Australian marketers and the business world generally have been waiting with bated breath for the Government to release news on its second tranche of privacy legislation changes, originally expected in mid-late 2025 but now expected in early 2026. In the meantime, as we had foreshadowed would be the case, the Office of the Australian Information Commissioner (“OAIC”) has officially begun its first-ever compliance sweep, which will involve scrutinising the privacy policies of selected organisations that collect personal information ‘in-person’.

In late 2025, the OAIC announced that from January 2026 it will begin reviewing the privacy policies of approximately 60 unnamed organisations operating across six sectors, to check compliance with Australian Privacy Principle (“APP”) 1.4 as currently drafted. In other words, are these businesses compliant with the current law? We have advised consistently that the OAIC will be keen to get businesses moving on compliance, and one of its principal strategies will be to ensure businesses are up to date on their existing requirements, so that when the second tranche arrives the market is already moving rather than “starting from scratch”.

Following the amendments to the Privacy Act 1988 (Cth) (“Privacy Act”) in 2024, which expanded the OAIC’s enforcement powers, January’s compliance sweep highlights a shift in the OAIC’s regulatory approach, from guidance towards active enforcement.

As such, this is a timely reminder for businesses to review their privacy policies to ensure that they are compliant with the APPs and reflect their current privacy practices. After all, privacy policies are publicly available to consumers and regulators alike, and they are the first item checked in a compliance investigation. Businesses must ensure that their privacy policies contain the required minimum information, and that they do not collect, use, or disclose personal information in a manner that is inconsistent with their privacy policy. Regardless of whether your business falls within one of the six industry sectors targeted by this sweep, it is important that your business prepares for increased regulatory action and stricter enforcement. This sweep is a warning siren for all businesses, and reviewing and updating your privacy policy must be a priority.

Who is the OAIC targeting?

The compliance sweep will target approximately 60 entities across the following six industry sectors, which involve ‘in-person’ collections of personal information.

The six sectors include:

  1. Rental and property – collection of individuals’ personal information during property inspections;
  2. Chemists and pharmacists – collection of personal information for the purpose of providing a paperless receipt, and collection of identity information to provide medication;
  3. Licensed venues – collection of identity information to enable individuals to access a venue;
  4. Car rental companies – collection of identity and other personal information to enable an individual to enter into a car rental agreement;
  5. Car dealerships – collection of personal information to enable an individual to conduct a vehicle test drive; and
  6. Pawnbrokers and second-hand dealers – collection of identity information from individuals who wish to sell or pawn goods.

The OAIC has targeted these industry sectors because they have been identified as vulnerable to over-collection of personal information in person. Specifically, the announcement noted that when confronted with in-person requests for personal information, consumers often do not have access to all the relevant information and so are unable to make an informed decision. In selecting entities, the OAIC will consider factors such as the entity’s size and location, and whether it is high-profile, high-risk, or has a history of non-compliance with the Privacy Act.

What are the requirements under APP 1.4?

As part of the sweep, the OAIC will be assessing whether the privacy policies of the selected businesses comply with APP 1, specifically those minimum requirements set out under APP 1.4.

Under APP 1.4, privacy policies must include as a minimum:

      • the kinds of personal information collected and held by the entity;
      • how personal information is collected and held;
      • the purposes for which personal information is collected, held, used and disclosed;
      • how an individual may access their personal information and seek its correction;
      • how an individual may complain if the entity breaches the APPs or any registered binding APP code, and how the complaint will be handled; and
      • whether the entity is likely to disclose personal information to overseas recipients, and if so, the countries in which such recipients are likely to be located, if it is practicable to specify those countries in the policy.

From December 2026, APP 1.7 will also require businesses to disclose within their privacy policies how personal information is used in automated decision-making systems that could significantly affect individuals. If this will affect your business, it is important that you carefully consider how your business uses artificial intelligence and other automated decision-making systems, and the extent of the disclosure required in the privacy policy. For further information on this amendment, which was passed in the first tranche of reforms to the Privacy Act in 2024, please refer to our article – FINALLY – The Privacy Amendment Bill (round one) is here.

Penalties for non-compliance

Entities that are found to have a non-compliant privacy policy may face infringement notices and penalties of up to $66,000 (per infringement), with repeat or serious breaches attracting substantial civil penalties.

This represents the beginning of a new era of enforcement, and the OAIC’s implementation of the first tranche of reforms to the Privacy Act passed in 2024. Those reforms introduced a new ‘tiered’ civil penalty system and gave the OAIC the additional power to issue infringement notices for administrative or minor breaches of the Privacy Act.

As we anticipated, the OAIC is now taking a proactive approach to ensuring that businesses are meeting the requirements under the current APPs, and as such, the risk of detection for non-compliance has increased. Therefore, it is important that businesses conduct internal reviews and update their privacy policies as soon as possible, to ensure they accurately reflect how personal information is collected, used, disclosed and destroyed in practice.

Don’t wait to comply! Get moving and review your privacy policy now!

Although the OAIC’s announcement noted that the compliance sweep is targeted at selected businesses that collect information ‘in-person’, businesses in other sectors must also review their privacy policies to ensure compliance with APP 1.4. It would be imprudent (at best) to ignore the regulatory sirens here. The OAIC is signalling to the market what it expects to see, and businesses would be accepting undue risk if they ignored the signs. With the OAIC’s expanded enforcement powers and its increased scrutiny of privacy policies, businesses need to take action now. The key is to assess how your business operates in practice and ensure that those methods of handling personal information are reflected accurately in the privacy policy. Businesses are expected to meet their privacy obligations and to have a privacy policy that complies with APP 1.4; those that do not are at risk of infringement notices and penalties.

Contact us

If you would like assistance with reviewing your privacy policy to ensure it is compliant with the APPs and Privacy Act, or if you require further information on privacy law compliance generally, please contact our experts below.


Emma Farncomb
02 4331 0406
[email protected]


Co-authored by
Clint Fillipou
03 9907 4302
[email protected]
