Privacy Audits Have Started: Why Real Estate Agencies Can No Longer Put This Off

Privacy audits are no longer something that is “about to happen”. They are happening now.

As we move through January and into February 2026, Australia’s privacy regulator has officially begun its first-ever privacy compliance sweep. Real estate agencies are firmly in scope. Not because they are doing anything unusual, but because they collect personal information in person, every single day.

If your agency is still relying on an old privacy policy, a generic template, or the assumption that privacy only matters for big businesses, this is the moment where that thinking becomes risky.

We are already speaking with agency owners who assumed they were compliant until they actually looked closely at what their privacy policy says compared to what their team does in practice. For many, the gap is bigger than they expected.

This is the first blog in our Privacy Super Guide series for real estate agencies. In this article, we explain why privacy compliance is now a live issue, how Anti Money Laundering obligations automatically pull privacy law into play, and what agencies should be fixing right now while the regulator is actively reviewing businesses.

Why Privacy Is Front and Centre for Real Estate Agencies in Early 2026

For years, privacy compliance sat quietly in the background for many agencies. It existed, but enforcement felt distant. That has changed.

The Office of the Australian Information Commissioner has begun a targeted compliance sweep focusing on businesses that collect personal information in person. Real estate agencies sit squarely in that category. Open homes, inspections, rental applications, in-office enquiries and identity checks all involve face-to-face data collection.

The regulator has been very clear about why this matters. When information is collected in person, consumers often do not have the time, information, or confidence to question what is being collected or why. That creates a risk of over-collection, poor disclosure, and misuse of personal data.

From a regulator’s perspective, real estate agencies handle large volumes of sensitive information and often rely on informal or outdated systems. That combination makes the sector a priority. 

Importantly, this compliance sweep is not just about punishment. It is about forcing businesses to review whether their privacy practices actually line up with the law. That said, infringement notices of up to $66,000 are available where non-compliance is identified, and more serious issues can escalate further.

If your privacy policy is vague, outdated, copied from another business, or does not reflect how your agency really operates, you are exposed. 

Anti Money Laundering Obligations Change Everything for Privacy 

One of the most common misconceptions we still hear is this: “We are under $3 million turnover, so privacy law does not really apply to us.” 

That assumption is becoming increasingly dangerous. Once a real estate agency is required to comply with Anti Money Laundering laws, privacy compliance becomes mandatory, regardless of turnover. The small business exemption no longer offers protection. 

AML obligations require agencies to collect, verify, store, and sometimes disclose highly sensitive personal information. This includes identity documents, proof of address, and financial details. That information is squarely regulated by the Privacy Act. In practical terms, if AML applies to your agency, you must have a compliant privacy policy, clear privacy notices, proper data handling procedures, and staff who understand how to explain privacy obligations to clients and tenants. 

We are seeing agencies focus heavily on AML systems while unintentionally creating privacy risks. More data is being collected, but privacy disclosures have not been updated. Retention periods are unclear. Destruction processes do not exist. 

Regulators will not accept “we did not realise” as an excuse. AML and privacy are legally connected, whether agencies like it or not. We recently assisted an agency that had invested heavily in AML compliance software but had not touched their privacy documents in years. Once this was identified, we updated their privacy policy, aligned their AML processes with privacy obligations, and created simple scripts for staff to use when collecting information in person. The agency is now compliant on both fronts and far more confident dealing with clients. 

What the Regulator Is Actually Looking at Right Now

Privacy compliance is not just about having a document on your website. The regulator is looking at how privacy works in practice. Under Australian Privacy Principle 1.4, privacy policies must clearly explain how personal information is collected, used, disclosed, stored, and destroyed. They must be easy to access and easy to understand. 

In the current compliance sweep, the regulator is comparing written policies to real-world behaviour. If your policy says one thing and your processes say another, that is a problem.

For example, if your policy suggests you only collect basic contact information, but your rental application process involves extensive identity verification, there is a mismatch. If your policy promises secure storage and timely destruction but your agency has no clear system for doing this, there is another issue. 

Point of collection is also under scrutiny. When someone signs in at an open home, are they told why their information is being collected? Are they told where to find the privacy policy? Are they given meaningful information, or just handed a clipboard or iPad? We worked with a regional agency that had a reasonably strong privacy policy but no in-person disclosure at open homes. From a compliance perspective, this created a real gap. A simple printed privacy collection notice and brief staff training closed that gap quickly and significantly reduced their risk.

Privacy compliance is not about perfection. It is about transparency, accuracy, and alignment between words and actions. 

Real Case Studies From Agencies Navigating Privacy Right Now 

Case Study 1: Open homes under the spotlight 

A metropolitan agency was collecting names, phone numbers, and email addresses at open homes using an iPad and software. Their privacy policy existed but had not been updated since before the 2024 legislative changes. 

We reviewed the policy and found it did not clearly explain in-person collection, marketing use, or how individuals could access or correct their information. We updated the policy, created a clear open home privacy notice, and aligned their CRM practices with what the policy promised.

The outcome was immediate. Staff felt more confident answering questions, attendees were better informed, and the agency significantly reduced its exposure during the compliance sweep. 

Case Study 2: Rental applications and identity handling  

A property management business required tenants to provide extensive identity documentation in person. While the information was necessary, the privacy policy did not explain retention periods or destruction processes. 

We helped the agency map how information flowed through the business, updated the privacy policy, and implemented a clear process for secure storage and disposal. Staff were trained on how to explain privacy obligations when collecting documents. This improved compliance and reduced tenant complaints. The agency also found their internal processes became more efficient. 

Case Study 3: AML compliance triggers a privacy reset   

An agency preparing for AML obligations focused heavily on verification and reporting. Privacy compliance had not been considered. 

We worked alongside their AML advisers to ensure privacy obligations were integrated rather than treated as an afterthought. Policies were updated, in-person disclosures rewritten, and staff guidance simplified.

The agency is now compliant across both AML and privacy and well prepared for ongoing regulatory scrutiny. 

Key Takeaways

  • Privacy compliance is no longer theoretical. Audits have started

  • Real estate agencies are a specific focus due to in-person data collection

  • AML obligations automatically trigger Privacy Act compliance

  • Outdated or generic privacy policies are a real risk

  • What you do in practice must match what your privacy policy says

Next Steps

If your agency collects personal information, and especially if AML applies to you, now is the time to review your privacy compliance properly. A short, targeted review can identify gaps before they become problems. 

Book your free 10-minute call today. We will help you understand where you stand, what needs updating, and how to fix it without unnecessary complexity.

 

Frequently Asked Questions (FAQ)

  • Yes. The compliance sweep is already underway, and agencies must ensure their privacy policies and practices meet current legal requirements.

  • Yes. AML compliance removes the small business exemption and triggers full Privacy Act obligations.

  • In-person collection at open homes, inspections, and applications without clear privacy disclosures.

  • No. Privacy must also be explained at the point of collection and reflected in daily practices.

  • Most issues can be identified and addressed quickly with the right legal guidance and clear documentation.

 

The O*NO Legal Team

O*NO Legal is a team of commercially-minded lawyers who specialise in helping business owners—particularly in real estate and service-based industries—stay compliant, protect their assets, and grow with confidence. Led by Founder Kristen Porter, our team combines deep legal expertise with firsthand business experience. We don’t just interpret the law—we translate it into strategic advice you can actually use. From contracts and employment to privacy, compliance, and M&A, we’re here to simplify the complex and make the law work for you. At O*NO Legal, we’re changing the way business owners experience legal services.

 

Boring legal stuff: This article is general information only and cannot be regarded as legal, financial or accounting advice as it does not take into account your personal circumstances. For tailored advice, please contact us. PS - congratulations if you have read this far, you must love legal disclaimers or are a sucker for punishment.
