Australia’s Privacy Regulator Takes Aim at In-Person Data Collection Practices in End-of-Year Crackdown

Key Takeaways

  • Privacy Compliance Sweep: The OAIC will launch its first-ever compliance sweep in January 2026 focusing on in-person data collection practices.
  • Sector Focus: Approximately 60 organizations across six sectors, including real estate, pharmacies, licensed venues, car rentals, car dealerships, and pawnbrokers, will have their privacy policies reviewed.
  • Enforcement Powers: Businesses with non-compliant policies may face penalties up to $43,800 (AUD 66,000) under expanded Privacy Act consequences introduced in 2024.
  • Transparency Requirements: The sweep will assess whether privacy policies meet APP 1.4 standards, including clear explanations of how personal information is collected, used, disclosed, and destroyed.
  • Consumer Protection: The initiative aims to address power imbalances during face-to-face data collection and drive stronger, proactive privacy governance before breaches occur.

Deep Dive

Beginning the first week of January, the Office of the Australian Information Commissioner (OAIC) will launch its first compliance sweep examining how everyday businesses handle personal information they request directly from customers. Real estate agents at weekend house tours, pharmacy counters offering paperless receipts, and car rental desks asking for IDs are among the common touch-points now under heightened scrutiny.

The OAIC will review around 60 organizations across six sectors, including rental and property, chemists and pharmacists, licensed venues, car rentals, car dealerships, and pawnbrokers/second-hand dealers, all chosen due to the identity-linked data they routinely gather and the history of breaches affecting these industries.

Privacy Commissioner Carly Kind says that when personal data harvesting happens in person, the power imbalance becomes hard to ignore.

Consumers, she notes, often provide documents or contact details on the spot, with little to no visibility into what happens next, whether their data is shared, stored indefinitely, or used for unrelated marketing.

Kind frames the sweep as an accountability check. Are organizations providing enough transparency for people to make an informed choice, or are Australians effectively flying blind when handing over their most sensitive identifiers?

Higher Stakes After Privacy Act Reform

The crackdown has teeth. Penalties up to $43,800 (AUD 66,000) can apply if companies fail to meet basic privacy policy requirements laid out under Australian Privacy Principle (APP) 1.4, including clearly explaining how personal information is collected, used, disclosed, and destroyed.

Those consequences became possible after Parliament strengthened enforcement powers in 2024, broadening infringement options for privacy fundamentals many businesses have long treated as mere box-ticking.

Raising the Bar Before Breaches Happen

The OAIC says the goal isn’t just to catch laggards but to shift culture. The regulator wants organizations to rethink whether the data they collect in person is genuinely necessary and whether customers are given clear, genuine choice.

Australians are increasingly vocal about wanting more say in how their information is handled. And as the country prepares for a modernized privacy regime, the OAIC is signaling that proactive policing, not just incident response, will be the new norm.

By placing sectors with everyday physical interactions under the microscope, the regulator is betting that stronger privacy foundations can be built long before the next headline-grabbing breach.
