Australia’s Privacy Regulator Is No Longer Just Advising — It’s Enforcing
Why Every Business Should Review Its Privacy Policy Now
For years, privacy compliance in Australia has been treated by many businesses as a “later problem” — something to tidy up once growth slows or reforms finally land. That grace period is ending.
From January 2026, the Office of the Australian Information Commissioner (OAIC) has confirmed it will begin its first formal compliance sweep of privacy policies, signalling a decisive move away from education and guidance and towards active enforcement under the Privacy Act 1998 (Cth).
While the next tranche of Privacy Act reforms is still expected in early 2026, the message from the regulator is already very clear:
businesses must comply with the law as it exists today — not the law that may arrive tomorrow.
What Is the OAIC Doing?
The OAIC has announced it will review the privacy policies of approximately 60 organisations operating across selected industries that collect personal information in person.
This is not a consultation exercise.
It is a targeted compliance review focused on whether businesses are meeting their existing obligations under Australian Privacy Principle (APP) 1.4.
In practical terms, the OAIC will be asking a simple question:
“Does your publicly available privacy policy accurately and lawfully reflect how your business actually collects, uses, stores and discloses personal information?”
If the answer is “no”, enforcement action may follow.
Why This Matters (Even If You’re Not Targeted)
This sweep follows the 2024 amendments to the Privacy Act, which significantly expanded the OAIC’s enforcement powers — including the ability to issue infringement notices for administrative and technical breaches.
That shift matters.
Historically, privacy compliance failures often resulted in guidance or requests to improve. Now, penalties can apply even where harm is minimal, simply because the law has not been followed.
Importantly, privacy policies are:
Publicly accessible
Often the first document reviewed by regulators
Routinely compared against actual business practices
In other words, they are the lowest-hanging fruit in any investigation.
Which Industries Are Being Reviewed?
The OAIC has identified six sectors where in-person data collection creates a higher risk of over-collection and poor consumer understanding:
Rental and property services (e.g. inspections and applications)
Chemists and pharmacists
Licensed venues
Car rental companies
Car dealerships (including test drives)
Pawnbrokers and second-hand dealers
The OAIC has noted that when personal information is requested face-to-face, individuals often lack the time or context to fully understand how their data will be used — increasing the risk of non-compliance.
That said, this is not a “safe list” for everyone else. The regulator has made it clear that this sweep is a signal to the entire market.
What Does APP 1.4 Actually Require?
Under APP 1.4, every organisation required to have a privacy policy must ensure it clearly and accurately sets out:
The types of personal information collected and held
How that information is collected and stored
Why the information is collected, used and disclosed
How individuals can access and correct their information
How complaints can be made — and how they will be handled
Whether information is disclosed overseas, and where practicable, which countries
Critically, it is not enough to include this information generically.
Your privacy policy must match your real-world practices.
If your business collects data in a way your policy does not describe — or your policy describes protections you do not actually apply — you may already be non-compliant.
Automated Decision-Making and AI: The Next Layer of Risk
From December 2026, APP 1.7 will require businesses to disclose how personal information is used in automated decision-making systems that significantly affect individuals.
This includes certain uses of:
Artificial intelligence
Algorithmic profiling
Automated eligibility or approval systems
Businesses that are experimenting with AI tools — often without formal governance — should already be assessing whether those tools trigger disclosure obligations.
Privacy compliance is no longer static. It is becoming operational.
What Are the Penalties?
For privacy policy non-compliance alone, the OAIC can issue infringement notices of up to $66,000 per breach.
More serious or repeated failures may attract substantially higher civil penalties under the Privacy Act’s tiered enforcement regime.
Just as importantly, enforcement action creates:
Reputational risk
Consumer trust issues
Contractual and commercial fallout
All of which typically cost far more than getting the policy right in the first place.
The Takeaway: This Is Your Warning Bell
The OAIC is not waiting for the next legislative reforms to begin enforcement.
It is enforcing the law as it stands now.
Whether or not your business collects information in person, this compliance sweep is a clear signal that privacy policies are no longer treated as “set and forget” documents.
They must be:
Accurate
Current
Operationally aligned
Legally compliant
How Connected Legal and Commercial Can Help
At Connected Legal and Commercial, we advise businesses across Australia on:
Privacy policy drafting and reviews
Privacy Act and APP compliance
Data handling and governance frameworks
AI and automated decision-making risk
Practical, commercially grounded privacy advice
We focus on how your business actually operates, not just what looks good on paper — because that is exactly how regulators assess compliance.
If you are unsure whether your privacy policy reflects your real practices, now is the time to find out.
📩 Contact Connected Legal and Commercial
📞 1300 804 195
Privacy compliance isn’t optional — and it’s no longer theoretical.
DISCLAIMER
The content given herein is provided for information purposes only. It is general in nature and does not constitute legal advice and should not be used as such. Formal legal advice should be sought in particular matters.
Connected Legal + Commercial does not accept any liability to any person for the information (or use of such information) which is provided herein or incorporated into it by reference.
The information is provided in good faith on the basis that all persons accessing the content undertake responsibility for assessing its relevance and accuracy and will seek appropriate formal legal advice accordingly.