Australia’s privacy regulator launches its first compliance sweep this week, targeting businesses that collect customer data in person.
What’s happening: Australia’s privacy regulator begins 2026 with its first compliance sweep, examining privacy policies of approximately 60 businesses that collect personal information face-to-face. Businesses with non-compliant policies face infringement notices and penalties reaching $66,000.
Why this matters: The sweep signals a new enforcement era following 2024 legislative changes that expanded the OAIC’s regulatory powers. The initiative reflects growing community concerns about personal information control and follows major data breaches affecting millions of Australians.
Australia’s privacy watchdog begins the new year with enforcement action, launching its inaugural compliance sweep to examine how businesses handle personal information collected in face-to-face interactions.
The Office of the Australian Information Commissioner commenced the targeted review in the first week of January, scrutinising privacy policies of approximately 60 entities across six sectors identified as high-risk for privacy breaches.
Power imbalances at play
Privacy Commissioner Carly Kind explains the focus on in-person data collection stems from identified power and information asymmetries between businesses and consumers.
“When confronted with in-person requests for their personal information from retailers, licensed venues, car hire companies or real estate agents, consumers often don’t have access to all the information they might need to make an informed decision,” Kind said. “This makes them vulnerable to overcollection of personal information and creates risks to their security and privacy.”
The commissioner emphasises transparency obligations as fundamental to better privacy practices.
“In conducting a compliance sweep, the OAIC intends to ensure that entities are meeting their obligations to be transparent with consumers and customers about how they’re using the personal information they collect in-person,” Kind said. “We hope this will also catalyse some reflection about how robust entities’ privacy practices are, and whether more can be done to improve compliance with the Privacy Act writ large.”
Six sectors under review
The OAIC targets businesses from rental and property services, chemists and pharmacists, licensed venues, car rental companies, car dealerships, and pawnbrokers and second-hand dealers.
Entities face assessment on whether privacy policies meet Australian Privacy Principle 1.4 requirements, which mandate specific information about personal data collection, use, disclosure and destruction practices.
The regulator selected the target sectors because of the privacy risks associated with collecting personal identification documents and because of previous data breaches within these industries. Entity selection considers size, location and risk profile, including whether an organisation has previously experienced a data breach.
Kind underscores community expectations around information handling.
“The Australian community is increasingly concerned about the lack of choice and control they have with respect to their personal information,” she said. “The first building block of better privacy practices is a clear privacy policy that transparently communicates how an individual can expect their information to be collected, used, disclosed and destroyed.”
Expanded enforcement powers
Legislative changes to the Privacy Act passed by Parliament in 2024 expanded regulatory consequences for infringements of foundational requirements, including failures to maintain compliant privacy policies.
Businesses found with non-compliant privacy policies may face compliance notices, infringement notices and penalties reaching $66,000.
The OAIC recently updated its APP 1 guidance to assist organisations in meeting obligations. The regulator takes a risk-based and proportionate approach to regulation, considering its expanded regulatory toolkit when determining appropriate responses to detected non-compliance.
The compliance sweep represents the beginning of heightened enforcement activity from the OAIC, which has consistently signalled intent to target compliance across the spectrum in 2026, from high-profile data breaches to basic privacy policy requirements.
For businesses in targeted sectors, the sweep serves as immediate notice to review privacy policies before year-end to ensure compliance with APP 1.4 requirements. The broader market receives clear warning that proactive privacy policy compliance reviews have become standard regulatory practice in Australia’s evolving privacy landscape.
