Legal Insights

A clean sweep: the OAIC’s New Year plans for Privacy Policy compliance checks

By
• 10 December 2025 • 7 min read

Earlier this week, the Office of the Australian Information Commissioner (OAIC) announced plans to conduct its first-ever privacy compliance sweep commencing in January 2026

The sweep will target 60 entities across six industry sectors where privacy practices involve ‘in person’ collections of personal information and are therefore considered to have significant “power and information asymmetries.”

The six sectors identified include:

  1. rental and property – collection of individuals’ personal information during property inspections;
  2. chemists and pharmacists – collection of personal information for the purpose of providing a paperless receipt and collection of identity information to provide medication;
  3. licensed venues – collection of identity information to enable individuals to access a venue;
  4. car rental companies – collection of identity and other personal information to enable an individual to enter into a car rental agreement.
  5. car dealerships – collection of personal information to enable an individual to conduct a vehicle test drive; and
  6. pawnbrokers and second-hand dealers – collection of identity information from individuals who wish to sell or pawn goods.

Why are these sectors being targeted?

The OAIC has identified these sectors as vulnerable to overcollection, noting that in-person collections of personal information mean that consumers "often don’t have access to all the information they might need to make an informed decision.”

That risk is further amplified by the sensitive nature of the personal information that is often involved, including personal identification documents, and compounded by previous privacy breaches within these industries.

In Australia, many of the selected businesses such as car rental, car dealers and chemists/pharmacists operate under franchise networks, although the OAIC has not made mention of this.

APP 1.4 - Privacy Policy requirements 

As part of the sweep the OAIC will assess how selected businesses are complying with Australian Privacy Principle 1 (APP 1), especially those requirements set out in APP 1.4. Under APP 1,  entities’ privacy policies must clearly set out:

  1. the kinds of personal information that the entity collects and holds;
  2. how the entity collects and holds personal information;
  3. the purposes for which the entity collects, holds, uses and discloses personal information;
  4. how an individual may access personal information about themselves that is held by the entity and seek the correction of such information;
  5. how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
  6. whether the entity is likely to disclose personal information to overseas recipients; and
  7. if the entity is likely to disclose personal information to overseas recipients – the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

Following recent reforms to the Privacy Act, APP 1 will soon also require disclosure within an entities' privacy policy about automated decisions that significantly affect individuals. Although this new requirement does not take effect until December 2026, we recommend getting on the front foot in relation to these changes. It makes sense to ensure that the new requirements are considered ahead of the deadline as part of any review or update of your existing privacy policy over the course of the next 12 months.

The OAIC enforcement posture in 2026 

The OAIC has consistently signaled an intent to target compliance across the spectrum in 2026, from high-profile data breaches (e.g. Australian Clinical Labs) and emerging issues such as facial recognition (e.g. Kmart/Bunnings), to basic privacy policy compliance. It is now clear that this will include proactive market scans to ensure entities are meeting their basic requirements under APP 1.4.

This week's announcement represents the beginning of a new era of enforcement for the OAIC implementing the first tranche of the Privacy Act reforms. Following those reforms, some of the OAIC’s new powers include:

  1. civil penalties for privacy interferences that do not meet the ‘seriousness’ threshold under section 13G of the Act;
  2. infringement notices for breaches of the Act, including the APPs; and
  3. expanded entry, search and seizure powers to strengthen enforcement capability.

The OAIC is now clearly piloting this expanded toolkit which includes the power to issue infringement notices for non-compliance with APP 1. 

Often compared to a ‘speeding ticket’, infringement notices are designed to provide an alternative to potential litigation and to encourage timely and cost-efficient enforcement outcomes for relatively minor contraventions of the Privacy Act. The OAIC has the power to issue an infringement notice to a person or entity setting out an alleged contravention, together with a penalty amount to be paid in relation to the breach. 

Anyone receiving an infringement notice can choose to pay the penalty amount specified as an alternative to court proceedings. 

Old regulator, new methods 

While this marks the OAIC’s first market compliance sweep, the approach is not unprecedented among Australian regulators. Earlier this year, the ACCC conducted a sweep of more than 2,000 retail websites, scrutinising return policies and website terms and conditions for compliance with Australian Consumer Law. The consequences of non-compliance included warnings, civil penalties, and, in some cases, Federal Court proceedings.

The ACCC frequently uses the market sweep as an enforcement strategy. The roll out of the sweep generally runs after the regulator provides a short window of notice, a recent example of this was the announcement of a market sweep targeting misleading claims ahead of Black Friday sales. 

Similarly, we anticipate that the OAIC will draw from its recently expanded regulatory toolkit to address identified non-compliance , with potential consequences including warnings and infringement notices.

Key takeaways 

For businesses in targeted sectors, now is the time to review your Privacy Policy before year-end to ensure it meets the APP 1.4 requirements.

For the broader market, the January 2026 sweep signals a continued shift toward stronger enforcement and heightened community expectations around privacy and data handling. It is an opportunity to prioritise:

  1. mapping your current data flows and information handling practices – understanding what data you collect and why;
  2. ensuring your Privacy Policy reflects what your organisation actually does – alignment to ensure transparency and accuracy;
  3. embedding proactive measures – conducting Privacy Impact Assessments (PIAs), Data Breach Response Plans, and regular reviews to keep your Privacy Policy current;
  4. investing in staff training and awareness – reinforcing that privacy is everyone’s responsibility; and
  5. conducting a general privacy compliance health check in light of the recent reforms – and developing a clear roadmap for steps you will be taking towards a mature compliance posture.

If you are a franchisor, consider also communicating with your franchisee network about this market sweep.

If the OAIC follows in the footsteps of the ACCC, we can expect to see market sweeps to become a more regular feature in its enforcement strategy. This means that businesses need to take a more proactive approach to compliance and regulatory expectations, given limited notice is given before the regulatory ‘broom’ is taken out.
 


The Maddocks’ Privacy Team offers a comprehensive range of services, from urgent assistance in responding to regulatory action to full compliance reviews. For organisations seeking a streamlined approach, ADAPT by Maddocks provides tools to map data flows and develop tailored privacy policies aligned with your operational practices.

Additional resources are available on the OAIC website, including the APP 1 Guidance which can assist businesses in creating or updating privacy policies to meet compliance requirements.

Please contact one of our Maddocks privacy and data protection experts if you have any questions about OAIC’s privacy sweep.

Sonia Sharma

Sonia has wide ranging experience advising on technology, cyber, telecommunication and general commercial matters, specialising in cyber and data resilience advice.

View profile

Ooma Khurana

Ooma advises public and private sector clients in information technology, consumer markets and telecommunications sectors, particularly in relation to regulatory compliance and technology.

View profile
By

Recent articles

Online Access