The OAIC is looking at your marketing data practices
The regulator has explicitly named advertising technology, AI, and excessive data collection as priority areas for 2025-26. The first compliance sweep is underway and the first civil penalty has been imposed.
The Office of the Australian Information Commissioner has explicitly named advertising technology, artificial intelligence, and excessive data collection as priority areas for 2025-26. The regulator is no longer issuing guidance and waiting; it is actively investigating.
The compliance sweep
In January 2026, the OAIC launched its first privacy compliance sweep, reviewing approximately 60 entities across six sectors. Non-compliant privacy policies face compliance notices, infringement notices, and penalties of up to AUD 66,000 per contravention.
This is not a sample audit. It is a systematic review designed to establish compliance baselines and identify systemic failures. The OAIC’s stated priorities make clear that organisations relying on tracking technologies, ad tech, and data-intensive marketing practices are within scope.
The enforcement precedent is set
In October 2025, the Federal Court ordered Australian Clinical Labs to pay AUD 5.8 million, the first civil penalty under the Privacy Act. The penalty framework for bodies corporate is now the greater of AUD 50 million, three times the value of any benefit obtained, or 30% of adjusted turnover.
The penalty framework is live, the first penalty has been imposed, and the numbers are material enough to require board-level attention. Read alongside the OAIC’s stated priorities, the message to ad tech, AI, and data-heavy marketing operations is direct.
What to do before the regulator gets to you
Three areas need immediate attention.
Privacy policies. The compliance sweep is reviewing privacy policies as a primary indicator. If your privacy policy has not been updated to reflect current data collection practices, automated decision-making, and third-party data sharing, it is non-compliant. (And honestly, most of the ones I read still aren’t.)
Consent mechanisms. The OAIC expects privacy-by-design configurations, minimal data collection, and clear consumer consent for tracking tools. Pre-ticked boxes and dark patterns are explicitly flagged.
Data retention. Excessive data collection and retention is a named priority. If you are collecting more data than you need, or retaining it longer than necessary, the regulatory risk is direct and immediate.
The OAIC’s 2025-26 priorities read as a diagnostic checklist in their own right. The question is whether your organisation passes it without remediation, or only after.