Your New Year's Resolution: Review and update your privacy policy ahead of OAIC sweep

Sam Fiddian, Christa Queern
24 Dec 2025

New year, new era of privacy enforcement

The Office of the Australian Information Commissioner (OAIC) has issued a clear warning: the New Year will begin with a “compliance sweep” of privacy policies. Businesses that collect personal information face-to-face – including real estate agents, chemists, car dealerships, and licensed venues – will be under close scrutiny.

Why this matters

The OAIC’s compliance sweep signals the beginning of a new era of enforcement and marks the regulator’s first sector-specific review of privacy policies, supported by its expanded enforcement powers.

Under the Australian Privacy Principles (APPs), businesses must maintain a compliant privacy policy that clearly explains how personal information is collected, used, stored, and disclosed. Non-compliance can result in penalties of up to $66,000 per infringement, with repeat or serious breaches attracting substantial civil penalties.

Organisations that collect personal information in person – such as car dealerships scanning licences for test drives, chemists verifying identity for medication, or real estate agents checking identification at home inspections – should especially be mindful of the OAIC’s upcoming sweep.

However, even for organisations not targeted by the January sweep, the OAIC's action is a timely reminder of the need to regularly review and update privacy policies to ensure they continue to meet current standards and reflect your organisation's current personal information practices.

New Year, new privacy policy resolutions

As we enter 2026, prioritising a robust and compliant privacy policy should be a focus for your organisation.

Here are five resolutions to ensure your privacy policy meets OAIC requirements:

1. Keep your policy relevant

In 2026, your privacy policy should remain accurate and up to date, and should continue to evolve at the same pace as your business.

If your organisation has recently adopted new technologies or processes – such as AI chatbots, digital ID collection, biometric systems, or machine-learning tools – the privacy policy should be reviewed to make sure it covers these new technologies or processes.

2. Be clear and transparent

Privacy policies that are overly complex and legalistic run the risk of being found to be non-compliant.

The OAIC is prioritising clear and accessible policies. If your organisation’s privacy policy is difficult to understand, or has become cumbersome through the addition of new processes and collections over time, the New Year is a perfect time for a refresh to ensure it strikes the right balance between clarity and comprehensiveness.

3. Map the data journey

Understanding how personal information moves through your organisation will continue to be critical in 2026.

For each type of personal information your organisation handles, you should map its journey – from collection to use, disclosure, storage, and security – and ensure this journey is clearly outlined in your privacy policy.

4. Collect only what you need

The Privacy Commissioner's focus for this first “compliance sweep” has been driven by a perceived vulnerability to the overcollection of personal information. Undertaking a review of your privacy policy is a great platform for you to challenge previously formed views about whether your organisation truly needs each item of personal information collected. Those that it can do without should not be collected, and in fact present an unnecessary risk in the event that the personal information is exposed in a data breach.

5. Going global?

For many organisations, the move to storing and disclosing more personal information overseas will continue in 2026.

If your organisation engages with cloud platforms, international service providers, or overseas related entities, and such engagement involves personal information, your privacy policy should be updated to specify the countries involved and the types of data disclosed or stored overseas.

2026 and beyond

The OAIC’s sector-based compliance sweep is unlikely to be a one-off. Organisations across other industries should prepare for increased regulatory action, stricter enforcement, and public scrutiny of non-compliance. In an environment where consumer trust is paramount, privacy missteps can lead to significant reputational and financial damage.

Regardless of how your organisation collects personal information, a compliant, accessible, and up-to-date privacy policy should be prioritised. Taking action now will ensure your organisation is prepared for regulatory scrutiny in 2026 and beyond.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.