
Most privacy conversations in Australia focus on digital environments, like cookies, tracking pixels, online forms, and data breaches. But the OAIC’s upcoming compliance sweep shines a spotlight on an area of privacy risk that receives far less public discussion: the personal information businesses collect directly from customers in person.

In-person data collection can be deceptively simple. A clipboard at a property inspection. A request for ID before a test drive. A venue entrance checkpoint. A pharmacy counter asking for details to supply medication. These interactions feel routine, almost administrative, but they carry significant privacy implications, especially when customers are not told why the information is needed or how it will be used.

The OAIC has expressed concern about these situations because they create what the Commissioner describes as power and information asymmetries. When staff ask someone face-to-face for their details, customers naturally feel pressure to comply. They may not know whether the information is required or optional, and they often have no visibility of the organisation’s privacy practices. This uncertainty creates a vulnerability that the regulator is now seeking to address.

For businesses, the risk comes from the gap between what happens on the ground and what is documented in the privacy policy. It is not uncommon for staff to request more information than is necessary simply because “that’s how it has always been done.” Over time, these habits become standard practice, even if they conflict with the organisation’s formal procedures or compliance obligations. Without clear guidance and transparent communication, businesses can easily drift into over-collection or ambiguity.

The January sweep will likely expose how widespread these issues are. But beyond regulatory risk, in-person data collection also poses operational challenges. Information gathered casually or inconsistently can end up stored in insecure formats, emailed without protection, or left in physical locations that increase the risk of a breach. These are the kinds of scenarios that undermine both customer trust and organisational resilience.

Addressing these risks requires a shift in mindset. In-person privacy compliance is not just about having a policy. It is about embedding transparency into every interaction. Staff should feel confident explaining why information is requested and what will happen next. Customers should never feel confused or coerced. And businesses should ensure that only the information necessary for the task at hand is collected.

For many organisations, particularly small and medium-sized ones, this level of structured oversight can feel out of reach. That’s why solutions like de.iterate are so valuable. By providing an affordable, practical framework for privacy compliance at $99 per month, de.iterate helps businesses document their practices, modernise their policies, and build a consistent approach across every point of customer interaction.

The regulator’s attention to in-person data collection is long overdue. For organisations, it presents an opportunity not just to avoid scrutiny, but to elevate their privacy maturity and strengthen their customer relationships. The businesses that act now will be better prepared not only for the January sweep, but for the broader privacy reforms expected in the coming years.

Learn more about how de.iterate can support your compliance needs: https://deiterate.com/privacy-acts/
