This guide explains what has changed, why real estate is under regulatory scrutiny, and what your agency must do now to avoid enforcement action.
Privacy reform is now a real business risk
Penalties up to $50M
Serious or repeated privacy breaches can now attract penalties up to AU$50 million, 30 percent of adjusted turnover, or three times the benefit gained.
Regulatory spotlight
The OAIC has launched a compliance sweep targeting rental and property businesses, focusing on in-person data collection at open homes and inspections.
Over-collection risks
Collecting more information than reasonably necessary, especially identity documents at inspections, is a regulatory red flag.
Online conduct matters
Using tenant or applicant information in public review responses or on social media can breach the Privacy Act.
Individuals can sue
The statutory cause of action for serious invasions of privacy has been in force since 10 June 2025. Litigation and class action risk is real and present.
Board-level issue
Privacy risk should sit alongside WHS and employment risk in governance frameworks and risk registers.
Does the Privacy Act apply to your agency?
The Privacy Act 1988 (Cth) includes a small business exemption that generally excludes businesses with an annual turnover of $3 million or less. However, the exemption is narrower than many assume, and relying on it without proper consideration is risky.
The exemption does not apply if your agency is related to a body corporate that is not a small business, has opted in to the Privacy Act (sometimes done as part of a franchise arrangement), or shares tenancy information with third parties such as tenancy databases - which can constitute "trading in personal information" and removes the exemption entirely.
Beyond the legal question, the OAIC's compliance sweep has not limited its focus to businesses above the threshold. Agencies handling sensitive financial, employment and identity information as a matter of routine are squarely in the frame, regardless of size.
From 1 July 2026, the question may be settled for many agencies regardless. Under AML/CTF Tranche 2, real estate agencies providing designated services must enrol with AUSTRAC and comply with anti-money laundering obligations. Once you are a reporting entity under the AML/CTF Act, the small business exemption under the Privacy Act no longer applies - even if your turnover is below $3 million. This means many agencies that previously fell outside the Privacy Act will be brought into scope by the AML/CTF reforms alone.
What has changed under the Privacy Act?
Much stronger enforcement powers
The Privacy and Other Legislation Amendment Act 2024 significantly expanded the powers of the OAIC, including the ability to issue infringement notices for certain breaches, stronger investigation and information gathering powers, and public inquiries into systemic privacy practices.
Significantly higher penalties
Maximum penalties for serious or repeated interferences with privacy have been increased to the greater of AU$50 million, three times the value of the benefit obtained, or 30 percent of adjusted turnover during the breach period.
Individuals can now sue
The statutory cause of action for serious invasions of privacy commenced on 10 June 2025. Individuals can now take legal action where a privacy invasion was intentional or reckless, serious in nature, and where they had a reasonable expectation of privacy.
WHY IT MATTERS
Why are real estate agencies in the spotlight?
The OAIC has announced its first privacy compliance sweep targeting multiple sectors, explicitly including rental and property businesses and real estate agents, with a focus on in-person data collection practices.
The risk profile of real estate is obvious. Agencies routinely collect identity documents, financial records and payslips, employment information, rental histories, and sometimes health or hardship information.
Regulators have flagged particular concern about open home sign-in processes, collection of driver licence details or copies without clear necessity, lack of transparency about how information will be used, and over-collection relative to what is reasonably necessary.
This often happens face to face, in pressured environments, where individuals have limited time to understand what they are agreeing to.
Real examples of regulatory action
Under the APPs, both a digital agency and its client can bear responsibility for how personal information is used in marketing campaigns. If an agency uses a client-supplied email list without verifying that consent was obtained for the specific purpose of marketing, both parties may be found to have interfered with privacy - the client for unlawful disclosure, and the agency for unlawful use. The OAIC's APP 7 guidance makes clear that engaging a third party to conduct marketing does not transfer or reduce the originating entity's obligations.
Key obligations under the Australian Privacy Principles
APP 1 – Privacy Policy
Agencies must have a clear, accurate and accessible privacy policy explaining what is collected, why it is collected, and how it is used.
APP 3 and 5 – Collection
Only collect information that is reasonably necessary. Notify individuals at or before collection about the purposes and handling of their data. Open homes and inspections are a specific risk point here.
APP 6 – Use and Disclosure
Information must generally only be used for the purpose for which it was collected. Public online responses using client data can breach this principle.
APP 7 – Direct Marketing
Personal information cannot be used for marketing without consent or a compliant opt-out mechanism. The OAIC can issue infringement notices for certain direct marketing breaches.
APP 11 – Security
Agencies must take reasonable steps to protect information from misuse, interference, loss and unauthorised access.
APP 12 and 13 – Access
Individuals must be able to access and correct their information. Penalty notices can apply for failures to comply.
What real estate agencies should do now
Privacy compliance requires a structured approach across three timeframes. Immediate actions address critical gaps, medium-term work builds governance capability, and strategic initiatives position your agency for ongoing reform.
Immediate (0-3 months): fix critical privacy gaps now
Medium term (3-12 months): build governance and processes
Strategic (12-18 months): embed long-term privacy strategy
Immediate: 0 to 3 months
- Fix the privacy policy.
- Clean up open home data collection.
- Stop risky online practices.
- Tighten marketing compliance.
- Implement basic security hygiene including removing dormant CRM accounts and implementing stronger authentication.
Medium term: 3 to 12 months
- Appoint a privacy lead.
- Document a privacy management plan.
- Conduct data mapping across your applications, portals and CRM.
- Define retention periods for tenancy applications and identity documents.
- Review vendor contracts.
- Deliver annual privacy training with real estate-specific scenarios.
Strategic: 12 to 18 months
- Conduct privacy impact assessments for higher-risk initiatives, particularly AI-assisted tenant screening tools.
- Integrate privacy risk into board reporting and risk registers.
- Review insurance coverage.
- Consider privacy capability as a genuine differentiator.
Practical checklist
Use this as an accountability tool. Assign an owner in your team to each item and track progress against it.
How Savira can help
Savira works with Australian real estate agencies and franchise groups to conduct privacy risk reviews aligned to the Privacy Act and APPs, redesign open home and inspection collection processes, update privacy policies and collection notices, deliver practical scenario-based staff training, implement privacy management frameworks suitable for board reporting, and support incident response and regulator engagement.
Whether you are a single office, a multi-office franchise network, or building tools for the sector, Savira can help you move from reactive compliance to structured, defensible governance, and help your agency align its customer due diligence processes with Australian Privacy Principle requirements, so you collect what you need without over-collecting.
Staying current with privacy reform
This guide was last updated 22 March 2026 to reflect AML/CTF Tranche 2 obligations commencing 1 July 2026, updated OAIC privacy guidance for reporting entities, and the latest compliance sweep announcements. Australian privacy law continues to evolve. Register to stay across regulatory changes affecting real estate agencies.
