesting contact details at open houses or car rental agencies presenting customers with lengthy collection forms.
Entities found to have non-compliant privacy policies may face compliance and infringement notices, with penalties of up to $66,000. Legislative amendments to the Privacy Act passed in 2024 expanded the regulatory consequences for breaches of fundamental requirements, including failure to maintain a privacy policy that contains the mandatory information set out in the Act.
Privacy Commissioner Carly Kind said the OAIC has prioritised sectors where in-person information collection often involves power and information imbalances. “When confronted with in-person requests for their personal information from retailers, licenced venues, car hire companies or real estate agents, consumers often don’t have access to all the information they might need to make an informed decision,” she said. “This makes them vulnerable to overcollection of personal information and creates risks to their security and privacy.”
Kind said the inaugural compliance sweep aims to ensure entities meet their obligations to clearly inform consumers about how their personal information is being collected, used, disclosed and destroyed. She said the initiative is intended not only to lift transparency but to prompt businesses to reassess the robustness of their broader privacy practices. “The Australian community is increasingly concerned about the lack of choice and control they have with respect to their personal information. The first building block of better privacy practices is a clear privacy policy that transparently communicates how an individual can expect their information to be collected, used, disclosed and destroyed.”
The OAIC will examine the privacy policies of around 60 entities across six sectors known to collect personal information in person and where past breaches highlight elevated privacy risks. These sectors are rental and property agencies, chemists and pharmacists, licensed venues, car rental companies, car dealerships and pawnbrokers or second-hand dealers.
Entities will be selected based on size, location and risk profile, including whether they have previously experienced a data breach. The OAIC will assess each privacy policy for compliance with Australian Privacy Principle 1.4, which outlines the information that must be included. Updated APP 1 guidance has recently been released to assist organisations in meeting their obligations.
The OAIC said it will apply a risk-based, proportionate regulatory approach. If non-compliance is identified during the sweep, the regulator will consider responses from its expanded toolkit, which now includes stronger penalties and enforcement options.

