OAIC to launch blitz on privacy compliance

Australia’s privacy watchdog will begin the new year with a compliance sweep targeting businesses that run afoul of privacy rules, including the overcollection of personal information in-person, warning that non-compliance could trigger fines

The Office of the Australian Information Commissioner (OAIC) will kick off its first-ever compliance sweep in the first week of January 2026, scrutinising the privacy policies of some 60 organisations in a bid to curb the overcollection of personal information during face-to-face interactions.

Those found to have non-compliant privacy policies may face compliance and infringement notices and penalties of up to A$66,000.

“When confronted with in-person requests for their personal information from retailers, licenced venues, car hire companies or real estate agents, consumers often don’t have access to all the information they might need to make an informed decision,” said privacy commissioner Carly Kind. “This makes them vulnerable to overcollection of personal information and creates risks to their security and privacy.”

The sweep will specifically target six sectors identified as high-risk for privacy breaches or over-collection. These include real estate and property management firms which collect phone numbers and other personal details at open house inspections. This sector has long been a source of tension for Sydney residents, who often feel compelled to trade their digital privacy for the chance to view a rental property or potential home.

Also under the spotlight are chemists and pharmacists. The regulator is concerned about the growing use of “paperless receipts,” where customers are asked for personal information during checkout and collection of medication. The concern is that the convenience of a digital receipt could be used as a trojan horse to harvest data for marketing purposes without clear consent or transparency.

Licensed venues, which frequently scan driver’s licences and identity cards as a condition of entry, will face scrutiny, too. The sweep also extends to car rental firms that present customers with lengthy, complex forms at the counter, along with car dealerships that require personal data before allowing a vehicle test drive. Pawnbrokers and second-hand dealers, who collect identity information from individuals selling goods, round out the list of targeted industries.

The regulator has indicated that the 60 organisations will be chosen based on a risk assessment that considers their size, location, and profile. Crucially, the list includes those that have had data breaches, signalling that the watchdog is returning to check if lessons have been learned.

“In conducting a compliance sweep, the OAIC intends to ensure that entities are meeting their obligations to be transparent with consumers and customers about how they’re using the personal information they collect in-person. We hope this will also catalyse some reflection about how robust entities’ privacy practices are, and whether more can be done to improve compliance with the Privacy Act writ large,” Kind said.

“The Australian community is increasingly concerned about the lack of choice and control they have with respect to their personal information. The first building block of better privacy practices is a clear privacy policy that transparently communicates how an individual can expect their information to be collected, used, disclosed and destroyed,” she added.

Legislative changes to the Privacy Act passed by parliament in 2024 have expanded the possible regulatory consequences for infringements of certain foundational requirements of the Act. This includes the failure to have a privacy policy containing certain information.

If non-compliance is detected during the January operation, the OAIC will take a “risk-based and proportionate” approach to regulation, using its expanded powers to determine the appropriate response. For businesses that have relied on opaque data-gathering practices at the front counter, the era of lax enforcement appears to be over.
