A New Broom for the New Year: The Office of the Australian Privacy Commissioner’s First Ever Compliance Sweep is happening in January 2026

Australia’s federal privacy regulator, the Office of the Australian Information Commissioner (OAIC), will be undertaking its first ever compliance sweep. This sweep will assess whether businesses’ privacy policies are sufficiently transparent about how they handle personal information collected from individuals in face-to-face settings.

Why is the OAIC doing this?

As noted by the Privacy Commissioner: “When confronted with in-person requests for their personal information from retailers, licenced venues, car hire companies or real estate agents, consumers often don’t have access to all the information they might need to make an informed decision….This makes them vulnerable to overcollection of personal information and creates risks to their security and privacy.”

Targeted Sectors

The Commissioner has confirmed that the sweep will target businesses in the following sectors. As noted above, the sweep will assess how transparent they are in their privacy policies about how they handle personal information collected face-to-face.

  1. Rental and property – contact details collected at property inspections
  2. Chemists and pharmacists – personal information in paperless receipts and identity information collected before supplying medication
  3. Licenced venues – identity information collected as a condition of access (e.g. age)
  4. Car rental companies – identity information and other personal information collected from individuals entering into car rental agreements
  5. Car dealerships – personal information collected from individuals wishing to have a test drive
  6. Pawnbrokers and second-hand dealers – collection of identity information from individuals who wish to sell or pawn goods

Will your number come up?

60 entities will be subject to review and will be selected based on factors such as size, location, and risk profile, including those previously affected by data breaches.

Regulatory Risks

Quite apart from being reviewed by the OAIC, you should always be mindful about complying with Australian Privacy Principle 1, which requires you to manage personal information in an open and transparent way.

The Australian federal Privacy Act provides for significant regulatory consequences for certain infringements, including the failure to have a privacy policy that contains the required information.

Entities that are found to have a non-compliant privacy policy face:

  1. Compliance notices
  2. Infringement notices
  3. Penalties of up to A$66,000

To avoid regulatory consequences, you must ensure that your privacy policy is compliant with the Australian Privacy Principles and the Australian federal Privacy Act.

For more information, here is the link to the OAIC’s Media Release of 9 December 2025

Queries

If you have any questions about this article, please get in touch with the author or any member of our Fintech, Privacy & Emerging Technologies team.

Disclaimer

This information is general in nature. It is intended to express the state of affairs as of the date of publication. It does not constitute legal or financial advice. If you are concerned about any topic covered, we recommend that you seek your own specific legal and financial advice before taking any action.