
Gagan Batra, Founder & Director at Insighten

The OAIC’s new rules could cost your business $66,000, but it doesn’t have to

Gagan Batra explains why the OAIC’s new compliance sweep changes everything for Australian businesses collecting customer data face-to-face.

What’s happening: The OAIC, Australia’s privacy regulator, is launching its first compliance sweep from January 2026. The initiative will scrutinise approximately 60 entities across six sectors: property rental, pharmacies, licensed venues, car rentals, dealerships, and second-hand dealers.

Why this matters: The sweep tests whether day-to-day operational practices genuinely align with stated privacy policies. Failure to align practices with policy creates regulatory exposure, reputational risk, and customer trust issues.

Gagan Batra, Founder & Director at Insighten, understands what many businesses are only now realising: when Australia’s privacy regulator, the OAIC, announced its first-ever compliance sweep last year, it wasn’t just a warning about documentation. It was an exposure of a much deeper operational problem.

From January 2026, the OAIC will begin reviewing the privacy policies of approximately 60 businesses in six high-risk sectors. Real estate agents asking for phone numbers at open houses, car rental agencies presenting customers with lengthy forms, licensed venues scanning driver’s licences, and pharmacies collecting personal data will all fall under scrutiny. What the regulator is really testing, according to Batra, is whether what businesses write in their privacy policies actually matches what happens on the ground.

“This is not simply a test of policy wording. It is a test of whether organisations can translate policy into practice,” Batra writes. “In-person data collection cuts across operations, customer experience, marketing and technology, making it a broader business issue.”

The Real Operational Challenge

For businesses caught in the regulator’s net, the stakes are significant. Entities found to have non-compliant privacy policies may face compliance and infringement notices and penalties of up to $66,000. But the penalty figures only tell part of the story.

The OAIC’s focus on in-person data collection reveals a critical vulnerability. When customers hand over their personal information at a counter or during an inspection, they rarely see a privacy policy. They may not understand what they’re consenting to, or how their data will be used. This power imbalance is precisely what Privacy Commissioner Carly Kind identified as the reason for the sweep.

“When confronted with in-person requests for their personal information from retailers, licensed venues, car hire companies or real estate agents, consumers often don’t have access to all the information they might need to make an informed decision,” Kind stated in the OAIC’s official announcement. “This makes them vulnerable to over-collection of personal information and creates risks to their security and privacy.”

The compliance sweep is the regulator’s way of forcing businesses to close the gap between policy and practice.

What Sector You’re in Matters

If your business operates in property rental, pharmacies, licensed venues, car rentals, car dealerships, or second-hand dealing, the January sweep affects you directly. But Batra stresses that businesses operating outside these sectors shouldn’t ignore the signal. If the OAIC follows in the footsteps of the ACCC, which conducted a sweep of more than 2,000 retail websites in 2025 scrutinising return policies and website terms, we can expect market sweeps to become a more regular feature in enforcement strategy.

For small businesses specifically, there’s an important caveat: not all are covered by the Privacy Act. Most small businesses with turnover under $3 million aren’t covered by the Privacy Act, unless they operate in specific categories like trading in personal information or health services. Checking whether your business is actually subject to the Privacy Act is the first critical step.

Getting Compliance Right

For businesses that do fall under the Privacy Act, Batra outlines a clear path to compliance that goes well beyond simply updating a document.

Conduct an audit of how personal information is actually handled. Map out where in-person data collection occurs, what information is collected, what consent is being sought, and how customer consent preferences are captured and recorded. This will expose gaps between what customers are told and what systems actually store.

Review the point-of-collection experience. Wherever customers provide their information—at counters, during inspections, on forms, or during sign-up moments—they need to reasonably understand what they’re agreeing to. If your current process doesn’t meet this standard, it needs to change.

Communicate clearly to frontline teams. Staff are often the weak link in compliance. They need to understand both the rules and how to explain consent choices to customers. Inconsistent explanations or informal workarounds quickly undermine compliance and erode customer trust. Formal written guidance ensures consistency across the business.

Align online and offline experience. This is critical. Any consent or preference settings given in-person must be carried over to downstream systems such as CRM and marketing platforms. If your online systems can’t reliably reflect what a customer agreed to in-person, the problem extends beyond compliance into customer experience and brand damage.

The shift happening right now in Australian regulation is significant. Recent amendments to the Privacy Act in 2024 introduced new powers for the OAIC in connection with infringements, marking a move away from the OAIC’s historical focus on education and conciliation towards more proactive enforcement.

Batra’s core message is clear: good governance isn’t defined by what’s written down. It’s defined by what’s consistently applied. Organisations that treat privacy compliance as an operational capability, not just a documentation exercise, are the ones most likely to avoid penalties and protect customer trust.

The January compliance sweep isn’t just a regulatory moment. It’s a reminder that in 2026, businesses need to put their money where their mouth is on privacy.

Yajush Gupta

Yajush writes for Dynamic Business and previously covered business news at Reuters.