OAIC to exercise new powers in a compliance sweep scheduled for January 2026
The OAIC last week announced that it will undertake its first-ever compliance sweep by conducting a targeted review of approximately 60 businesses’ privacy policies.
As outlined in the announcement, the sweep will begin in the first week of January and will scrutinise the privacy policies of businesses that collect personal information in person, including real estate agents, chemists, licensed venues, car rental companies, car dealerships, and pawnbrokers and second-hand dealers.
Changes to the Privacy Act (“Tranche 1”), which passed the Parliament in late 2024, gave the OAIC the power to issue compliance notices to encourage organisations to remedy a breach, as well as infringement notices of up to $66,000 for administrative breaches, including non-compliant privacy policies.
The OAIC will target ‘high profile and high-risk’ entities within the targeted sectors to ensure they meet the requirements of APP 1.4, which sets out what a privacy policy has to include. The OAIC’s recent guidance on this is available here.
How marketers should prepare
While the sweep is focused on privacy policies, the implications go well beyond a document review. Marketers should use this moment to assess their consent, collection and data governance practices and ensure they are being sufficiently transparent with their customers.
Key actions to prioritise now:
- Get clear on consent requirements – Ensure the consent you hold from your customers is current, clear (unambiguous), informed and sufficiently specific (e.g. unbundled), particularly where personal information is collected in person and later used for marketing or profiling.
- Review privacy policies and data practices together – Your policy must accurately reflect what you actually do. Inconsistencies between documented commitments and real-world practices are an enforcement risk.
- Minimise what you collect – Collect only what you need, for a clearly defined purpose. Excessive or “just in case” data collection increases risk without adding value.
- Delete what you no longer need – Legacy data is a liability. Regularly review retention periods and actively dispose of personal information that no longer serves a lawful purpose.
In a tightening regulatory environment, strong data hygiene isn’t optional – it’s a strategic advantage. Reducing regulatory exposure, strengthening customer trust and enabling more responsible, effective marketing will make your brand more resilient today and more competitive tomorrow.
Want to sharpen your privacy and compliance skills?
Check out our regulatory course offering with a range of options to suit your needs. From our online short courses to our more comprehensive Privacy and Compliance for Marketers course, ADMA has your regulatory upskilling needs sorted.