Privacy risk in Australian real estate just increased
Last Updated: February 15, 2026
Australian real estate agencies are stepping into a materially higher risk privacy environment. Targeted regulatory attention is already underway.
New enforcement tools are live. Penalties have increased dramatically. And a right to sue for serious privacy breaches has now been in force since mid-2025.
Key Takeaways: Privacy Reform is now a real business risk
Penalties Up to $50M
Serious or repeated privacy breaches can now attract penalties up to AU$50 million, 30 percent of adjusted turnover, or three times the benefit gained.
Regulatory Spotlight
The OAIC has launched a compliance sweep targeting rental and property businesses, focusing on in-person data collection at open homes and inspections.
Over-Collection Risks
Collecting more information than reasonably necessary - especially identity documents at inspections - is a regulatory red flag.
Online Conduct Matters
Using tenant or applicant information in public review responses or on social media can breach the Privacy Act.
Individuals Can Sue
The statutory cause of action for serious invasions of privacy has been in force since 10 June 2025. Litigation and class action risk is real and present.
Board-Level Issue
Privacy risk should sit alongside WHS and employment risk in governance frameworks and risk registers.
Does the Privacy Act apply to your agency?
The Privacy Act 1988 (Cth) includes a small business exemption that generally excludes businesses with an annual turnover of $3 million or less. However, the exemption is narrower than many assume, and relying on it without proper consideration is risky.
The exemption does not apply if your agency is related to a body corporate that is not a small business, has opted in to the Privacy Act (sometimes done as part of a franchise arrangement), or shares tenancy information with third parties such as tenancy databases - which can constitute "trading in personal information" and removes the exemption entirely.
Beyond the legal question, the OAIC's compliance sweep has not limited its focus to businesses above the threshold. Agencies handling sensitive financial, employment and identity information as a matter of routine are squarely in the frame, regardless of size.
When in doubt
If your agency handles tenancy applications, processes rental histories, or collects identity documents at open homes, this applies to you.
Seek advice on whether the exemption applies to your specific circumstances.
What has changed under the Privacy Act?
1. Much Stronger Enforcement Powers
The Privacy and Other Legislation Amendment Act 2024 significantly expanded the powers of the OAIC, including the ability to issue infringement notices for certain breaches, stronger investigation and information gathering powers, and public inquiries into systemic privacy practices.
2. Significantly Higher Penalties
Maximum penalties for serious or repeated interferences with privacy have been increased to the greater of AU$50 million, three times the value of the benefit obtained, or 30 percent of adjusted turnover during the breach period. These levels bring privacy penalties into the same category as major competition and consumer law breaches.
3. Individuals Can Now Sue
The statutory cause of action for serious invasions of privacy commenced on 10 June 2025. Individuals can now take legal action where a privacy invasion was intentional or reckless, serious in nature, and where they had a reasonable expectation of privacy. Damages are available for both economic loss and emotional distress, with non-economic damages capped at AU$500,000.
Why are real estate agencies in the spotlight?
The OAIC has announced its first privacy compliance sweep targeting multiple sectors, explicitly including "rental and property" businesses and real estate agents, with a focus on in-person data collection practices.
Regulators have flagged particular concern about open home sign-in processes, collection of driver licence details or copies without clear necessity, lack of transparency about how information will be used, and over-collection relative to what is reasonably necessary.
The risk profile of real estate is obvious. Agencies routinely collect identity documents, financial records and payslips, employment information, rental histories, and sometimes health or hardship information.
This often happens face to face, in pressured environments, where individuals have limited time to understand what they're agreeing to.
Real examples of regulatory action
The OAIC has previously made determinations against real estate agencies. In one case, an agency responded to a negative Google review by publishing a tenant's name, occupation and financial circumstances. The OAIC found this breached the Privacy Act. The agency was required to apologise and improve its training practices.


Key obligations under the Australian Privacy Principles
APP 1 – Privacy Policy
Agencies must have a clear, accurate and accessible privacy policy explaining what is collected, why, how it is used, whether it is disclosed overseas, and how complaints are handled.
APP 3 and 5 – Collection
Only collect information that is reasonably necessary. Notify individuals at or before collection about the purposes and handling of their data. Open homes and inspections are a specific risk point here.
APP 6 – Use and Disclosure
Information must generally only be used for the purpose for which it was collected. Public online responses using client data can breach this principle.
APP 7 – Direct Marketing
Personal information cannot be used for marketing without consent or a compliant opt-out mechanism. The OAIC can issue infringement notices for certain direct marketing breaches.
APP 11 – Security
Agencies must take reasonable steps to protect information from misuse, interference, loss and unauthorised access.
APP 12 and 13 – Access
Individuals must be able to access and correct their information. Penalty notices can apply for failures to comply.
What agencies should do now
Immediate (0-3 months): Fix critical privacy gaps now
Medium Term (3-12 months): Build governance and processes
Strategic (12-18 months): Embed long-term privacy strategy
Privacy compliance requires a structured approach across three timeframes. Immediate actions address critical gaps, medium-term work builds governance capability, and strategic initiatives position your agency for ongoing reform.
Practical checklist
Use this as an accountability tool. Assign an owner in your team to each item and track progress against it.
Immediate: 0 to 3 Months
Fix the privacy policy.
Clean up open home data collection.
Stop risky online practices.
Tighten marketing compliance.
Implement basic security hygiene including removing dormant CRM accounts and implementing stronger authentication.
Medium Term: 3 to 12 Months
Appoint a privacy lead.
Document a privacy management plan.
Conduct data mapping across your applications, portals and CRM.
Define retention periods for tenancy applications and identity documents.
Review vendor contracts.
Deliver annual privacy training with real estate-specific scenarios.
Strategic: 12 to 18 Months
Monitor the next tranche of Privacy Act reforms.
Conduct privacy impact assessments for higher-risk initiatives, particularly AI-assisted tenant screening tools.
Integrate privacy risk into board reporting and risk registers.
Review insurance coverage. Consider privacy capability as a genuine differentiator.

How Savira can help
Savira works with Australian real estate agencies and franchise groups to conduct privacy risk reviews aligned to the Privacy Act and APPs, redesign open home and inspection collection processes, update privacy policies and collection notices, deliver practical scenario-based staff training, implement privacy management frameworks suitable for board reporting, and support incident response and regulator engagement.
Whether you are a single office, a multi-office franchise network, or building tools for the sector, Savira can help you move from reactive compliance to structured, defensible governance.
Structured Privacy Governance
Navigating privacy reform in real estate is no longer optional. It is a governance issue that requires expert guidance and practical implementation.
© Savira 2026. All rights reserved.