The OAIC’s new rules could cost your business $66,000, but they don’t have to – Dynamic Business

Gagan Batra explains why the OAIC’s new compliance action changes everything for Australian businesses that collect face-to-face customer data.

What’s happening: The OAIC, Australia’s privacy regulator, is launching its initial compliance investigation from January 2026. The initiative will scrutinize around 60 entities across six sectors, such as property rental, pharmacies, licensed venues, car rental, dealerships and second-hand dealers.

Why this is important: The sweep tests whether day-to-day operational practices actually match what an organisation’s own privacy policy says. A gap between practice and policy creates regulatory exposure, reputational risk and a loss of customer trust.

Gagan Batra, founder and director of Insighten, understands what many companies are only now realizing: when Australia’s privacy regulator, the OAIC, announced its first-ever compliance review last year, it wasn’t just a warning about documentation. It exposed a much deeper operational problem.

From January 2026, the OAIC will begin reviewing the privacy policies of approximately sixty companies in six high-risk sectors. Real estate agents asking for phone numbers at open houses, car rental companies presenting customers with lengthy forms, licensed venues scanning driver’s licences and pharmacies collecting personal data will all come under scrutiny. What the regulator really tests, according to Batra, is whether what companies write in their privacy policy corresponds to what actually happens in practice.

“This is not simply a test of policy formulation. It is a test of whether organizations can translate policy into practice,” Batra writes. “Personal data collection extends across operations, customer experience, marketing and technology, making it a broader business problem.”

The real operational challenge

For companies that fall within the scope of the sweep, the stakes are considerable. Entities with non-compliant privacy policies may face compliance and breach notices and fines of up to $66,000. But the penalty figures only tell part of the story.

The OAIC’s focus on personal data collection reveals a critical weakness. When customers provide their personal information at a counter or during an inspection, they rarely see a privacy policy. They may not understand what they are agreeing to or how their data will be used. This power imbalance is exactly what Privacy Commissioner Carly Kind cited as the reason for the sweep.

“When consumers are faced with personal requests for personal information from retailers, licensed locations, car rental companies or brokers, they often do not have access to all the information they need to make an informed decision,” Kind said in the OAIC’s official announcement. “This makes them vulnerable to excessive collection of personal information and creates risks to their security and privacy.”

The compliance sweep is the regulator’s way of forcing companies to close the gap between policy and practice.

What sector you are in matters

If your business operates in property rental, pharmacies, licensed venues, car rental, car dealerships or second-hand dealing, January’s sweep will directly affect you. But Batra emphasizes that companies outside these sectors should not ignore the signal. If the OAIC follows in the footsteps of the ACCC, which audited more than 2,000 retail websites by 2025, scrutinizing returns policies and website terms and conditions, we can expect compliance sweeps to become a more regular part of the enforcement strategy.

An important caveat applies specifically to small companies: not all businesses are covered by the Privacy Act. Most small businesses with annual revenue of less than $3 million are not covered unless they operate in specific categories, such as trading in personal information or providing health services. Checking whether your company is actually covered by the Privacy Act is the first crucial step.

Get compliance right

For companies that do fall under the Privacy Act, Batra outlines a clear path to compliance that goes far beyond simply updating a document.

Conduct an audit of how personal information is actually handled. Map where personal data is collected, what information is collected, what consent is sought, and how customer consent preferences are captured and recorded. This will expose the gap between what customers are told and what your systems actually store.

Review the point-of-collection experience. Wherever customers provide their information – at the counter, during inspections, on forms or at registration – they must be able to reasonably understand what they are agreeing to. If your current process does not meet this standard, it needs to change.

Communicate clearly with frontline teams. Employees are often the weak link in compliance. They need to understand both the rules and how to explain consent choices to customers. Inconsistent explanations or informal workarounds quickly undermine both compliance and customer trust. Formal written guidelines ensure consistency across the company.

Align the online and offline experience. This is crucial. Any consent or preference a customer gives in person must be carried through to downstream systems such as CRM and marketing platforms. If your online systems cannot reliably reflect what a customer agreed to in person, the problem extends beyond compliance to customer experience and brand damage.

The shift currently taking place in Australian regulation is significant. Changes to the Privacy Act in 2024 introduced new powers for the OAIC in relation to breaches, marking a move away from the OAIC’s historic approach of education and conciliation towards more proactive enforcement.

Batra’s core message is clear: good governance is not defined by what is written down. It is defined by what is applied consistently. Organizations that view privacy compliance as an operational capability and not just a documentation exercise are the ones most likely to avoid fines and protect customer trust.

January’s compliance sweep isn’t just a regulatory moment. It is a reminder that companies must invest in privacy in 2026.
