OAIC Privacy Sweep Puts Licensed Venues on Notice — Is Your Policy Up to Scratch?

The Office of the Australian Information Commissioner (OAIC) has kicked off its first-ever privacy compliance sweep — and licensed venues are squarely in the firing line. Around 60 businesses across six sectors are being reviewed, including pubs, clubs, rental agencies, pharmacies, car rental firms, car dealerships, and second-hand dealers. The sweep, which began in January 2026, is checking whether privacy policies meet the requirements of Australian Privacy Principle (APP) 1.4, with penalties of up to $66,000 for each infringement. The details were published on the OAIC website.

As the OAIC noted, consumers confronted with in-person requests for their personal information often don’t have the information they need to make informed choices — and the regulator is now backing that concern with real enforcement action. With expanded powers under the December 2024 privacy reforms, the OAIC has genuine teeth to follow through.

What the OAIC Is Looking For

If you run a pub, club, or restaurant that collects customer details — whether through ID scanning at the door, loyalty programs, Wi-Fi sign-ups, booking forms, event registrations, or RSA compliance records — your privacy policy needs to clearly spell out how that information is collected, used, disclosed, and eventually destroyed. The OAIC is also checking that businesses notify customers about data collection at or before the point they hand over their details, as required under APP 5.1. Privacy Commissioner Carly Kind has made it clear this isn’t just a box-ticking exercise.

Why This Matters Now

From 1 July 2026, an estimated 100,000 additional small businesses will fall under the Privacy Act for the first time. If your venue hasn’t been subject to the Act before, that changes in a matter of months. And for those already covered, the OAIC’s sweep signals a shift from guidance to enforcement.

What You Should Do This Week

Pull up your privacy policy and read it. Does it explain:

  • What personal information you collect and why?
  • Who you share it with, including any overseas recipients?
  • How someone can access or correct their data?
  • How you handle privacy complaints?

If any of those elements are missing or vague, you’ve got a compliance gap that could cost you. Venues relying on outdated boilerplate templates should be especially wary — they likely no longer meet current requirements.

Beyond the policy itself, audit your actual data flows. Map how personal information moves through your POS systems, booking platforms, guest Wi-Fi portals, digital sign-in processes, and staff devices. Your privacy policy needs to match what’s actually happening on the ground.

Get Ahead of the Sweep

Hospitality venues handle a surprising amount of personal data — from patron ID scans to booking details and payment information. If you’re unsure whether your current privacy practices meet the mark, it’s worth getting a professional review done before the OAIC comes knocking. All IT Services works with hospitality venues across eastern Australia on exactly this kind of compliance groundwork.

If you operate licensed venues and need specialist IT support for compliance, see our dedicated IT services for hospitality venues.
