Sonia Sharma
Sonia has wide ranging experience advising on technology, cyber, telecommunication and general commercial matters, specialising in cyber and data resilience advice.
View profile
Earlier this week, the Office of the Australian Information Commissioner (OAIC) announced plans to conduct its first-ever privacy compliance sweep commencing in January 2026.
The sweep will target 60 entities across six industry sectors where privacy practices involve ‘in person’ collections of personal information and are therefore considered to have significant “power and information asymmetries.”
The six sectors identified include:
The OAIC has identified these sectors as vulnerable to overcollection, noting that in-person collections of personal information mean that consumers "often don’t have access to all the information they might need to make an informed decision.”
That risk is further amplified by the sensitive nature of the personal information that is often involved, including personal identification documents, and compounded by previous privacy breaches within these industries.
In Australia, many of the selected businesses such as car rental, car dealers and chemists/pharmacists operate under franchise networks, although the OAIC has not made mention of this.
As part of the sweep the OAIC will assess how selected businesses are complying with Australian Privacy Principle 1 (APP 1), especially those requirements set out in APP 1.4. Under APP 1, entities’ privacy policies must clearly set out:
Following recent reforms to the Privacy Act, APP 1 will soon also require disclosure within an entities' privacy policy about automated decisions that significantly affect individuals. Although this new requirement does not take effect until December 2026, we recommend getting on the front foot in relation to these changes. It makes sense to ensure that the new requirements are considered ahead of the deadline as part of any review or update of your existing privacy policy over the course of the next 12 months.
The OAIC has consistently signaled an intent to target compliance across the spectrum in 2026, from high-profile data breaches (e.g. Australian Clinical Labs) and emerging issues such as facial recognition (e.g. Kmart/Bunnings), to basic privacy policy compliance. It is now clear that this will include proactive market scans to ensure entities are meeting their basic requirements under APP 1.4.
This week's announcement represents the beginning of a new era of enforcement for the OAIC implementing the first tranche of the Privacy Act reforms. Following those reforms, some of the OAIC’s new powers include:
The OAIC is now clearly piloting this expanded toolkit which includes the power to issue infringement notices for non-compliance with APP 1.
Often compared to a ‘speeding ticket’, infringement notices are designed to provide an alternative to potential litigation and to encourage timely and cost-efficient enforcement outcomes for relatively minor contraventions of the Privacy Act. The OAIC has the power to issue an infringement notice to a person or entity setting out an alleged contravention, together with a penalty amount to be paid in relation to the breach.
Anyone receiving an infringement notice can choose to pay the penalty amount specified as an alternative to court proceedings.
While this marks the OAIC’s first market compliance sweep, the approach is not unprecedented among Australian regulators. Earlier this year, the ACCC conducted a sweep of more than 2,000 retail websites, scrutinising return policies and website terms and conditions for compliance with Australian Consumer Law. The consequences of non-compliance included warnings, civil penalties, and, in some cases, Federal Court proceedings.
The ACCC frequently uses the market sweep as an enforcement strategy. The roll out of the sweep generally runs after the regulator provides a short window of notice, a recent example of this was the announcement of a market sweep targeting misleading claims ahead of Black Friday sales.
Similarly, we anticipate that the OAIC will draw from its recently expanded regulatory toolkit to address identified non-compliance , with potential consequences including warnings and infringement notices.
For businesses in targeted sectors, now is the time to review your Privacy Policy before year-end to ensure it meets the APP 1.4 requirements.
For the broader market, the January 2026 sweep signals a continued shift toward stronger enforcement and heightened community expectations around privacy and data handling. It is an opportunity to prioritise:
If you are a franchisor, consider also communicating with your franchisee network about this market sweep.
If the OAIC follows in the footsteps of the ACCC, we can expect to see market sweeps to become a more regular feature in its enforcement strategy. This means that businesses need to take a more proactive approach to compliance and regulatory expectations, given limited notice is given before the regulatory ‘broom’ is taken out.
The Maddocks’ Privacy Team offers a comprehensive range of services, from urgent assistance in responding to regulatory action to full compliance reviews. For organisations seeking a streamlined approach, ADAPT by Maddocks provides tools to map data flows and develop tailored privacy policies aligned with your operational practices.
Additional resources are available on the OAIC website, including the APP 1 Guidance which can assist businesses in creating or updating privacy policies to meet compliance requirements.
Please contact one of our Maddocks privacy and data protection experts if you have any questions about OAIC’s privacy sweep.
Sonia has wide ranging experience advising on technology, cyber, telecommunication and general commercial matters, specialising in cyber and data resilience advice.
View profileOoma advises public and private sector clients in information technology, consumer markets and telecommunications sectors, particularly in relation to regulatory compliance and technology.
View profileKeep up to date with our legal insights and events
Sign upThe Commonwealth Government will establish a set of Australian Standards for AI.
The ACCC responds to the growing use and safety issues arising from the use of these products.
OAIC determinations clarify privacy obligations for organisations using tracking pixels.
Targeted changes are now in place for approvals, strategic assessments, information sharing and advisory processes.
Partner
Sydney