Privacy crackdown: What really happens to your data in Australia

Ever wondered what happens to the personal information you hand over when you rent a car, attend a home open, or accept a paperless receipt at the checkout?

According to the ACCC, the data can be shared with third parties, used to profile you, or combined with other information in ways that expose consumers to discrimination, scams or fraud.

It's one of the reasons Australia's privacy watchdog is now stepping in.

The Office of the Australian Information Commissioner's (OAIC) first-ever compliance sweep is underway, targeting businesses that collect personal information in person and examining whether their privacy policies are up to standard.

Why this keeps catching consumers out

In-person data collection often happens quickly, with little explanation and even less choice.

Privacy Commissioner Carly Kind says this creates power and information imbalances that leave consumers vulnerable.

"When confronted with in-person requests for their personal information, consumers often don't have access to all the information they might need to make an informed decision," she says.

The OAIC is reviewing the privacy policies of around 60 businesses across six sectors where in-person data collection is common.

Why privacy policies matter even if no one reads them

Long, complex privacy policies are a major reason the regulator is concerned.

The ACCC's 2024 Digital Platform Services Inquiry found Australians would need almost 46 hours a month to read every privacy policy they encounter, with the average policy running close to 7000 words.

Consumer group CHOICE has repeatedly raised red flags about how businesses use privacy policies.

In 2023, it found rental application platforms were collecting far more data than needed to assess tenants, often from people with no alternative but to comply.

In 2024, CHOICE analysed the privacy policies of Australia's most popular car brands and found widespread tracking of drivers and vague rights to share data with third parties.

These findings underpin growing concerns that privacy policies are being used to justify data harvesting, rather than inform consumers.

Data trade-offs: Privacy versus convenience

Data harvesting is nothing new.

Businesses collect data when you shop online, use apps, or engage with social media - and this information is sold to data brokers who combine it with publicly available information.

Businesses then buy back enriched profiles to target you more effectively with ads, offers, and services.

One dataset alone, for example - the Eyeota (Dun & Bradstreet) dataset - boasts 17,501 unique data categories about Australians that are up for sale.

This cycle repeats endlessly, fuelling a system where the consumer is both product and target.

There are benefits to data-sharing: products are certainly more personalised and convenient.

Spotify curates playlists based on your music tastes, while Coles Online reminds you to restock frequently purchased items. Even targeted ads can help you discover products that genuinely suit your needs.

It can make things more secure. Banks use spending profiles to detect fraud, flagging unusual transactions that don't align with your typical habits.

But there's a darker side. The biggest problem is that there are no limits on who is buying this information - and not knowing where it ends up creates the opportunity for it to be used for nefarious purposes.

It could also be used to target vulnerable consumers: gambling addicts have been known to be targeted with gambling ads after appearing as a gambler in datasets.

What's in a privacy policy?

Consumers must consent to the sharing of their information, and online, that comes with accepting the terms and conditions set out in a privacy policy.

"Privacy policies explain how entities handle personal information," the OAIC tells Money.

"They typically outline: the kinds of information collected, the intended purposes for use, complaints procedures, instructions on how to access or correct information, and how information is used or disclosed, including whether it may be shared with overseas recipients."

But in person, it can be hard for consumers to fully comprehend what information they are giving away to be sold.

"For these reasons, entities should ensure their privacy policies are easily accessible to individuals and free of charge, usually via a website," the OAIC says. "It may also be appropriate to make the privacy policy available in other formats."

What the watchdog is trying to change

The OAIC says the sweep is designed to force greater transparency about how personal information is collected, used, disclosed and destroyed.

Legislative changes passed in 2024 expand the regulator's enforcement powers and increase penalties for non-compliant privacy policies, with fines of up to $66,000.

From December 10, 2026, businesses must also disclose whether automated systems use personal information to make decisions that could adversely affect consumers, such as rental application rejections.

The OAIC says it will take a "proportionate approach" to enforcement, meaning any action it takes will reflect the significance of the non-compliance identified.

"For example, if we identify non-compliance in a smaller business and we determine there's unlikely to be a large number of people impacted, we may choose to engage informally."

"Alternatively, if a very large business is involved, the potential consequences of non-compliance are likely to be greater, and in such cases, we may consider issuing a fine."

The OAIC says the sweep is designed not just to enforce compliance, but to push businesses to reassess how much data they collect in the first place.

"The first building block of better privacy practices is a clear privacy policy."

What consumers can take away

For consumers, the sweep signals a shift in expectations.

Businesses can no longer rely on vague, catch-all privacy statements to justify excessive data collection, particularly when people are asked to hand over personal information face-to-face, with little warning or choice.

Few Australians will suddenly start reading privacy policies cover to cover, but the regulator says transparency is no longer optional and will report on the outcomes of the sweep in the coming months.

Ryan Johnson was a journalist at Money from October 2024 to April 2026. He previously worked covering the Australian and New Zealand mortgage and banking industries. He has also written on superannuation, insurance, and personal finance. Ryan has a Bachelor of Communication (Journalism) from Curtin University, Perth.