
Privacy compliance is no longer optional for businesses

By CCIWA Editor 

Businesses – big, medium and small – found to have non-compliant privacy policies may face infringement notices and penalties of up to $66,000.

Business Law WA (BLWA) is urging businesses to take privacy obligations seriously as regulatory scrutiny intensifies. 

“Privacy law compliance has moved firmly from the ‘nice to have’ category to a serious business risk that cannot be ignored,” BLWA Legal Director, Commercial Law, Cass Wright said. 

“Failing to have a compliant privacy policy is now a civil penalty provision under the Privacy Act. 

“Having a professional to help you create or check your privacy law policies, and ensure compliance with the Privacy Act, will reduce exposure to costly regulatory action, minimise the risk and impact of data breaches and build trust from your customers.” 

Industries under the microscope

In January this year, the Office of the Australian Information Commissioner (OAIC), Australia’s privacy regulator, kicked off its first privacy compliance sweep, targeting businesses that collect personal information in person. 

The sweep involves a review of selected businesses’ privacy policies to assess compliance with Australian Privacy Principle 1.4, which sets strict transparency requirements around how personal information is collected, used and disclosed. 

About 60 organisations from the following sectors will have their privacy policies assessed: 

  • Rental and property – personal information collected during property inspections. 
  • Chemists and pharmacists – personal and identity information collected for medication and paperless receipts. 
  • Licensed venues – identity information collected for venue entry. 
  • Car rental companies – identity and personal information collected for rental agreements. 
  • Car dealerships – personal information collected for vehicle test drives. 
  • Pawnbrokers and second-hand dealers – identity information collected when selling or pawning goods. 

“In conducting a compliance sweep, the OAIC intends to ensure that entities are meeting their obligations to be transparent with consumers and customers about how they’re using the personal information they collect in-person,” Privacy Commissioner Carly Kind said. 

“We hope this will also catalyse some reflection about how robust entities’ privacy practices are, and whether more can be done to improve compliance with the Privacy Act writ large.” 

Online retailer breaches Privacy Act

A recent decision by the Australian Information Commissioner highlighted the importance of privacy governance, following a data breach involving online wine wholesaler Vinomofo. 

The Commissioner found Vinomofo failed to take “reasonable steps” to protect personal information during a data migration process in 2022, in breach of APP 11.1. 

Key failings included the absence of security logging, inadequate cloud security controls, insufficient real-time access monitoring, and a lack of formal policies governing the handling of personal information. The decision also pointed to broader governance and cultural shortcomings, including limited cyber security expertise at senior levels. 

Importantly, the ruling clarified that using a major cloud provider does not shift responsibility for data security. While cloud platforms offer infrastructure and security tools, businesses remain accountable for how those systems are configured and managed. 

Case Study: Bunnings under scrutiny for facial recognition use

  • In 2018-2021, Bunnings used facial recognition technology (FRT) in up to 62 stores, comparing CCTV images to a database of known security risks.
  • If the system detected a match, staff would be alerted. Otherwise, the images were deleted.
  • After an investigation, in 2024, the Privacy Commissioner ruled Bunnings had breached several Australian Privacy Principles.
  • On review, the Administrative Appeals Tribunal overturned some of the Commissioner’s findings but still found that Bunnings:
    * failed to provide adequate notice to customers about FRT use, and
    * did not have appropriate privacy governance, documentation and policies.
  • Outcome: Bunnings can keep using FRT as long as it fixes its privacy notices, signage and customer information, privacy policy content and risk assessment processes.

How BLWA can help

For many businesses, the challenge is knowing where the gaps are before the regulator finds them. BLWA’s Red Flag Review is designed to help businesses identify high-risk areas in their privacy frameworks, policies and practices, including governance, data handling and privacy disclosures.

To find out where your business might have some privacy compliance gaps and how these can be addressed, organise your Red Flag Review by contacting the Employment Law team at [email protected] or call 08 9365 7746.

Cass Wright – Legal Director, Business Law WA

Cass has practised as a lawyer for more than 20 years. She has assisted a large number of SMEs and other businesses to put in place protections against cyber attacks and to better protect their data assets.

Cass is well known for her easy-to-talk-to nature, proactive advice and clarity.

Make a time to chat to her and discuss your needs: [email protected] or call 08 9365 7560.

This article is authorised by Business Law WA, an incorporated legal practice and wholly-owned subsidiary of CCIWA. The content of this article is general in nature and is not legal or professional advice and should not be relied upon as such.
