
What It Means for Australian Businesses — and How to Prepare Now

Australian businesses are entering a new era of accountability. Starting from 1 January 2026, the Office of the Australian Information Commissioner (OAIC) will launch its first-ever privacy compliance sweep, focusing on organisations that collect personal information in person.

(Read the announcement here: https://www.oaic.gov.au/news/media-centre/privacy-compliance-sweep-to-put-privacy-policies-under-the-spotlight)

This announcement marks a major shift in regulatory expectations and will affect thousands of businesses across both regulated and everyday consumer-facing sectors.

The Sectors Under the Microscope

The OAIC will review the privacy policies of approximately 60 entities from the following six sectors, each of which may collect personal information in person, for compliance with the requirements of APP 1.4:

  • Rental and property – collection of individuals’ personal information during property inspections.
  • Chemists and pharmacists – collection of personal information for the purpose of providing a paperless receipt and collection of identity information to provide medication.
  • Licenced venues – collection of identity information to enable individuals to access a venue.
  • Car rental companies – collection of identity and other personal information to enable an individual to enter into a car rental agreement.
  • Car dealerships – collection of personal information to enable an individual to conduct a vehicle test drive.
  • Pawnbrokers and second-hand dealers – collection of identity information from individuals who wish to sell or pawn goods.

The Focus of the Sweep: In-Person Collection

The sweep is designed to examine whether organisations are meeting their transparency obligations under Australian Privacy Principle (APP) 1.4 and APP 5, specifically, whether privacy policies and collection notices clearly explain what information is collected, why it is collected, and how it is used.

Entities found to have non-compliant privacy policies may face compliance and infringement notices and penalties of up to $66,000.

The OAIC’s decision to focus on in-person interactions highlights an increasing concern about the lack of transparency and the potential for over-collection in environments where customers feel pressured or uninformed.

Many businesses underestimate how often they fall into this risk category. A handwritten sign-in sheet at a property inspection, a receptionist asking for ID without explanation, a venue collecting driver licence details, or a salesperson recording customer information on a clipboard—all are moments where an organisation must be able to justify its collection practices and point customers to a clear, compliant privacy policy.

The challenge, of course, is that most privacy policies are not written with in-person collection in mind. Many are outdated, copied from templates, too vague to meet APP 1.4 requirements, or fail to reflect what actually happens across different teams or locations. This disconnect between policy and practice is precisely what the OAIC intends to uncover.

The good news is that fixing these issues doesn’t need to be overwhelming or expensive. For most organisations, the first step is simply reviewing their current privacy policy and assessing whether it genuinely explains their real-world data handling practices. The next step is ensuring staff understand what they should—and should not—be collecting, and whether customers are being given enough information to make informed decisions.

How de.iterate Can Help

That’s exactly where de.iterate comes in. Designed to help organisations quickly and affordably raise their privacy maturity, de.iterate gives businesses a structured, practical way to align their policies and in-person practices with the Privacy Act, all for $99 per month. For small and medium organisations in particular, it offers a way to meet regulatory expectations without the heavy legal costs typically associated with compliance.

The January sweep is not just an audit. It’s a signal of what’s coming. As Australia moves toward a stronger, modernised privacy regime, transparency will only become more important. Businesses that take steps now to strengthen their compliance posture will not only avoid regulatory risk but also build stronger trust with their customers.

If your organisation collects personal information in person, now is the time to act. The sweep may be targeted, but the message is universal: privacy compliance is no longer something to set and forget.

Learn more about how de.iterate can help: https://deiterate.com/privacy-acts/
