Australian privacy policies under fire: Essential uplifts to safeguard against the OAIC’s compliance crackdown

Herbert Smith Freehills Kramer

The regulator has announced it will scrutinise the approaches of around 60 organisations across several sectors

Key takeaways

As announced in late 2025, the Office of the Australian Information Commissioner (OAIC) will this month commence a crackdown on the privacy policies of organisations that collect information in-person. The OAIC has announced it will scrutinise the privacy policies of approximately 60 organisations operating across a number of different sectors to review compliance with APP 1.4. Given the OAIC’s recently expanded penalty options, organisations within the scope of the OAIC’s review should be aware that:

  • This compliance sweep and potential enforcement activity may mark a shift from the OAIC’s historical approach focusing on education and conciliation to a more proactive enforcement approach.
  • They may need to defend their privacy documentation (particularly privacy policies) and ensure they are compliant with APP 1.3 and APP 1.4.
  • They may need to demonstrate that their information handling practices comply with the contents of the relevant privacy policy in relation to collection, use, and disclosure.
  • Their privacy policies and practices may be reviewed and subject to additional regulatory scrutiny.
  • More broadly, recent amendments to the Privacy Act 1998 (Cth) (Privacy Act) in 2024 introduced new powers for the OAIC in connection with infringements. Non-compliance with the Australian Privacy Principles (APPs) and Privacy Act may expose organisations to penalties including the issue of infringement notices (up to $330,000 for corporations).

Privacy policy compliance sweep

On the 1st of January, the OAIC commenced its targeted reviews of selected privacy policies of organisations that collect information in-person to:

  • determine whether they comply with legal transparency obligations under APP 1.3 and APP 1.4 for the management of personal information; and
  • ensure they are using the personal information they collect in accordance with their privacy policy.

The OAIC considers that in-person collection may result in consumers not receiving access to information they need to make informed decisions, make them vulnerable to overcollection of personal information, and heighten security and privacy risks.

Privacy policy requirements: APP 1.3 and APP 1.4

Organisations must be transparent with consumers through their privacy policies about how they use the personal information they collect. As part of the OAIC’s sweep, selected organisations’ privacy policies will be assessed against the requirements of APP 1.4, which outlines what an organisation’s privacy policy must include. APP 1.4 requires that privacy policies:

Targeted sectors and technologies

The OAIC will assess the privacy policies of approximately 60 entities from the following sectors where personal information is collected in-person.

Sectors and targeted entities, with the targeted collection in each case [1]:

  • Rental and property: collection of personal information during property inspections, including agents requesting phone numbers of attendees.
  • Chemists and pharmacists: collection of personal information to provide a paperless receipt and to provide medication, including medical conditions.
  • Licensed venues: collection of identity information to allow access to a venue, such as the collection of driver licence information to verify age.
  • Car rental companies: collection of identity documents to enable an individual to enter into a car rental agreement, such as lengthy purchase forms.
  • Car dealerships: collection of personal information to enable individuals to conduct a vehicle test drive, particularly driver licence information.
  • Pawnbrokers and second-hand dealers: collection of identity information from individuals who wish to sell or pawn goods, particularly government identifiers.

Implications of a non-compliant privacy policy

Legislative changes to the Privacy Act passed by Parliament in late 2024 [2] expanded the civil penalty regime for breaches of the APPs. The OAIC now has authority to issue infringement notices of up to $330,000 to corporations that fail to implement and maintain a current, comprehensive, and easily accessible privacy policy.

The OAIC will consider the following factors when determining the amount of any infringement notice:

  • The size, scale and impact of potential harms and risks raised by the non-compliance;
  • The organisation’s historical compliance with the APPs;
  • Whether the organisation is entrenched or a new market entrant; and
  • The impact and degree of the non-compliance.

Critically, the expanded civil penalty regime and uptick in active enforcement suggest a strong shift in the OAIC’s regulatory approach from education and conciliation towards more robust and active enforcement.

Urgent steps your organisation needs to take

Organisations must ensure their privacy policy complies with APP 1.3 and APP 1.4 and that their privacy practices are aligned to, and consistent with, their privacy policies. Organisations must ensure they do not collect, use, or disclose information in a way that is not expressly identified in their privacy policy. An example of such a gap is disclosing personal information to overseas service providers for the maintenance of systems where that overseas disclosure is not contemplated by, or drafted into, the policy.


Footnotes

1. https://www.oaic.gov.au/news/media-centre/privacy-compliance-sweep-to-put-privacy-policies-under-the-spotlight

2. See section 13K of the Privacy and Other Legislation Amendment Act 2024 (Cth).


© Herbert Smith Freehills Kramer
