AML Changed Privacy Rules for Real Estate Agencies. Will You Be Ready by 1 July?

For years, many smaller real estate agencies believed they were exempt from the Privacy Act because they turned over less than $3 million.
That is no longer the full story.

From 1 July 2026, many real estate professionals become reporting entities under Australia’s expanded Anti-Money Laundering and Counter-Terrorism Financing laws.

And here is what many agencies are missing:
If your agency becomes subject to AML obligations, you are also required to comply with the Privacy Act when handling personal information for those AML obligations.
That includes agencies that would otherwise fall under the small business exemption.

This means many agencies are about to collect more personal information while facing greater privacy obligations at exactly the same time.
And many are not ready.

Why AML Changes Everything for Privacy Compliance

AML requires agencies to collect and verify significant personal information. 
This may include: 

  • Names

  • Dates of birth

  • Residential addresses

  • Identification information

  • Beneficial ownership information

  • Risk assessment information

  • Customer verification records 

That creates immediate privacy obligations. 

The OAIC has made it very clear that reporting entities must comply with the Privacy Act when handling this information.
That means your agency now needs to think about: 

  • What information you are collecting

  • Why you are collecting it

  • Whether it is reasonably necessary

  • Where it is stored

  • Who has access to it

  • When it should be destroyed 

This is where many agencies are currently exposed. 

The Biggest Privacy Mistakes We Are Seeing Agencies Make

Keeping full copies of passports and licences

This is a major one.
The OAIC has confirmed agencies do not automatically need to retain full copies of ID documents under the updated AML framework.

From 1 July 2026, agencies should generally retain only the information required for compliance purposes rather than keeping full copies unnecessarily.
Holding unnecessary copies creates major breach risk. 

Outdated privacy policies

Many agency privacy policies were written years ago and do not mention AML collection activities.
That is a problem.

Your privacy policy now needs to accurately explain how personal information is collected, used, stored, disclosed, and destroyed.

Missing collection notices

Your clients need to understand: 

  • Why you are collecting their information

  • Whether collection is required by law

  • What happens if they refuse

  • Who information may be disclosed to 

Many agencies currently have no compliant collection notices. 

Weak third party contracts

If your CRM, ID verification provider, offshore VA, or document storage platform handles personal information, you need to know exactly what they are doing with that data.

The OAIC has specifically warned businesses to review third party provider arrangements.

No data breach response plan

You are about to hold more sensitive information.
That means greater breach exposure. If something goes wrong, your team needs a plan.

Case Studies: What We’re Seeing in Real Life

Case Study 1: The Agency That Thought They Were Exempt

A boutique agency under $3 million turnover assumed privacy laws did not apply to them.
Once we reviewed their AML obligations, they realised they would soon be collecting significantly more personal information.
We identified major gaps in their privacy policy, collection notices, and document retention practices.
We helped them fix everything before the AML deadline and avoided a fine. 

Case Study 2: The Agency Storing Too Much ID Data

An agency was keeping full copies of passports and driver licences in multiple systems.
This created unnecessary privacy exposure.
We helped redesign their collection and retention processes to reduce risk. 

Case Study 3: The Agency With No Privacy Framework

An agency had started preparing for AML but had completely missed the privacy side. They had no collection notices, no breach response plan, and no third party contract reviews.
We helped build their privacy framework before they became exposed. 

Why Waiting Until June Is Risky

We are already seeing agencies leave this too late.
Privacy compliance is not just: “Update your privacy policy.” 

It often requires: 

  • Reviewing workflows

  • Updating collection documents

  • Reviewing storage systems

  • Reviewing third party providers

  • Updating internal procedures

  • Creating breach plans

  • Training staff 

This takes time.
And as more agencies scramble before 1 July, support availability will become tighter. 

What Our Privacy Prepared Health Check Does

This is exactly why we created our Privacy Prepared Health Check + Action Plan.
We help agencies identify privacy gaps before regulators do.

We review: 

  • Your privacy documents

  • Your collection processes

  • Your AML privacy risks

  • Your storage practices

  • Your third party arrangements

  • Your breach readiness 

And provide a practical action plan.
No fluff.
No generic templates.
Real legal advice built for real estate agencies. 

Key Takeaways

  • AML now pulls many real estate agencies into privacy compliance

  • Agencies under $3 million are not automatically exempt

  • 1 July 2026 is approaching quickly

  • Holding unnecessary ID data creates serious risk

  • Many agencies are only preparing for half the problem

Next Steps

If your agency is preparing for AML but has not reviewed privacy obligations yet, now is the time.
Waiting until late June could leave you scrambling. 

Our Privacy Prepared Health Check helps agencies identify gaps and get compliant before the deadline. 

 

Frequently Asked Questions (FAQ)

  • For many agencies, yes. The OAIC has confirmed reporting entities must comply with the Privacy Act for AML related personal information handling.  

  • Not necessarily. In many cases, agencies should only retain the necessary verification records rather than full copies.  

  • Usually privacy policies, collection notices, internal procedures, and data breach response processes. 

  • You still need to understand how third parties handle personal information. 

  • That depends on how prepared you are, which is why leaving it late creates risk. 

 

Luke Shumack – Partner, O*NO Legal

Luke Shumack is one of the Partners at O*NO Legal with a Bachelor of Laws and a sharp focus on helping agencies and business owners stay compliant while scaling with confidence. Since starting his legal career in 2021, Luke has worked closely with real estate agencies, startups, and established businesses on privacy compliance, employment law, contractor agreements, mergers and acquisitions, and corporate governance. Known for his tech-savvy approach and love of efficiency, Luke blends legal precision with practical business strategy—making the complex simple for clients who want to move fast without risk.

 

Boring legal stuff: This article is general information only and cannot be regarded as legal, financial or accounting advice as it does not take into account your personal circumstances. For tailored advice, please contact us. PS - congratulations if you have read this far, you must love legal disclaimers or are a sucker for punishment.
