Legal Update Alert: Privacy Compliance Sweep Puts Privacy Policies Under the Spotlight
Australia’s privacy regulator will begin 2026 with its first-ever privacy compliance sweep, conducting a targeted review of selected businesses’ privacy policies to ensure they comply with strict legal requirements.
The compliance sweep will commence in the first week of January 2026 and will focus on businesses that collect personal information in person. This includes everyday practices such as real estate agents requesting contact details at open homes or car rental companies requiring customers to complete detailed forms.
What Is the OAIC Compliance Sweep?
The Office of the Australian Information Commissioner (OAIC) will review whether privacy policies clearly and transparently explain how personal information is collected, used, disclosed, and managed.
Businesses found to have non-compliant privacy policies may face:
Compliance notices
Infringement notices
Penalties of up to $66,000
Recent amendments to the Privacy Act, passed by Parliament in 2024, have expanded the regulator’s enforcement powers. These changes mean that failing to maintain a compliant privacy policy can now attract significantly stronger regulatory consequences.
Why In-Person Collection Is Under Scrutiny
The Privacy Commissioner has identified that in-person information collection often involves power and information imbalances, increasing privacy risks for consumers.
Privacy Commissioner Carly Kind explained:
“When confronted with in-person requests for their personal information from retailers, licensed venues, car hire companies or real estate agents, consumers often don’t have access to all the information they might need to make an informed decision.”
She noted that this can lead to over-collection of personal information and heightened risks to privacy and data security.
The OAIC has stated that the purpose of the sweep is not only enforcement, but also to encourage businesses to reflect on whether their privacy practices are sufficiently robust and compliant with the Privacy Act.
Sectors Targeted in the Compliance Sweep
The OAIC will review the privacy policies of approximately 60 entities across the following six sectors, all of which commonly collect personal information in person:
Rental and property
Collection of personal information during property inspections
Chemists and pharmacists
Collection of information for paperless receipts and identity verification for medication
Licensed venues
Collection of identity information for venue entry
Car rental companies
Collection of identity and personal information to enter rental agreements
Car dealerships
Collection of personal information for vehicle test drives
Pawnbrokers and second-hand dealers
Collection of identity information to sell or pawn goods
These sectors were selected due to the heightened privacy risks associated with collecting personal identification documents and the history of privacy breaches within these industries.
Target entities will be selected based on factors such as size, location, and risk profile, including whether they have previously experienced a data breach.
What the OAIC Will Be Assessing
The compliance sweep will assess whether privacy policies meet the requirements of Australian Privacy Principle (APP) 1.4, which prescribes what information must be included in a privacy policy.
The OAIC has recently updated its APP 1 guidance, reinforcing expectations that privacy policies must be clear, accurate, up to date, and accessible.
The regulator has also confirmed it will take a risk-based and proportionate approach, but will use its expanded enforcement powers where non-compliance is identified.
What This Means for Real Estate Businesses
Real estate agencies routinely collect personal information in person, particularly during open homes, rental applications, and inspections. This places the industry squarely within the OAIC’s focus.
If your privacy policy is outdated, generic, or does not accurately reflect how you collect and handle personal information, now is the time to act.
A compliant privacy policy is no longer optional. It is the foundation of lawful data handling and a key focus area for regulators in 2026.
Case Study 1: Open Home Sign-Ins Without a Compliant Privacy Policy
Scenario: Emma runs a small real estate agency and regularly collects names, phone numbers, and email addresses from attendees at open homes using a paper sign-in sheet. Her agency has a privacy policy on its website, but it has not been updated for several years and does not clearly explain how in-person information is collected or used.
Solution: Ahead of the OAIC compliance sweep, Emma reviews and updates her privacy policy to ensure it complies with APP 1.4. She also adds a clear privacy notice at open homes explaining why personal information is collected, how it will be used, and where attendees can access the full privacy policy.
Outcome:
The agency’s privacy practices align with current Privacy Act requirements
Attendees are better informed and more comfortable providing their details
The agency reduces its risk of regulatory action during the OAIC compliance sweep
Lesson: In-person collection of personal information, particularly at open homes, must be supported by a clear, up-to-date, and accessible privacy policy. Transparency reduces both legal risk and consumer concern.
Case Study 2: In-Office Data Collection Triggers Compliance Risk
Scenario: Michael owns a regional property management business. Prospective tenants are required to complete detailed application forms in person, including identity documents and contact details. While the business has internal data handling processes, its privacy policy is vague and does not clearly explain how long information is retained or how individuals can access or correct their data.
Solution: Michael updates the agency’s privacy policy to clearly outline how personal information is collected, stored, used, disclosed, and destroyed. He also trains staff to provide applicants with a brief explanation of the privacy policy when collecting information in person.
Outcome:
The agency meets the transparency requirements under APP 1.4
Staff handle personal information more consistently
The business is better positioned if selected for the OAIC’s targeted review
Lesson: Privacy compliance is not just about data security. Clear communication at the point of collection, supported by a compliant privacy policy, is essential to meeting Privacy Act obligations.
What Should You Do Now?
With the OAIC’s first privacy compliance sweep starting in January 2026, real estate agencies collecting personal information at open homes and inspections are under increased scrutiny.
Now is the time to review your privacy documents and ensure they are compliant, current, and aligned with how your agency actually operates.
1. Protect Your Agency with Lawyer Approved Privacy Templates
Our Lawyer Approved Privacy Templates are specifically designed for real estate businesses and address the risks highlighted by the OAIC’s compliance sweep. This is the same suite our legal team relies on when advising real estate agencies facing increased scrutiny around in-person data collection. It is designed to give you clarity, confidence, and peace of mind, without needing to revisit your privacy documents again next year.
Available Privacy Packs:
2. Learn from Our Privacy 3.0 Webinar Replay
For further guidance, watch Privacy 3.0: How Real Estate Agencies Can Stay Ahead of Changes, Breaches & Legal Duties with Luke Shumack and Kristen Porter.
The webinar covers:
Updates in privacy legislation and what your agency must do to stay compliant
Essential dos and don’ts when handling personal information in real estate
How to identify data breaches, what counts as one, and the legal steps to follow
Practical guidance on collecting and using data at open homes, online enquiries, and marketing databases
Answers to common privacy questions from real estate agencies
How a Privacy Health Check can protect your agency and provide peace of mind
This webinar complements our privacy packs, giving you the knowledge and tools to manage client data confidently, prevent breaches, and keep your agency legally protected.
Key Takeaways
The OAIC’s first privacy compliance sweep starts January 2026, focusing on in-person data collection.
Real estate agencies collecting personal information at open homes, inspections, or applications are under scrutiny.
Non-compliant privacy policies can result in notices and penalties up to $66,000.
Privacy policies must be clear, up to date, and reflect how your agency collects and uses data.
Use Lawyer Approved Privacy Templates and the Privacy 3.0 webinar replay to ensure compliance and reduce risk.
Next Steps
If you’re a real estate agency looking to ensure privacy compliance ahead of the OAIC sweep, book your FREE 10-minute call with our legal team.
We’ll help you review and update your privacy policies and practices, implement clear in-person data collection procedures, and prepare your agency for increased regulatory scrutiny.
Frequently Asked Questions (FAQ)
-
The sweep targets businesses that collect personal information in person, including real estate agencies at open homes, inspections, or rental applications. It focuses on entities across sectors like property, car rentals, licensed venues, and more.
-
Businesses with non-compliant privacy policies may receive compliance notices, infringement notices, and penalties of up to $66,000. The OAIC may also take further regulatory action depending on the severity of non-compliance.
-
Under APP 1.4, privacy policies must be clear, accurate, accessible, and up to date. They should explain how personal information is collected, used, disclosed, and destroyed, and reflect your agency’s actual practices. Using O*NO Legal lawyer-approved privacy templates ensures your documents meet these standards.
-
Agencies should review and update their privacy policies to ensure they are compliant and reflect actual practices. This includes implementing privacy notices for open homes, inspections, and in-person enquiries, using O*NO Legal lawyer-approved privacy templates, and watching the Privacy 3.0 webinar replay for practical guidance.
Jonathan Green – Partner, O*NO Legal
Jonathan Green is one of the Partners at O*NO Legal with a strong passion for both the real estate and legal industries. With over 15 years of experience, he has led his own firm, worked for a large national law firm, and served as Partner and Director of a busy Victorian real estate agency. As a Licensed Estate Agent, Jonathan understands the real-world challenges his clients face, having worked directly within the industry. After selling his real estate business in 2021, he returned to full-time legal practice, combining his expertise in law and real estate.
Jonathan specialises in commercial law, property transactions, developments, rent roll sales, and leasing and conveyancing matters. He holds a Bachelor of Laws from La Trobe University, a Bachelor of Arts from the University of Melbourne, and is a Graduate of the Australian Institute of Company Directors.
Boring legal stuff: This article is general information only and cannot be regarded as legal, financial or accounting advice as it does not take into account your personal circumstances. For tailored advice, please contact us. PS - congratulations if you have read this far, you must love legal disclaimers or are a sucker for punishment.