OAIC's crackdown on privacy policies – what you need to know
23 February 2026
OAIC announcement
Is your privacy policy up to scratch? On 9 December 2025, the Australian privacy regulator, the Office of the Australian Information Commissioner (OAIC), announced it ‘will start 2026 with its first-ever compliance sweep’[1] of privacy policies, reviewing the policies of approximately 60 businesses. The OAIC will review each business for compliance with its obligations under Australian Privacy Principle (APP) 1.4, which sets out the information that must be contained in a privacy policy. The OAIC has said it will focus specifically on businesses that collect information in person, and in particular will target certain sectors.
Targeted sectors
The OAIC will focus on six sectors because it has identified that they pose ‘particular privacy risks associated with collection of personal information.’[2] The OAIC has listed the following sectors:
- Rental and property – collection of individuals’ personal information during property inspections.
- Chemists and pharmacists – collection of personal information for the purpose of providing a paperless receipt and collection of identity information to provide medication.
- Licensed venues – collection of identity information to enable individuals to access a venue.
- Car rental companies – collection of identity and other personal information to enable an individual to enter into a car rental agreement.
- Car dealerships – collection of personal information to enable an individual to conduct a vehicle test drive.
- Pawnbrokers and second-hand dealers – collection of identity information from individuals who wish to sell or pawn goods.[3]
What is required in a privacy policy?
Every privacy policy will be different, and will depend upon a range of factors, including but not limited to the type of information the business collects, the types of customers it has (and what personal information it holds), and how it uses and processes personal information. Although the content of policies will differ, every privacy policy must contain the information set out in APP 1.4 of the Privacy Act 1988 (Cth) (Privacy Act).
We set out in the table below the required content under APP 1.4 and the OAIC’s guidance.

Enforcement action
If a business bound by the Privacy Act fails to include the required information in its privacy policy, it would be in contravention of s 13K(1) of the Privacy Act. The first tranche of amendments to the Privacy Act, passed in late 2024, broadened the OAIC’s regulatory enforcement powers, and it can now issue infringement notices of up to $330,000 (1,000 penalty units). If the OAIC finds that an entity has contravened APP 1.4, for example by not including information on how an individual can make a complaint, it could issue an infringement notice.
Thinking ahead - automated decision
From 10 December 2026, a business is required to include in its privacy policy details about when it uses automated decision-making. Specifically, this requirement applies if:
- the business has arranged for a computer program to make, or do a thing that is substantially and directly related to making, a decision, and
- the decision could reasonably be expected to significantly affect the rights or interests of an individual, and
- personal information about the individual is used in the operation of the computer program to make the decision or do the thing that is substantially and directly related to making the decision.[4]
If a business uses automated decision-making, it must disclose the following in its privacy policy:
- the kinds of personal information used in the operation of such computer programs, and
- the kinds of such decisions made solely by the operation of such computer programs, and
- the kinds of such decisions for which a thing, that is substantially and directly related to making the decision, is done by the operation of such computer programs.[5]
The OAIC will provide further detailed guidance about the new requirement to include information about automated decision-making processes. Before the requirement becomes enforceable, any business using any form of automated decision-making should review and consider how to address this in its privacy policy.
[1] OAIC, ‘Privacy compliance sweep to put privacy policies under the spotlight’ (Media Release, 9 December 2025).
[2] Ibid.
[3] Ibid.
[4] APP 1.7 Privacy and Other Legislation Amendment Act 2024 (Cth).
[5] APP 1.8 Privacy and Other Legislation Amendment Act 2024 (Cth).

