
If your business collects personal information from customers (whether online, over the phone or in person) Australian privacy law requires you to give people certain information at the time you collect it. This explanation is called a collection notice, and it’s a core part of your obligations under Australian Privacy Principle 5 (APP 5).

With the OAIC launching its first ever privacy compliance sweep from 1 January 2026, focusing specifically on in-person data collection, now is the time for small businesses to understand what a collection notice is, when you need one, and what must be included.

The good news?

A collection notice doesn’t need to be long or complicated, but it does need to be clear, timely and accurate.

Let’s break it down in plain English.

What is a collection notice?

A collection notice is simply the information you must give someone when you collect their personal details.

Think of it as answering three questions upfront:

  1. What are you collecting?
  2. Why are you collecting it?
  3. What will you do with it once you have it?

APP 5 requires you to tell people this at or before the time you collect their information. If that’s not possible, you must tell them as soon as you reasonably can afterwards.

This applies no matter how you collect the information, but it is especially important when you collect information face-to-face, which is exactly what the OAIC will be reviewing in January.

Why is APP 5 under the spotlight during the January sweep?

The Privacy Commissioner has made it clear:

When businesses collect personal information in person (during sign-ins, inspections, ID checks, bookings, rentals, or purchases) people often don’t know why their information is being requested. They may feel pressured to hand it over or assume it’s required.

The OAIC calls this a “power and information asymmetry”, and it’s one of the reasons certain industries (real estate, venues, pharmacies, car dealers, pawnbrokers, etc.) have been selected for review.

A clear, accessible collection notice helps fix that imbalance.

If your staff are asking for someone’s name, ID, phone number or any personal details, you must be able to explain:

  • why your business needs it
  • how you will use it
  • whether it is mandatory or voluntary
  • where they can find your full privacy policy

If this explanation doesn’t happen (or your privacy policy doesn’t match what your staff are doing), your business may fall short of APP 5.

What must a collection notice include? (In plain English)

APP 5 outlines several things you must tell people when collecting their information. In everyday terms, your notice should cover:

1. Who is collecting the information: The person should know it’s your business collecting it, not a third party.

2. What you’re collecting: Be specific. For example, “your name and phone number,” “your driver licence,” or “your email for issuing a digital receipt.”

3. Why you’re collecting it: Give a real, clear reason. People should not have to guess.

4. What happens next: Explain how the information will be used, stored, or shared.

5. Whether providing the information is required: Some things may be necessary to provide a service (e.g., licence details for a test drive). Others may be optional.

6. What happens if they don’t provide it: For example, “If you choose not to provide your details, we may not be able to proceed with your booking.”

7. Where to find your privacy policy: This should be easily accessible online, printed, or visible in-store.

8. Whether the information will be sent overseas: If your systems or service providers store information outside Australia, the customer must be told.

What does a collection notice look like in practice?

A collection notice doesn’t need to be a legal essay. It can be:

  • a short explanation given verbally by staff
  • a sign at your reception counter
  • text displayed on an iPad or sign-in app
  • wording added to a paper form
  • a message on your website or booking page

The key point is the timing: People must receive the information before or at the moment their details are collected.

If your staff are asking for personal information without a script, sign, or notice to guide them, you may already be out of step with APP 5.

Why many small businesses struggle with APP 5 (and why the sweep will expose it)

Most small businesses don’t have formalised scripts or data collection procedures. Staff often “just ask for what they’ve always asked for,” and collection practices evolve informally over time.

This leads to common issues such as:

  • collecting more information than needed
  • failing to tell people why information is required
  • inconsistent explanations between staff
  • no written or visible collection notice
  • privacy policies that don’t reflect actual practice

The OAIC’s sweep will specifically examine whether your privacy policy and your real-world practices match. If they don’t, that’s a compliance problem.

The simple way to get your APP 5 obligations sorted

Understanding APP 5 is one thing. Implementing it consistently across your business is another.

That’s why de.iterate was designed: to give small and medium organisations a practical, affordable way to meet privacy requirements without needing an in-house lawyer or privacy officer.

For $99 per month, de.iterate helps you:

  • create clear, accessible collection notices
  • align in-person practices with APP 5
  • update your privacy policy to match your processes
  • avoid over-collection risks
  • train staff to communicate clearly and consistently

The January sweep is a wake-up call, but it’s also an opportunity to get your privacy house in order before regulators start paying closer attention.

A collection notice is simply about being upfront and transparent with the people whose information you collect. Done well, it protects your customers and protects your business. And with the OAIC about to review in-person data collection across Australia, it’s the perfect time to make sure your notices and processes are clear, consistent and compliant.

Get your APP 5 obligations sorted before the sweep begins: https://deiterate.com/privacy-acts/
