In early 2026, the Office of the Australian Information Commissioner (the “OAIC”) commenced its first-ever privacy compliance sweep, launching a targeted review of business’ privacy policies.
The initial sweep targets businesses from specific sectors known to collect personal information in person, including rental and property businesses and chemist and pharmacy businesses.
Businesses found to have non-compliant privacy policies may face compliance and infringement notices, and penalties of up to $66,000 per breach.
The current sweep is a clear message from the Australian Privacy Commissioner: ensure your privacy policies comply with the Privacy Act or risk the consequences.
Background
Prompted by the growing prevalence of data breaches and heightened public concern about privacy, legislative amendments to the Privacy Act 1988 (Cth) in 2024 strengthened the OAIC’s enforcement powers, broadening compliance requirements and introducing new civil penalties in an effort to provide Australians with greater transparency and control over their personal information, especially in circumstances where individuals may lack sufficient information to make fully informed decisions and be vulnerable to overcollection of their data.
Target Sectors
In the initial stage of the compliance sweep, the OAIC is targeting the privacy policies of selected businesses within sectors that have experienced notable privacy breaches, and where customers are often asked to provide personal details (including identification documents) quickly and without the opportunity to properly review how their information will be used. These sectors include rental and property businesses (where individuals’ personal information is collected during property inspections) and chemist and pharmacy businesses (where individuals’ personal information is collected for dispensing medication or issuing paperless receipts).
Although this phase of the sweep focuses solely on selected businesses, it is unlikely to be an isolated spot check and indicates the OAIC's shift toward stricter privacy enforcement. Given regulators are actively monitoring compliance and have the means to impose significant penalties, all businesses within these sectors should take proactive steps to ensure compliance.
Compliance Requirements
The OAIC’s primary focus is assessing whether businesses have a clearly expressed and up to date privacy policy that addresses the management of personal information and contains the required information regarding how an individual’s information will be collected, used, disclosed and destroyed.
Penalties
The consequences of non-compliance can be significant. If the OAIC finds that a business’ privacy policy fails to meet the required standards, possible enforcement action may include issuing a Compliance Notice (which legally compels an organisation to take specified steps to rectify privacy failures) or an Infringement Notice (which may impose financial penalties of up to $66,000 per infringement).
Key Takeaways
The current compliance sweep serves as a call for all businesses in the real estate and pharmacy sectors to proactively review privacy policies (and overall data handling practices). Consider: Does your privacy policy contain all required information under the Privacy Act? Is it written in clear, plain language? Is it easily accessible to customers at the point of data collection? If you have any uncertainty or suspect gaps, it’s important to address these issues sooner rather than later – before the OAIC comes knocking.
Need legal advice or assistance with your business?
We are here to assist. We can provide expert legal advice and support in reviewing your existing privacy policy for compliance gaps or by drafting a new privacy policy tailored to your business’ needs. Acting now will help protect your business against enforcement action and maintain the trust of your customers.
Please contact us to arrange a consultation with our commercial team to discuss strengthening your privacy compliance.
