LEGAL UPDATE ALERT: 2Apply Found to Have Engaged in Unlawful Data Collection. What Real Estate Agencies Need to Know
If your agency uses tenancy application platforms like 2Apply, this update matters.
This week, The Age reported that millions of renters may have had personal information unlawfully collected through rental application processes, following a major privacy ruling against IRE Pty Ltd.
According to the report, Australia’s Privacy Commissioner found that 2Apply collected significantly more personal information than was reasonably necessary from rental applicants. This included highly sensitive personal information that many renters felt pressured to provide in order to secure housing. Office of the Australian Information Commissioner also raised concerns that renters were often left feeling they had little genuine choice in the process.
This decision should be a wake up call for real estate agencies relying on third party technology platforms.
Because while the platform may be collecting the information… your agency may still be exposed.
What happened?
In IRE Pty Ltd (Privacy) [2026] AICmr 24 (1 April 2026), the Privacy Commissioner found that 2Apply engaged in excessive data collection practices that breached Australian privacy laws. The Commissioner specifically found that 2Apply did not need to collect the following information to perform its tenancy application functions:
Gender
Names and ages of dependants
Student status
Bankruptcy status
Retirement status
Previous living history details
Whether applicants owned their principal place of residence or investment property
Whether applicants were applying for other rental properties
Bond or rental assistance application status
Citizenship status
Visa expiry information
The Commissioner also found that 2Apply was collecting too much detail in relation to:
Emergency contacts
Vehicle details
Identification documents
Passport information
Medicare card details
Proof of income documents
Employment information including occupation, start/end dates and employment status
The biggest issue? Power imbalance.
This part of the Commissioner’s comments is what agencies should pay close attention to.
They stated:
“The circumstances in which the respondent collects personal information is characterised by significant power imbalances, limited choice and security risks relating to the real estate sector.”
And further:
“The competitiveness of the current rental market means that individuals are at a disadvantage when trying to rent a home and are more vulnerable.”
The Commissioner also criticised what they described as “online choice architecture” practices, which pressured renters into handing over more information than they may have otherwise agreed to provide.
In simple terms?
Applicants may have felt that if they didn’t provide extensive personal information, they wouldn’t secure the property.
That creates serious privacy risk.
Why this matters for real estate agencies
Many agencies assume:
"We use a third party platform, so privacy compliance sits with them."
That assumption can be dangerous.
If your agency:
directs applicants to these platforms
collects information through these platforms
stores applicant information in your CRM
downloads documents from these systems
shares information internally
You may still have obligations under the Privacy Act 1988 and the Australian Privacy Principles.
Regulators are increasingly looking at how information is collected in practice, not just whether you have a privacy policy sitting on your website.
Questions every agency should be asking right now
What applicant data are we currently collecting?
Do we actually need all of it?
Are our application forms collecting excessive information?
What third party platforms are we relying on?
Have we reviewed their privacy practices?
Are applicants being given meaningful choice?
Are we securely storing and deleting personal information?
Do our collection notices properly disclose what we’re doing?
If you can’t confidently answer these questions, it may be time for a privacy review.
This comes at the worst possible time for agencies
And by worst, we mean regulators are already increasing scrutiny.
As we’ve been warning agencies:
The Office of the Australian Information Commissioner has already commenced broader privacy compliance activity in the real estate sector.
Having a privacy policy alone is not enough.
Agencies need operational compliance across:
open homes
rental applications
inspections
CRM systems
employee handling of personal information
data breach response processes
What agencies should do now
Review every tenancy application platform you use
Audit what applicant data is being collected
Remove unnecessary collection points
Update collection notices
Review your privacy policies and procedures
Train staff on compliant data handling
Ensure you have a data breach response plan
This ruling makes one thing very clear:
Just because a platform asks for the information doesn’t mean you should be collecting it.
And if regulators start asking questions, blaming the software provider likely won’t be enough.
The agencies that act now will be in a far better position than those waiting for complaints, investigations or media scrutiny.
Key Takeaways
The Privacy Commissioner has ruled that 2Apply engaged in unlawful data collection
Collecting “just because the software asks for it” is not a legal defence
Real estate agencies may still be liable even when using third party platforms
Excessive collection of tenant information creates major regulatory risk
Agencies should urgently review their rental application systems and privacy practices
Next Steps
Need help reviewing your agency’s privacy compliance?
O*NO Legal helps real estate agencies identify privacy risks before regulators do.
Learn more about our comprehensive privacy audit and implementation system
for real estate agencies hereand book in today.
To read just what the Commissioner said about each element of data collection, click here.
Frequently Asked Questions (FAQ)
-
Yes. If your agency directs applicants to the platform, accesses the data, stores it, or relies on it, you may still have Privacy Act obligations.
-
Only collect information that is reasonably necessary for the tenancy application process. Excessive collection creates legal risk.
-
No. This ruling should prompt agencies using any tenancy application platform to review their privacy practices.
-
You may face privacy complaints, regulatory investigations, reputational damage, and potential penalties.
-
If you are unsure what your agency is collecting or whether your systems are compliant, a privacy audit is highly recommended.
Luke Shumack – Partner, O*NO Legal
Luke Shumack is one of the Partners at O*NO Legal with a Bachelor of Laws and a sharp focus on helping agencies and business owners stay compliant while scaling with confidence. Since starting his legal career in 2021, Luke has worked closely with real estate agencies, startups, and established businesses on privacy compliance, employment law, contractor agreements, mergers and acquisitions, and corporate governance. Known for his tech-savvy approach and love of efficiency, Luke blends legal precision with practical business strategy—making the complex simple for clients who want to move fast without risk.
Boring legal stuff: This article is general information only and cannot be regarded as legal, financial or accounting advice as it does not take into account your personal circumstances. For tailored advice, please contact us. PS - congratulations if you have read this far, you must love legal disclaimers or are a sucker for punishment.