Happy New Year: Check Your Privacy Policy
- Jan 15
Happy New Year! And you know what that means – new year, new… privacy updates for your website! I suppose it’s better than a ‘new year, new me’ gym membership?
Naturally you should always be keeping your website’s Privacy Policy up to date, but why should you be taking extra care now, and in 2026? Let’s break this down.
TL;DR
- At the end of 2025, the Office of the Australian Information Commissioner (OAIC) announced a privacy compliance sweep focussing on sectors which traditionally collect information in person
- Use this as a reminder to review and update your website’s Privacy Policy and data collection procedures
- Check your Privacy Policy has all of the required information as per the OAIC’s guidance
- When you make updates to your Privacy Policy, make sure you let your team know and notify your customers of the changes
Privacy Policy changes in 2026 for Australia
At the end of 2025, the Office of the Australian Information Commissioner (OAIC) announced it was going to do its first ‘sweep’ of privacy compliance for around 60 Australian organisations. The sweep is targeted at sectors which traditionally collect information in person, including:
- Rental and property industry
- Chemists and pharmacists
- Licensed venues
- Car rental companies and dealerships
- Pawnbrokers and second-hand dealers
In-person data collection
They are focusing initially on ‘in person’ data collection because of the lack of transparency when you verbally hand over your details.
When you fill in a form online, you will almost always tick a box to say you agree to the data being collected and have access to the Privacy Policy. However, to use the OAIC’s example, think about when you’ve been at a house viewing and the agent asks for your details. More times than I care to remember, they have simply typed it into their notes on their phone – ready for the Monday morning ring around!
And what are they doing after that? Do they delete the notes, add them to the company’s database, or sign you up to their marketing list and send you three emails a week with completely irrelevant properties that you can’t afford, in emails so long you can’t find the unsubscribe button? (Yes, you know who you are!)
How not to capture in person data
If you capture personal data in person, such as names, emails and phone numbers, or even snaps of driver’s licences, consider where you’re going to keep that data and how you are going to manage it. If you are doing any of the following, it’s time to reconsider your data privacy process:
- Adding it to an online database without an opt-in source
- Contacting people directly with marketing messages
- Sharing it with another company
- Leaving it on your device in non-secure apps
- Saving it in a spreadsheet on your desktop
If you have a data capture form on your website, or any other channels, and you'd like some help setting up some privacy options, please get in touch with me for support!
How to review and update your Privacy Policy
Given this proactive approach from the OAIC, this is a great opportunity to take a look at your own policy and procedures. Here’s a quick checklist of things to look out for, and the privacy principles to check for your website.
Does your Privacy Policy contain these required pieces of information?
- Types of personal information you collect and hold
- How you collect and hold personal information
- Why you collect the personal information
- How an individual may access their personal information and seek its correction
- How an individual may make a complaint and how you will handle their complaint
- If you are likely to disclose personal information to overseas recipients, and if so, to which countries.
Source: Office of the Australian Information Commissioner (OAIC), What is a privacy policy? https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/what-is-a-privacy-policy
Is your Privacy Policy up to date?
If you have added new marketing tags or pixels, or perhaps changed where you host your website, you need to make sure this is up to date in your policy. I most often see that users have added a new TikTok or Meta pixel to help in remarketing campaigns, but they have not updated their privacy or cookie policy to state that.
Is it easy to understand your Privacy Policy?
Perhaps you’ve asked your incredibly skilled legal friend to write your policy, but it reads like an old legal textbook. You are required to write your policy in a clear and transparent manner that is easy for customers to understand.
Give your policy a quick read and make sure you fully understand it, and then give it to a friend and ask them to do the same. I also like to give it to an older relative, to see if it passes ‘the boomer test’. If they understand it, then you should be okay.
How to let people know about your updated Privacy Policy
In Australia, if you make a ‘material change’ to your Privacy Policy, you are required to let your users know about it. However, you don’t need to re-obtain consent from individuals like you would under GDPR laws – but you do need to offer your users a chance to retract or update their consent based on the changes (as per APP 13).
Some good ways to notify your customers of a Privacy Policy update could be:
- Using a website banner or pop-up notice
- Sending an email update (non-marketing)
- Creating a blog or news post
If it is a big change, then I’d always recommend sending an email to make sure that all people whose data you hold are aware, including those who are unsubscribed. Not everyone will come back to your site and see your post or pop-up.
Don't forget: Make sure you update your ‘last updated’ date on your Privacy Policy as well!
What is considered a ‘material change’ to your policy?
A “material change” to a website Privacy Policy is any change that would reasonably affect how personal information is handled or how an individual would understand, consent to, or be impacted by that handling.
This could include adding new marketing tools or implementing a new pixel, working with a new third party who will access the data, or a change in privacy laws. You could also notify your customers if there has been a data breach, including what you have done to rectify this.
I’d always err on the side of caution and let your users know if you make any changes to your policy, and decide on the appropriate communication method based on the type of change you have made.
Don’t forget to tell your team!
One thing often forgotten is letting your team and partners know too. Don’t catch them off guard with a change in policy, as they might have other business activities planned, like a campaign launch, development release or a big customer meeting.
The information contained in this article is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the privacy topics, please contact a qualified legal consultant.


