What is the OAIC privacy compliance sweep?
Australia’s privacy regulator launched its first-ever compliance sweep in January 2026. The Office of the Australian Information Commissioner (OAIC) conducted a targeted review of approximately 60 businesses across six sectors, scrutinising their privacy policies for compliance with the Privacy Act 1988.
The sweep focused on businesses that collect personal information in person, such as real estate agents taking details at open houses, car rental agencies, licensed venues checking IDs, pharmacies, and car dealerships.
Businesses found to have non-compliant privacy policies face compliance notices, infringement notices, and penalties of up to $66,000. That figure is not the ceiling: serious or repeated breaches can attract substantially higher civil penalties under the Privacy Act.
TL;DR
- Australia’s privacy regulator (OAIC) launched its first-ever compliance sweep in January 2026, targeting businesses that collect personal information in person.
- Non-compliant businesses face penalties of up to $66,000 per infringement.
- From 1 July 2026, more than 100,000 small businesses will come under the Privacy Act for the first time due to AML Tranche 2 expanding the definition of regulated entities.
- Cyber and Privacy Liability insurance is the primary coverage for privacy breach costs and most SME policies have gaps.
- The OAIC has signalled a shift from guidance to active enforcement. The sweep is not a warning; it is the new normal.
Why is this happening now?
Two factors have converged:
1. The Privacy and Other Legislation Amendment Act 2024 expanded the OAIC’s enforcement powers. The Commissioner can now issue infringement notices and investigate potential breaches more easily, including without a formal complaint.
2. AML Tranche 2 (effective 1 July 2026) brings approximately 100,000 small businesses under the Privacy Act for the first time. These businesses (accountants, lawyers, real estate agents, conveyancers and similar professions) lose the small business exemption, previously available to businesses with annual turnover under $3M, once they become reporting entities under the AML/CTF Act.
The OAIC’s sweep is part of a deliberate signal: the era of voluntary compliance guidance is over. Active enforcement has begun.
Whether you need a cyber and privacy liability review or want to talk through your exposure before 1 July — book a free call with the Pocket team →
Which businesses are most at risk?
| Sector targeted in 2026 sweep | Privacy risk at issue |
|---|---|
| Rental and property (real estate agents) | Collecting personal details at open inspections |
| Chemists and pharmacists | Identity and medication information |
| Licensed venues | ID collection at entry |
| Car rental companies | Identity, licence, and payment details |
| Car dealerships | Personal information for test drives |
| Pawnbrokers and second-hand dealers | Identity verification for transactions |
Source: OAIC — Privacy compliance sweep announcement
Even if your business wasn’t in the sweep’s initial cohort, the implications extend far beyond these six sectors. Any business that collects personal information, which is most businesses, should treat this as a signal to review their practices.
What do the new Privacy Act rules actually require?
Under Australian Privacy Principle (APP) 1.4, your privacy policy must clearly set out:
- What kinds of personal information you collect and hold
- How you collect and hold that information
- The purposes for which you collect, hold, use, and disclose it
- How individuals can access and correct their information
- How individuals can complain about a breach of the APPs, and how you will deal with a complaint
- Whether you are likely to disclose personal information to overseas recipients and, if so, in which countries
Under APP 5.1, you must notify individuals of key details about the collection of their information at or before the time of collection (or, if that is not practicable, as soon as practicable afterwards). If you’re handing someone a form, asking for an email address, or scanning a driver’s licence, that notification needs to happen in that moment, not just in a policy buried on your website.
What is the insurance angle?
Privacy breaches create two types of costs:
1. Regulatory costs: fines, infringement notices, compliance investigations, legal response costs
2. Third-party costs: claims from individuals whose data was mishandled, notification costs, credit monitoring, reputational damage
Standard Business Pack insurance does not cover these. Cyber insurance that includes a privacy liability section is what you need.
| Cost type | Covered by standard Business Pack? | Covered by Cyber + Privacy Liability? |
|---|---|---|
| OAIC investigation response | No | Yes (typically) |
| Legal fees to respond to complaint | No | Yes (typically) |
| Infringement notice / fine | No | Some policies (check exclusions) |
| Third-party claims from individuals | No | Yes (subject to policy terms) |
| Notification costs after breach | No | Yes (typically) |
| Reputational damage / PR response | No | Yes (some policies) |
The 100,000 business gap: From 1 July 2026, over 100,000 small businesses will be subject to the Privacy Act for the first time due to AML Tranche 2. Most of these businesses (small law firms, accounting practices, real estate agencies) do not currently carry Cyber and Privacy Liability cover. That is a significant uninsured exposure landing on 1 July.
Source: Helios Salinger, Privacy Reforms Impact Small Businesses, 2026
What should you do now?
Before 1 July 2026:
- Review your privacy policy against the OAIC’s updated APP 1 guidance
- Check your in-person data collection practices. What are you asking for, and what notice are you giving?
- Confirm whether AML Tranche 2 brings your business under the Privacy Act for the first time
- Talk to your broker about whether you have Cyber + Privacy Liability cover and whether the limit is adequate
Questions to ask your broker:
- Does my current Cyber policy include a privacy liability section?
- Does it cover regulatory investigation costs (OAIC response)?
- What is the per-claim limit for privacy breach notifications?
- Does it cover third-party claims from individuals?
Frequently asked questions
1. What is the OAIC privacy compliance sweep?
The OAIC conducted Australia’s first privacy compliance sweep in January 2026, reviewing approximately 60 businesses across six sectors that collect personal information in person. Businesses with non-compliant privacy policies face penalties up to $66,000 per infringement under expanded OAIC enforcement powers.
2. Who does the Privacy Act apply to?
Currently, the Privacy Act applies to Australian Government agencies and private sector organisations with annual turnover over $3 million, plus some others (including health service providers regardless of size). From 1 July 2026, over 100,000 additional small businesses will become subject to the Privacy Act when they become regulated under AML Tranche 2.
3. What is APP 1.4?
APP 1.4 is the Australian Privacy Principle that requires businesses to maintain a clearly expressed, up-to-date privacy policy. It must set out what information is collected, how it is used and disclosed, and how individuals can access and correct their information. The OAIC’s 2026 sweep assessed compliance with APP 1.4.
4. What is the penalty for a non-compliant privacy policy?
Penalties of up to $66,000 per infringement can be issued by the OAIC under its expanded enforcement powers. More serious breaches can attract higher civil penalties under the Privacy Act.
5. What insurance covers privacy breaches?
Cyber Insurance with Privacy Liability coverage is the purpose-built cover for privacy breach costs. Standard Business Pack policies do not cover regulatory investigation costs, third-party privacy claims, or notification expenses. Ask your broker whether your current Cyber policy includes privacy liability cover.
6. Does my business need to comply with the Privacy Act if I’m under $3M turnover?
Currently, most businesses under $3M turnover are exempt. However, from 1 July 2026, this exemption will be removed for businesses that become regulated under AML Tranche 2 — including many accountants, lawyers, conveyancers, and real estate agents, regardless of size.
7. What is the statutory tort for serious invasions of privacy?
The Privacy and Other Legislation Amendment Act 2024 introduced a statutory tort for serious invasions of privacy, which commenced in June 2025. It enables individuals to sue businesses directly for serious invasions of their privacy. This is separate from OAIC enforcement and creates additional third-party liability exposure for businesses.
8. What should my privacy policy include?
Under APP 1.4, your privacy policy must include: what personal information you collect and hold, how you collect it, how you use and disclose it, how to access or correct information you hold, how to make a complaint, and whether you disclose information overseas. The OAIC has published updated APP 1 guidance.
9. How does the OAIC’s sweep affect real estate agents specifically?
Real estate agents who collect personal details at open inspections were directly targeted in the 2026 sweep. From 1 July 2026, they will also become regulated under AML Tranche 2, bringing them under the Privacy Act regardless of turnover. Real estate agents should review both their privacy policy and their AML/CTF program simultaneously.
10. What is the difference between a privacy breach and a cyber incident?
A cyber incident typically involves external attack (hacking, ransomware, phishing) leading to data exposure. A privacy breach is broader — it includes any mishandling of personal information, including internal errors, improper disclosure, or failure to comply with collection requirements. A well-structured Cyber with Privacy Liability policy is designed to respond to both — but coverage for privacy breaches specifically depends on whether your policy includes a privacy liability section and how it defines a covered event. This is worth confirming with your broker.
Privacy risk is real and it's insurable
The OAIC’s new enforcement posture means privacy compliance is no longer optional. Pocket can review your Cyber and Privacy Liability cover, check for gaps, and make sure you’re protected before the 1 July deadline changes the landscape entirely.
Book a free call with the Pocket team →
This article is general in nature and does not constitute legal advice. For Privacy Act compliance advice, consult a qualified privacy lawyer. Sources: OAIC (oaic.gov.au), Russell Kennedy Lawyers, MinterEllison, Helios Salinger.
Pocket is a licensed Australian insurance broker (AFSL 491165) and member of NIBA. Part of the Steadfast Group — Australia’s largest broker network. We help small and growing businesses get the right cover without the jargon. Start smart. Scale strong. Stay protected.