Privacy Commissioner starts 2026 with compliance sweep of privacy policies of 60 entities in the rental & property, chemists and pharmacists, licensed venues, car rentals & car dealerships, and pawnbrokers & second hand dealer industries

February 1, 2026

The lack of enforcement of the Privacy Act 1988 has been a chronic problem for many years. That has been reflected in a poor level of compliance and a dreadful privacy culture at many companies and organisations. It seems the Privacy Commissioner wants to change that. On 9 December 2025 the Privacy Commissioner announced that there would be a privacy compliance sweep of the privacy policies of 60 entities in 6 industries.

The statement provides:

Australia’s privacy regulator will start 2026 with its first-ever compliance sweep, conducting a targeted review of selected businesses’ privacy policies to ensure they meet strict rules.

The compliance sweep, which will begin in the first week of January, will scrutinise the privacy policies of businesses that collect information in person. For example, real estate agents asking for phone numbers at open houses, or car rental agencies presenting customers with lengthy forms.

Entities found to have non-compliant privacy policies may face compliance and infringement notices and penalties of up to $66,000. Legislative changes to the Privacy Act passed by Parliament in 2024 expanded the possible regulatory consequences for infringements of certain foundational requirements of the Act. This includes the failure to have a privacy policy containing certain information.

The Privacy Commissioner has trained her gaze on sectors and practices involving the in-person collection of personal information for the Office of the Australian Information Commissioner’s (OAIC) first privacy compliance sweep, after identifying that such practices often involve power and information asymmetries. “When confronted with in-person requests for their personal information from retailers, licenced venues, car hire companies or real estate agents, consumers often don’t have access to all the information they might need to make an informed decision,” said the Privacy Commissioner, Carly Kind. “This makes them vulnerable to overcollection of personal information and creates risks to their security and privacy.”

“In conducting a compliance sweep, the OAIC intends to ensure that entities are meeting their obligations to be transparent with consumers and customers about how they’re using the personal information they collect in-person. We hope this will also catalyse some reflection about how robust entities’ privacy practices are, and whether more can be done to improve compliance with the Privacy Act writ large.”

“The Australian community is increasingly concerned about the lack of choice and control they have with respect to their personal information. The first building block of better privacy practices is a clear privacy policy that transparently communicates how an individual can expect their information to be collected, used, disclosed and destroyed.”

The OAIC will review the privacy policies of approximately 60 entities from the following 6 sectors that may collect information in-person for compliance with requirements under APP 1.4:

    • Rental and property – collection of individuals’ personal information during property inspections.
    • Chemists and pharmacists – collection of personal information for the purpose of providing a paperless receipt and collection of identity information to provide medication.
    • Licenced venues – collection of identity information to enable individuals to access a venue.
    • Car rental companies – collection of identity and other personal information to enable an individual to enter into a car rental agreement.
    • Car dealerships – collection of personal information to enable an individual to conduct a vehicle test drive.
    • Pawnbrokers and second-hand dealers – collection of identity information from individuals who wish to sell or pawn goods.

The target sectors have been selected noting the particular privacy risks associated with collection of personal information, particularly personal identification documents, and the privacy breaches that have occurred within these sectors. Target entities will be identified having regard to their size and location, as well as by reference to high profile and high-risk entities within each sector (including entities which may previously have been subject to a data breach).

Entities’ privacy policies will be assessed to ensure they meet the requirements of Australian Privacy Principle (APP) 1.4, which sets out what a privacy policy must include. The OAIC has recently updated its APP 1 guidance.

The OAIC takes a risk based and proportionate approach to regulation and if non-compliance is detected as part of the sweep, the OAIC will consider its recently expanded regulatory toolkit in determining the most appropriate regulatory response.

This compliance sweep is consistent with a more robust and assertive approach to enforcement by a more assertive Privacy Commissioner. While the Commissioner has not indicated what the consequences will be for an organisation caught up in a sweep that is found to be non-compliant, the Commissioner referred specifically to the increased enforcement options, including issuing infringement notices.

The Australian Privacy Principles (APPs) require organisations and businesses subject to the operation of the Privacy Act 1988 to maintain a compliant privacy policy that clearly explains how personal information is collected, used, stored, and disclosed. Non-compliance attracts a penalty of up to $66,000 per infringement.

Great care should be taken by organisations that collect personal information in person. Car dealerships and real estate agents that scan driver licences will need to be careful. Similarly, chemists verifying identity for medication should be watchful to comply. The assertive and aggressive scanning of identification without any proper consent being sought or privacy policy in place is a chronic problem.

Under APP 1.4 privacy policies must include:

  • the kinds of personal information collected and held by the entity
  • how and why personal information is collected and held
  • how an individual may access and/or correct their personal information
  • the complaint process for an organisation’s breach(es) of the APPs, and
  • whether the entity is likely to disclose personal information to overseas recipients.

The Commissioner’s Office recently updated its guidance covering this privacy principle. Organisations need to carefully consider APP 1 and the guidance when reviewing their privacy policies.

Organisations need to:

1. keep policies relevant

A privacy policy should remain accurate, up to date and reflect any changes in the collection, storage and use of personal information.

2. make sure policies are clear and transparent

Privacy policies that run to a dozen pages or more of dense, turgid and vague prose will be non-compliant. Resorting to legalese is both poor drafting and may attract censure.

3. have a clear understanding of how data is used

Many organisations collect information in a variety of ways and through disparate groups without fully understanding what is being collected and why. Creating a data map is a useful way of understanding what is happening with the data that is collected. There is a benefit in describing that in a privacy policy.

It is also invaluable to have an accurate and current data inventory. That should involve regular audits and updates to the data inventory. Any inventory should record what information is being collected and where it’s stored, as well as clear retention and deletion rules, which may differ for different types of data.

The more data held, and the more sensitive that data, the more comprehensive the technical security requirements must be, and the more sophisticated and careful the data handling practices.

4. only collect what is needed and discard what is no longer needed

Over-collection of personal information is a chronic problem which has been exacerbated by improved means of collection and storage. Holding onto personal information is also a problem. Companies that have been the subject of data breaches in the recent past have been found to hold data relating to ex-customers who left many years ago. A privacy policy which focuses on what is collected and why helps avoid the temptation to collect because you can.
