Key takeaways
As announced in late 2025, the Office of the Australian Information Commissioner (OAIC) will this month commence a crackdown on the privacy policies of organisations that collect information in-person. The OAIC has announced it will scrutinise the privacy policies of approximately 60 organisations operating across a number of different sectors to review compliance with APP 1.4. Given the OAIC's recently expanded penalty options, organisations within the scope of the OAIC's review should be aware that:
- This compliance sweep and potential enforcement activity may mark a shift from the OAIC's historical approach focusing on education and conciliation to a more proactive enforcement approach.
- They may need to defend their privacy documentation (particularly privacy policies) and ensure they are compliant with APP 1.3 and APP 1.4.
- They may need to demonstrate that their information handling practices comply with the contents of the relevant privacy policy in relation to collection, use, and disclosure.
- Their privacy policies and practices may be reviewed and subject to additional regulatory scrutiny.
- More broadly, recent amendments to the Privacy Act 1998 (Cth) (Privacy Act) in 2024 introduced new powers for the OAIC in connection with infringements. Non-compliance with the Australian Privacy Principles (APPs) and Privacy Act may expose organisations to penalties including the issue of infringement notices (up to $330,000 for corporations).
Privacy policy compliance sweep
On the 1st of January, the OAIC commenced its targeted reviews of selected privacy policies of organisations that collect information in-person to:
- determine whether they comply with legal transparency obligations under APP 1.3 and APP 1.4 for the management of personal information; and
- ensure they are using the personal information they collect in accordance with their privacy policy.
The OAIC considers that in-person collection may result in consumers not receiving access to information they need to make informed decisions, make them vulnerable to overcollection of personal information, and heighten security and privacy risks.
Privacy policy requirements: APP 1.3 and APP 1.4
Organisations must be transparent with consumers through their privacy policies about how they use the personal information they collect. As part of the OAIC's sweep, selected organisations' privacy policies will be assessed against the requirements of APP 1.4, which outlines what an organisation's privacy policy must include. APP 1.4 requires that privacy policies:

Targeted sectors and technologies
The OAIC will assess the privacy policies of approximately 60 entities from the following sectors where personal information is collected in-person.
| Sectors & Targeted Entities | Targeted Collection¹ |
|---|---|
| Rental and property | Collection of personal information during property inspections, including agents requesting phone numbers of attendees. |
| Chemists and pharmacists | Collection of personal information to provide a paperless receipt and to provide medication, including medical conditions. |
| Licenced venues | Collection of identity information to allow access to a venue, such as the collection of driver licence information to verify age. |
| Car rental companies | Collection of identity documents to enable an individual to enter into a car rental agreement, such as lengthy purchase forms. |
| Car dealerships | Collection of personal information to enable individuals to conduct a vehicle test drive, particularly driver licence information. |
| Pawnbrokers and second-hand dealers | Collection of identity information from individuals who wish to sell or pawn goods, particularly government identifiers. |
Implications of a non-compliant privacy policy
Legislative changes to the Privacy Act were passed by Parliament in late 2024² that expanded the civil penalty regime for breaches of the APPs. The OAIC is now granted authority to issue infringement notices of up to $330,000 for corporations that fail to implement and maintain a current, comprehensive, and easily accessible privacy policy.
The OAIC will consider the following three factors when formulating a value for any infringement notice:
- The size, scale and impact of potential harms and risks raised by the non-compliance;
- The organisation's historical compliance with the APPs;
- Whether the organisation is entrenched or a new market entrant; and
- The impact and degree of the non-compliance.
Critically, the expanded civil penalty regime and uptick in active enforcement suggest a strong shift in the OAIC's regulatory approach from education and conciliation towards more robust and active enforcement.
Urgent steps your organisation needs to take
Organisations must ensure their privacy policy complies with APP 1.3 and APP 1.4 and that their privacy practices are aligned to, and consistent with, their privacy policies. Organisations must ensure they do not collect, use, or disclose information in a way that is not expressly identified in their privacy policy. An example would be disclosing personal information to overseas service providers for the maintenance of systems where that overseas disclosure is not contemplated in, or drafted into, the privacy policy.
Footnotes
2. See section 13K of the Privacy and Other Legislation Amendment Act 2024 (Cth).