Australia’s privacy regulator is launching 2026 with its first compliance sweep. The Office of the Australian Information Commissioner (OAIC) will review selected businesses’ privacy policies to ensure they meet the existing statutory requirements of the Privacy Act 1988 (Cth) (Privacy Act).
What's Happening?
Starting in the first week of January, the OAIC will scrutinise the privacy policies of approximately 60 entities across six sectors that commonly collect personal information in person. These include:
- Rental and property – collecting personal details during property inspections.
- Chemists and pharmacists – gathering identity information for medication or paperless receipts.
- Licensed venues – requiring ID for entry.
- Car rental companies – collecting identity and other personal details for rental agreements.
- Car dealerships – obtaining personal information for test drives.
- Pawnbrokers and second-hand dealers – collecting identity documents for transactions.
The focus on in-person data collection reflects concerns about power and information gaps. People often feel pressured to share personal details without fully understanding how their data will be used, shared, or stored.
Why Does It Matter?
Entities with non-compliant privacy policies could face serious consequences, including compliance and infringement notices and penalties of up to $66,000 per infringement. This is separate from higher civil penalties, which may apply in more serious cases. These penalties follow 2024 amendments to the Privacy Act, which expanded the OAIC’s enforcement powers for breaches of core obligations, such as failing to maintain a compliant privacy policy.
This sweep signals the OAIC’s shift from guidance to active enforcement, with greater use of compliance and infringement notices and escalation to civil penalties for serious or persistent non‑compliance.
The OAIC hopes this sweep will not only enforce compliance but also encourage businesses to strengthen their overall privacy practices.
What Will the OAIC Look For?
The sweep will examine whether privacy policies comply with the requirements of Australian Privacy Principle (APP) 1.4, which requires policies to set out:
- how personal information is collected, used, and disclosed
- how individuals can access and correct their information
- how complaints can be made
- whether information is shared overseas
- how information is stored and destroyed
In addition, businesses should ensure compliance with APP 5.1, which requires entities to take reasonable steps to notify individuals of particular details regarding the collection of their personal information at or before the time of collection.
The OAIC has recently updated its guidance on APP 1, so organisations should review their privacy policies and notification practices against the latest standards.
How We Can Help
Russell Kennedy’s expert Privacy team can assist you in reviewing your privacy policy, collection statements and procedures to ensure they comply with the Privacy Act.
The information contained in this Insight is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed, please contact the Russell Kennedy team.