In recent years, CHOICE has conducted several investigations that focused on the far-reaching permissions privacy policies give the businesses that write them
In 2023, we reported on the privacy policies of rental platforms, and last year we analysed the privacy policies of Australia’s ten most popular car brands
This month, the Office of the Australian Privacy Commissioner begins its first full-scale privacy policy review, focusing on information demanded by businesses in person
Very few of us read the privacy policies we passively consent to when engaging with a service provider. Fewer still would understand what these privacy policies actually say.
In recent years, CHOICE has conducted several investigations that focused on the far-reaching permissions these documents give the businesses we regularly interact with.
The conclusion? These RentTech platforms collected information that went well beyond what’s needed to assess a tenant’s ability to pay the rent. The questions often seemed designed to grab as much data as possible from people who had no choice but to provide it.
In 2024, we analysed the privacy policies of Australia’s ten most popular car brands to see how the vehicles monitored and tracked their drivers. Here again we found that the harvesting of personal driver information was often excessive, and the rights the manufacturers gave themselves to share the data with third-parties were both far-reaching and vague.
The ACCC has estimated that it would take the average Australian 46 hours to read all the privacy policies they encountered in a month, the average length of which is about 6876 words.
The ACCC has estimated that it would take the average Australian 46 hours to read all the privacy policies they encountered in a month
All of this makes the Office of the Australian Information Commissioner’s (OAIC) recent announcement that it will begin its first large-scale review of privacy policies in early January 2026 more timely than ever.
The Privacy Act requires privacy policies to contain certain details, such as what information is collected, why it’s needed, how it’s used, and how it can be corrected if necessary.
An update to the Act in 2024 means businesses will also be required (as of 10 December 2026) to specify in their privacy policies whether a computer program will be using your personal information to make decisions that could go against you, such as when an application for a rental home is rejected.
The privacy policy sweep is … focusing on information demanded by businesses in person, such as when a real estate agent asks you for personal details when you’re inspecting a rental property or a car rental company presents you with a lengthy form before handing you the keys
In addition, the 2024 update gave the OAIC the power to issue infringement notices for Privacy Act violations without going to court. And it gives individuals the right to seek legal redress and financial compensation in certain cases for invasions of privacy or misuse of their personal information.
The OAIC’s privacy policy sweep is taking a different approach than our investigations of online privacy documents. It will occur in the real world, focusing on information demanded by businesses in person, such as when a real estate agent asks you for personal details when you’re inspecting a rental property or a car rental company presents you with a lengthy form before handing you the keys. The privacy policies of such businesses must include the above-mentioned information.
Not having the right information in a privacy policy – or not having a privacy policy at all – could lead to fines from the OAIC of up to $66,000.
The privacy policy sweep will focus on sectors where the OAIC believes there are particular power imbalances – also known as information asymmetries – between the business in question and the customers being asked to provide the information.
When confronted with in-person requests for their personal information … consumers often don’t have access to all the information they might need to make an informed decision
Privacy Commissioner Carly Kind
“When confronted with in-person requests for their personal information from retailers, licensed venues, car hire companies or real estate agents, consumers often don’t have access to all the information they might need to make an informed decision,” says Privacy Commissioner Carly Kind.
“This makes them vulnerable to overcollection of personal information and creates risks to their security and privacy.”
The OAIC says it will review the privacy policies of around 60 businesses from the following six sectors, with a particular focus in each case.
Rental and property – collection of individuals’ personal information during property inspections.
Chemists and pharmacists – collection of personal information for the purpose of providing a paperless receipt and collection of identity information to provide medication.
Licenced venues – collection of identity information to enable individuals to access a venue.
Car rental companies – collection of identity and other personal information to enable an individual to enter into a car rental agreement.
Car dealerships – collection of personal information to enable an individual to conduct a vehicle test drive.
Pawnbrokers and second-hand dealers – collection of identity information from individuals who wish to sell or pawn goods.
In the OAIC’s view, a business’s explanation of how it will use personal information should be open and transparent.
“The Australian community is increasingly concerned about the lack of choice and control they have with respect to their personal information,” Kind says.
“The first building block of better privacy practices is a clear privacy policy that transparently communicates how an individual can expect their information to be collected, used, disclosed and destroyed.
“In conducting a compliance sweep, the OAIC intends to ensure that entities are meeting their obligations to be transparent with consumers and customers about how they’re using the personal information they collect in-person.
“We hope this will also catalyse some reflection about how robust entities’ privacy practices are, and whether more can be done to improve compliance with the Privacy Act writ large.”
Andy Kollmorgen is the Investigations Editor at CHOICE. He reports on a wide range of issues in the consumer marketplace, with a focus on financial harm to vulnerable people at the hands of corporations and businesses. Prior to CHOICE, Andy worked at the Australian Securities and Investments Commission (ASIC) and at the Australian Financial Review along with a number of other news organisations. Andy is a former member of the NSW Fair Trading Advisory Council. He has a Bachelor of Arts in English from New York University. LinkedIn
Andy Kollmorgen is the Investigations Editor at CHOICE. He reports on a wide range of issues in the consumer marketplace, with a focus on financial harm to vulnerable people at the hands of corporations and businesses. Prior to CHOICE, Andy worked at the Australian Securities and Investments Commission (ASIC) and at the Australian Financial Review along with a number of other news organisations. Andy is a former member of the NSW Fair Trading Advisory Council. He has a Bachelor of Arts in English from New York University. LinkedIn
For more than 60 years, we've been making a difference for Australian consumers. In that time, we've never taken ads or sponsorship.
Instead we're funded by members who value expert reviews and independent product testing.
With no self-interest behind our advice, you don't just buy smarter, you get the answers that you need.
You know without hesitation what's safe for you and your family. And our recent sunscreens test showed just how important it is to keep business claims in check.
So you'll never be alone when something goes wrong or a business treats you unfairly.
