60 Firms Face January Privacy Test

The Office of the Australian Information Commissioner (OAIC) has announced it will conduct its first privacy compliance sweep in January, targeting approximately 60 entities across six sectors that collect personal information in person.

The targeted review will scrutinise whether privacy policies comply with Australian Privacy Principle 1.4. Entities with non-compliant policies face infringement notices and penalties up to $A66,000.

The OAIC states the sweep focuses on sectors where power and information asymmetries create vulnerability to overcollection. These include real estate agents, car rental companies, licensed venues, chemists, car dealerships, and pawnbrokers.

"When confronted with in-person requests for their personal information, consumers often don't have access to all the information they might need," Privacy Commissioner Carly Kind said.

The OAIC will assess whether privacy policies clearly communicate how personal information will be collected, used, disclosed and destroyed. The regulator recently updated its APP 1 guidance.

Legislative changes passed by Parliament in 2024 expanded regulatory consequences for breaching foundational Privacy Act requirements. This includes failure to maintain compliant privacy policies.

The regulator will take a risk-based and proportionate approach. Where non-compliance is detected, the OAIC says it will consider its expanded regulatory toolkit when determining responses.

Target Sectors and Selection Criteria

The OAIC selected sectors based on particular privacy risks associated with collecting personal identification documents and previous data breaches within these industries.

Target entities will be identified by size, location, and high-profile status. The OAIC will prioritise high-risk entities, including those previously subject to data breaches.

The sweep addresses growing community concern about lack of choice and control over personal information. "A clear privacy policy is the first building block of better privacy practices," Kind said.

The compliance sweep represents the first use of this regulatory approach.

The OAIC did not specify which 60 entities will be selected or whether organisations will receive advance notice before review.

The announcement does not detail specific APP 1.4 deficiencies the OAIC has observed or provide examples of non-compliant privacy policies.

While the release mentions "power and information asymmetries," it does not quantify the scale of overcollection or cite specific breach statistics for the targeted sectors.

The timing gives organisations approximately three weeks to review compliance before the sweep begins in January's first week.

This enforcement action follows increased global focus on privacy transparency. Australian organisations now face scrutiny similar to that applied to European entities under GDPR enforcement.