CRM, AI & Data Use Under the New Laws: What Real Estate Agencies Need to Know
Real estate agencies are collecting, storing, and sharing more personal information than ever before, such as client information, tenant applications, identification documents, sales databases, landlord financial details, buyer enquiries, and open home records.
And now, many agencies are layering AI tools and automations over the top of all of it.
CRMs are becoming smarter. AI tools are drafting emails, summarising conversations, generating marketing content, analysing leads, and assisting with workflows.
But here is the problem.
Many agencies adopted this technology far faster than they updated their privacy practices.
And in 2026, regulators are paying close attention to how businesses collect, store, use, disclose, and protect personal information. That includes how agencies use AI.
Why CRMs and AI Have Become a Privacy Risk
For years, agencies mainly worried about privacy in obvious situations like rental applications or data breaches. Now the risks are much broader.
Many agencies are unknowingly:
Uploading personal information into AI tools
Giving offshore teams access to sensitive client data
Using CRMs with unclear overseas data storage practices
Syncing multiple platforms together without understanding where data flows
Retaining information far longer than necessary
Collecting more information than they actually need
And often, nobody inside the business has fully mapped where all the information is going. That creates serious risk under the Privacy Act and the Australian Privacy Principles.
The Biggest CRM and AI Mistakes Agencies Are Making
Staff using public AI tools with client information
This is becoming incredibly common.
Staff copy and paste:
Tenant disputes
Client conversations
Contracts
Financial details
Complaint summaries
Internal discussions
into public AI tools to save time.
The problem?
Many agencies have no internal AI policy controlling what staff can and cannot upload.
That creates privacy, confidentiality, and cybersecurity risks.
CRMs collecting more data than necessary
Many CRMs allow agencies to store huge amounts of personal information. Just because the CRM has a field for something does not automatically mean you should collect it.
This issue became even more relevant following the April 2026 2Apply privacy ruling, where the Privacy Commissioner criticised excessive data collection practices in tenancy applications. Agencies now need to ask: “Is this information genuinely necessary?”
No oversight of third party providers
Many agencies now use:
Offshore virtual assistants
AI transcription tools
Automated marketing systems
SMS platforms
Cloud storage systems
Integrated apps and plugins
But few agencies properly review:
Where data is stored
Who can access it
Whether overseas disclosure occurs
What security protections exist
Whether providers comply with Australian privacy expectations
This becomes especially important when handling tenant identification documents, financial information, and AML-related information.
Keeping data forever
This is another major issue.
Many agencies are storing years of:
Old tenant applications
Historical buyer enquiries
Copies of passports and licences
Archived emails
Old CRM records
The more information your agency holds unnecessarily, the bigger your exposure if something goes wrong.
AI Does Not Remove Your Legal Responsibilities
One of the biggest misconceptions we are seeing is: “The software handles that.”
Unfortunately, regulators generally look at the agency collecting and controlling the information, not just the software provider.
That means agencies still need to think about:
Privacy policies
Collection notices
Data retention
Staff training
Security systems
Third party agreements
Data breach response plans
AI tools do not remove your obligations under privacy laws. In many cases, they increase them.
The AML and Privacy Overlap Agencies Are Missing
This becomes even more important as AML obligations expand across the real estate industry.
Many agencies are about to collect more identification information than ever before.
That means agencies need to think carefully about:
Where AML data is stored
Who can access it
Whether full ID copies are necessary
Whether AI systems interact with that data
How information is secured and destroyed
Privacy and AML compliance are now closely connected.
Many agencies are preparing for AML while completely overlooking the privacy side of the equation.
Case Studies: What We Are Seeing in Practice
Case Study 1: Staff Uploading Client Information Into AI Tools
An agency discovered team members were uploading client conversations and tenancy dispute summaries into public AI tools to help draft responses. The agency had no AI policy and no controls around data use.
We helped implement internal AI usage policies and review privacy risks across the business.
Case Study 2: The CRM Nobody Had Reviewed
A growing agency had integrated multiple CRMs, automations, and marketing platforms over several years. Nobody inside the business fully understood where client information was being stored or shared.
We helped map their data flows, review privacy risks, and identify gaps in their systems and collection notices.
Case Study 3: Offshore Teams Accessing Sensitive Data
An agency engaged offshore support staff who had broad access to tenant and landlord information. There were no clear internal privacy controls or provider agreements in place.
We helped the agency review access permissions, provider arrangements, and privacy compliance processes.
What Agencies Should Be Doing Now
Review Your CRM Data
Understand:
What information you collect
Why you collect it
Whether it is still needed
Who can access it
Create An AI Usage Policy
Staff should clearly understand:
What can be uploaded into AI tools
What should never be uploaded
Which tools are approved
How confidentiality is protected
Review Third Party Providers
You should understand:
Where your data is stored
Whether overseas disclosure occurs
What security protections exist
Whether providers align with your privacy obligations
Strengthen Your Privacy Framework
This includes:
Updated privacy policies
Collection notices
Internal procedures
Staff training
Data breach response plans
Key Takeaways
AI and CRM systems are creating new privacy risks for agencies
Uploading client information into AI tools can create legal exposure
Agencies remain responsible for personal information even when using third party systems
Excessive data retention increases breach risk
AML and privacy compliance are becoming increasingly connected
Next Steps
Most agencies adopted AI and CRM systems long before reviewing the privacy risks sitting behind them.
Now is the time to understand how your agency is collecting, storing, sharing, and protecting personal information across all platforms and providers.
We help agencies review privacy risks, AI usage practices, CRM systems, and data handling processes before problems escalate.
Frequently Asked Questions (FAQ)
-
Agencies should be extremely careful when uploading personal or confidential information into AI tools, especially public platforms.
-
Yes. Agencies remain responsible for how personal information is collected, stored, used, and disclosed within CRM systems.
-
Yes. Overseas disclosure of personal information creates additional privacy compliance considerations.
-
Increasingly, yes. AI usage policies help reduce confidentiality, privacy, and cybersecurity risks.
-
Excessive data retention increases privacy exposure and potential data breach risk.
Luke Shumack – Partner, O*NO Legal
Luke Shumack is one of the Partners at O*NO Legal with a Bachelor of Laws and a sharp focus on helping agencies and business owners stay compliant while scaling with confidence. Since starting his legal career in 2021, Luke has worked closely with real estate agencies, startups, and established businesses on privacy compliance, employment law, contractor agreements, mergers and acquisitions, and corporate governance. Known for his tech-savvy approach and love of efficiency, Luke blends legal precision with practical business strategy—making the complex simple for clients who want to move fast without risk.
Boring legal stuff: This article is general information only and cannot be regarded as legal, financial or accounting advice as it does not take into account your personal circumstances. For tailored advice, please contact us. PS - congratulations if you have read this far, you must love legal disclaimers or are a sucker for punishment.