As Privacy Laws Tighten, Australian Business Owners Must Be More Careful With Customer Data

Cristina POPOV

February 03, 2026


Australian business owners are being asked to take greater responsibility for how they collect and handle customer data, including during face-to-face interactions. Even when information is gathered in person, it rarely stays offline: the details collected are typically entered into digital systems, platforms or cloud-based tools shortly afterwards, and from that point they carry the same breach and misuse risks as any other stored personal data.

From early 2026, the Office of the Australian Information Commissioner (OAIC) will begin reviewing privacy policies used by businesses that collect personal information in person. The review targets everyday situations such as rental inspections, pharmacy counters, car hire desks and vehicle test drives: moments when customers are often asked for personal details quickly, with little opportunity to ask why and little sense that they can refuse.

The move follows years of concern about excessive data collection, from rental platforms demanding far more information than necessary to car brands gathering and sharing detailed driver data under vague terms.

Even when privacy policies exist, the Australian Competition and Consumer Commission (ACCC) estimates that the average Australian would need around 46 hours each month to read all the policies they encounter, with each policy averaging about 6,876 words.


What’s changing and why it matters for businesses

Under Australia’s Privacy Act 1988, businesses already have to explain what data they collect, why they need it and how it is used. But reforms passed in 2024 raise the bar. From December 2026, privacy policies must clearly state whether automated systems or computer programs are used to make decisions that affect individuals, for example rejecting a rental application.

The reforms also give the Office of the Australian Information Commissioner (OAIC) new enforcement powers, including the ability to issue fines without going to court, and expand individuals’ rights to seek compensation when their data is misused.

If a business doesn’t have a compliant privacy policy, or doesn’t have one at all, penalties can reach $66,000.


Which industries are affected

The privacy policy sweep will focus on industries where the OAIC believes there are clear power imbalances between businesses and the customers being asked to provide personal data. In these situations, customers may feel they have little choice but to comply.

The OAIC plans to review around 60 businesses across the following sectors:

· Rental and property – collecting personal information during property inspections

· Chemists and pharmacists – collecting personal details for paperless receipts and identity information to dispense medication

· Licensed venues – collecting identity information to allow entry

· Car rental companies – collecting identity and personal information to enter into rental agreements

· Car dealerships – collecting personal information for vehicle test drives

· Pawnbrokers and second-hand dealers – collecting identity information from individuals selling or pawning goods

“When confronted with in-person requests for their personal information from retailers, licensed venues, car hire companies, or real estate agents, consumers often don’t have access to all the information they need to make an informed decision. This makes them vulnerable to overcollection of personal information and creates risks to their security and privacy,” says Privacy Commissioner Carly Kind.


How to better protect customer data and stay compliant

1. Review what you collect and why
List every piece of personal information you ask for in person, whether on paper, on a tablet or verbally, and note where each item ends up once it is entered into a system. If a detail isn’t strictly necessary to provide the service, stop collecting it; data you never hold cannot be breached. Over-collection is one of the main risks the OAIC is targeting.

2. Update your privacy policy in plain English
Make sure your privacy policy clearly explains what data you collect, why you need it, how it’s used, who it’s shared with, and when it’s deleted. Customers should be able to understand it quickly, not feel pressured to agree without reading.

3. Make privacy visible at the point of collection
Ensure customers can access your privacy policy before handing over their details. This could be a printed notice, a QR code, or a link on a tablet screen. Staff should also be able to explain, in simple terms, why information is being requested.

4. Prepare for automated decision disclosures
If you use software or automated systems that influence decisions, such as screening rental applications or approving services, document this clearly and prepare to disclose it, as required under upcoming Privacy Act changes.

5. Protect the data you collect, not just the policy
If your business collects personal information in person, now is the time to review both your privacy processes and the security behind them. A plain-English policy does not help if the tablet, laptop, email account or cloud tool that actually stores the details is unpatched, shared between staff with one password, or open to phishing. Limit access to the people who need it, keep devices and software updated, and know where copies of the data (including backups and exports) live so you can delete them when they are no longer needed.

Bitdefender Ultimate Small Business Security helps protect your business devices, email accounts, online tools and digital identities, reducing the risk that customer information is exposed through malware, phishing, or account takeovers.


Cristina Popov is a Denmark-based content creator and small business owner who has been writing for Bitdefender since 2017, making cybersecurity feel more human and less overwhelming.

View all posts

You might also like

Bookmarks


loader