The Hidden Ways Real Estate Agencies Get Caught by the Privacy Act

A lot of real estate agencies still believe privacy law is something they can deal with later.

That belief is quietly putting agencies at risk.

In 2026, privacy compliance is no longer just about whether you are a “big business”. It is about what information you collect, how you use it, and what you have promised other parties you will do with it.

This blog is the third in our Privacy Super Guide series. It explains who must comply with the Privacy Act in real estate, the lesser-known ways agencies get caught by privacy obligations, and what the Australian Privacy Principles actually require agencies to do in practice.

Who Has to Comply With the Privacy Act in Real Estate? 

Privacy compliance applies to far more real estate agencies than most owners realise. 

At a minimum, your agency must comply with the Privacy Act if:

  • Your agency has an annual turnover of more than $3 million

  • Your agency is required to comply with Anti-Money Laundering (AML) laws

  • Your agency operates or uses a residential tenancy database

Once AML obligations apply, the small business exemption no longer protects you. Identity documents, verification records, and beneficial ownership information are all personal information regulated under the Privacy Act. 

There is also a lesser-known trap.

Many agencies sign contracts with third party providers such as CRMs, tenant checking databases, reference services, marketing platforms, and identity verification tools. TICA is a common example, but it is not the only one. 

These contracts often include clauses where the agency warrants or promises that it complies with the Privacy Act. Even if your turnover is under $3 million, you may have contractually agreed to comply anyway. 

This means agencies can be caught three ways at once: through legislation, through AML obligations, and through contractual promises they may not even remember signing.

How Real Estate Agencies Must Comply in Practice  

Privacy compliance is not just about having documents on a website. 

It is about systems, staff behaviour, and transparency. 

At its core, the Privacy Act requires agencies to:

  • Only collect personal information they actually need

  • Be clear about why it is collected and how it will be used

  • Keep personal information secure

  • Allow individuals to access and correct their information

  • Dispose of information properly when it is no longer required

These obligations are set out in the 13 Australian Privacy Principles.

The 13 Australian Privacy Principles Explained for Real Estate   

APP 1: Open and transparent management of personal information

Agencies must have a clear, up-to-date privacy policy that accurately reflects how personal information is handled in practice.

APP 2: Anonymity and pseudonymity

Where practical, individuals should be able to deal with your agency without identifying themselves. This is limited in real estate, but still relevant for initial enquiries.

APP 3: Collection of solicited personal information

You may only collect personal information that is reasonably necessary for your functions. Collecting extra information “just in case” is not permitted.

APP 4: Dealing with unsolicited personal information

If you receive personal information you did not ask for and do not need, you must decide whether to keep it or destroy it.

APP 5: Notification of collection

At the time of collection, individuals must be told why their information is being collected and how it will be used. This is critical at open homes, inspections, and applications. 

APP 6: Use or disclosure of personal information

Personal information can only be used or disclosed for the purpose it was collected, unless an exception applies.

APP 7: Direct marketing

Marketing communications must comply with strict rules. Opt-out requests must be easy to make and must be honoured.

APP 8: Cross-border disclosure

If information is stored or accessed overseas, including by software providers or virtual assistants, reasonable steps must be taken to ensure privacy protections apply.

APP 9: Government related identifiers

Agencies cannot adopt government identifiers such as licence numbers as their own identifiers.

APP 10: Quality of personal information

Reasonable steps must be taken to ensure personal information is accurate, complete, and up to date.

APP 11: Security of personal information

Agencies must protect personal information from misuse, loss, and unauthorised access, whether held digitally or in hard copy.

APP 12: Access to personal information

Individuals have the right to access their personal information within a reasonable timeframe.

APP 13: Correction of personal information

If information is inaccurate or outdated, agencies must correct it when requested. 

Together, these principles form the backbone of privacy compliance for real estate agencies. 

How Privacy Obligations Catch Agencies in Practice  

Case Study: Under $3 Million Turnover but Still Caught by Privacy Law

A boutique real estate agency operated well under the $3 million turnover threshold and believed privacy compliance did not apply to them. They had a basic privacy policy but had never reviewed it since starting the business. 

The agency became subject to Anti-Money Laundering obligations and began collecting identity documents for verification. They were also using a CRM and a tenant reference checking service as part of their leasing process.

AML obligations automatically triggered Privacy Act compliance. In addition, both third party contracts required the agency to warrant compliance with the Privacy Act. Their privacy policy did not reflect what was being collected, how long information was kept, or how access requests were handled. 

We conducted a privacy audit, updated the agency’s privacy policy and supporting notices, and aligned AML processes with privacy obligations. Staff were trained on what to say at the point of collection and how to manage access requests. 

The agency moved from accidental non-compliance to a clear, documented privacy framework and was able to confidently meet both AML and privacy obligations.

Turnover alone does not determine privacy obligations. AML compliance and contractual promises often pull agencies into the Privacy Act without them realising. 

Case Study: Contractual Promises Create Unexpected Privacy Exposure 

A growing property management agency used several third party platforms including a CRM, cloud document storage, and a tenant checking database such as TICA. Privacy compliance had never been formally reviewed. 

Multiple contracts required the agency to warrant compliance with the Privacy Act. However, their privacy policy was generic and internal practices did not align with the Australian Privacy Principles. 

This created both regulatory risk and contractual exposure if a service provider alleged breach of warranty. 

We reviewed the agency’s contracts, updated their privacy suite to meet Privacy Act requirements, and conducted a practical privacy audit to align systems and staff behaviour with the policy. 

The agency reduced both regulatory and contractual risk and was able to demonstrate compliance if questioned by regulators or providers. 

Many agencies promise Privacy Act compliance through contracts without realising it. If you have signed the promise, you must be able to deliver on it. 

Where Data Breaches Fit into Privacy Compliance 

Privacy compliance does not end with having the right documents. If personal information is lost, accessed without authority, or disclosed incorrectly, agencies may have obligations under the Notifiable Data Breaches scheme. Every suspected breach must be assessed, even if it is not ultimately reportable. 

This is covered in detail in Blog 2 of the Privacy Super Guide series. 

Key Takeaways

  • Privacy compliance applies to more real estate agencies than most owners realise

  • AML obligations and contracts can trigger compliance even under $3 million turnover

  • The Australian Privacy Principles set clear operational rules

  • Privacy policies must match real world practice

  • Privacy audits help identify and fix gaps early

Next Steps

If you are unsure whether your agency must comply with the Privacy Act, or whether your current documents and practices align, now is the time to check.

We help real estate agencies update their privacy suite and conduct practical privacy audits that reduce regulatory and contractual risk.


Frequently Asked Questions (FAQ)

  • Possibly yes. AML obligations, residential tenancy databases, and contractual promises can all trigger compliance.

  • Having privacy documents that do not reflect what happens in practice.

  • Yes. Many contracts require agencies to warrant Privacy Act compliance.

  • No. Policies must be supported by compliant systems and staff behaviour.

  • Yes. Audits identify issues early and allow agencies to fix them before enforcement or complaints arise.


The O*NO Legal Team

O*NO Legal is a team of commercially-minded lawyers who specialise in helping business owners—particularly in real estate and service-based industries—stay compliant, protect their assets, and grow with confidence. Led by Founder Kristen Porter, our team combines deep legal expertise with firsthand business experience. We don’t just interpret the law—we translate it into strategic advice you can actually use. From contracts and employment to privacy, compliance, and M&A, we’re here to simplify the complex and make the law work for you. At O*NO Legal, we’re changing the way business owners experience legal services.


Boring legal stuff: This article is general information only and cannot be regarded as legal, financial or accounting advice as it does not take into account your personal circumstances. For tailored advice, please contact us. PS - congratulations if you have read this far, you must love legal disclaimers or are a sucker for punishment.
