For businesses, the latest Australian Community Attitudes to Privacy Survey (ACAPS), which every three years tracks Australians' attitudes to privacy, their experiences of privacy risks and misuse of personal information, and their expectations of organisations and government, provides insight into where concerns lie and where there are advantages to be gained by those able to address them.
Below, we review the survey's main findings against core APP obligations and consider how these community expectations can inform a compliance approach that enhances opportunity and future-proofs against risk.
What ACAPS 2026 reveals about community attitudes
Almost nine in 10 Australians (87%) say they are more concerned about their privacy than they were five years ago. Yet that growing concern is not matched by a corresponding sense of control. Only 20% report feeling in control of their personal information, down from 32% in 2023, and just a quarter believe that most organisations are transparent about how personal information is used, itself a striking fall from 42% in 2023. Overall, the biggest privacy risk concerns identified by Australians in ACAPS 2026 include:
- data breaches (82%, up from 74% in 2023);
- organisations not storing personal information securely (77%, up from 60% in 2023);
- scammers attempting to access personal information (75%, up from 71% in 2023);
- organisations sending information overseas (70%, up from 50% in 2023); and
- concern about AI systems using personal information (69%, up from 43% in 2023).
What this tells us, in short, is that Australians are increasingly aware of privacy risks, and increasingly resigned to being unable to do much about them. The gap between what Australians expect of organisations and what they actually experience is widening. For organisations, these shifting community attitudes are increasingly consequential, shaping not only the reputational stakes of maintaining trust but also the standard against which regulatory compliance is assessed and the likelihood that individuals will look for other legal remedies or options.
ACAPS and the wider regulatory framework
The regulatory cornerstone for the handling of personal information in Australia is established by the Australian Privacy Principles (APPs), which embed individual rights and impose corresponding obligations on organisations across the information lifecycle, from collection and use to disclosure and security.
When the OAIC assesses whether an organisation has met its obligations under the APPs, concepts such as what counts as "reasonable steps" to protect personal information and what is proportionate need to be considered. These concepts, however, are not measured against a fixed technical standard but rather against what a reasonable person in the community would expect. So, as community expectations rise and the extent of the data collected and types of processing expands, the bar for what counts as compliant behaviour under the APPs rises with it.
The ACAPS 2026 findings highlight the areas in which this shift in community expectations is most pronounced. Those areas include transparency, data collection, the use of personal information – particularly in the context of AI – data security, cross-border disclosure, and individual control.
Transparency obligations
The APPs impose baseline transparency obligations at the point of collection. APP 1 requires organisations to maintain a clearly expressed and up-to-date privacy policy, while APP 5 requires individuals to be notified of the collection of their personal information, including the purposes for which it is collected and to whom it may be disclosed.
ACAPS 2026 suggests that these obligations are no longer regarded by the community as sufficient on their own. Transparency is increasingly expected not only at the point of collection, but throughout the data lifecycle, particularly in relation to how personal information is used in practice. This is most evident in attitudes towards AI, with 79% of Australians expecting to be informed when their personal information is used in AI systems, up from 71% in 2023.
From December 2026, this expectation will be partially reflected in the new transparency obligations concerning automated decision-making (ADM) under APP 1, which will require more detailed disclosure of ADM that uses personal information.
Collection of personal information
APP 3 limits the collection of personal information to what is reasonably necessary for an organisation's functions or activities, embedding a principle of data minimisation within the statutory framework.
The ACAPS findings indicate that community expectations in this area are becoming more restrictive. Over nine in 10 Australians (92%) believe there are limits to what personal information organisations should collect, regardless of the purpose, with certain categories of data, including biometric information, behavioural data and detailed online tracking, increasingly viewed as excessive or unjustified. This suggests that the threshold for what will be considered "reasonably necessary" may be narrowing in practice, particularly for more intrusive forms of data collection.
Use of personal information and fairness in AI
APP 6 restricts the use and disclosure of personal information to the primary purpose for which it was collected, or to a permitted secondary purpose. This principle is central to assessing the lawfulness of emerging practices such as the use of customer data to train AI models.
ACAPS 2026 indicates strong community resistance to such uses where they are not clearly expected or understood. A significant majority of Australians (93%) consider the use of personal information in AI systems to be unfair or unreasonable in certain contexts, particularly where it informs decisions that affect individuals. This highlights the growing importance of aligning data use practices not only with formal purpose limitations, but with broader expectations of fairness.
Cross-border disclosure and loss of control
APP 8 regulates the disclosure of personal information to overseas recipients, requiring organisations to take reasonable steps to ensure that those recipients do not breach the APPs, unless an exception applies, such as explicit informed consent. The use of offshore AI providers means offshore disclosures are increasingly common. ACAPS 2026 highlights growing concern about this practice, with 97% of Australians expressing concern about their personal information being sent overseas.
Security and organisational accountability
APP 11 requires organisations to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access or disclosure. This obligation aligns closely with community expectations reflected in ACAPS 2026.
Nine in 10 Australians (91%) consider organisations responsible for data breaches, a position that has strengthened as reported data breach notifications have risen by around 30% since the start of 2022. This convergence suggests that failures in data security will carry both regulatory and reputational consequences, and that what constitutes “reasonable steps” under APP 11 will be assessed against increasingly high community expectations.
Individual rights and control over personal information
APPs 12 and 13 give individuals the right to access and request correction of their personal information, an important mechanism through which individuals can exercise control. However, ACAPS 2026 indicates that awareness and use of these rights in practice remain low, with fewer than half of Australians aware that the right to access exists and only 11% having exercised it. At the same time, there is strong support for expanding individual rights in this area, with more than nine in 10 Australians supporting the introduction of a right to erasure. While such a right does not yet exist under the Privacy Act, it is anticipated as part of forthcoming legislative reforms. The new ADM transparency disclosure obligation may result in an increase in the exercise of access rights as individuals learn more about the uses of their information.
Direct marketing
APP 7 regulates the use and disclosure of personal information for direct marketing purposes and requires easy-to-use, functional opt-out mechanisms. The Spam Act also requires functional unsubscribe mechanisms in electronic direct marketing. Failures in this area were among the most commonly reported concerns in ACAPS 2026, with 41% of Australians reporting an inability to unsubscribe from marketing communications in the past 12 months, up from 25% in 2023.
AI, privacy, and the December 2026 deadline
From 10 December 2026, mandatory ADM transparency obligations in privacy policies will begin to apply. The new requirements in APP 1.7 to 1.9 will cover a broad range of technologies, including AI-enabled systems, rule-based tools and automated assessment technologies, and apply to any decision made on or after 10 December 2026, irrespective of when the underlying systems were deployed.
The ACAPS 2026 findings make clear that this obligation arrives at a moment of growing community concern. Nearly all Australians (96%) say some conditions should be in place before AI is used in decision-making that may affect them, and 81% expect to have the right to human review of such decisions, up from 73% in 2023. AI-informed decision-making that has a significant effect on an individual is considered unfair or unreasonable by 91% of Australians, up from 70% in 2023. Acceptance varies considerably by use case: AI use for fraud detection is more widely accepted (64%), while acceptance for automated eligibility or risk-based decisions such as loan approvals or benefit eligibility is very low, with only one-quarter (25%) viewing this as acceptable.
The adjacent issue of biometrics compounds this picture. Comfort with biometric analysis remains generally low, with Australians more likely to report discomfort across most applications, and unease appears to be increasing. Trust in organisations to collect and use biometric information has fallen sharply, from 24% in 2023 to just 13% in 2026. Comfort is lowest for personalisation and advertising uses, with only one in 10 Australians comfortable with retail stores recognising customers to recommend products (11%, down from 19%) or shopping centres targeting advertisements using biometrics (9%, down from 17% in 2023).
Given that biometric analysis increasingly relies on AI systems, these two areas of declining community trust present a compounding compliance and reputational risk for organisations operating in both spaces.
Trust as a commercial asset
The ACAPS 2026 findings make clear the growing importance of privacy compliance. Around two-thirds of Australians say they would be more willing to use digital services if they felt their personal information was handled fairly and responsibly and, for industries that depend on data-driven business models, that finding represents a commercial opportunity as much as a regulatory signal. Organisations that limit collection and retention, constrain secondary uses, and provide complaint, access and correction pathways that are accessible and effective are better placed to build the trust on which digital engagement depends.
While further reforms to update the Privacy Act are still expected, the OAIC is not waiting. It is taking a risk-based and proportionate approach to regulation on a number of different fronts, including facial recognition technology (FRT) and tracking pixels, through a lens of what are "fair and reasonable" practices, and is spelling out its expectations. Organisations that approach privacy as a strategic and commercial imperative, rather than a constraint, will be better positioned for the regulatory environment that is now arriving and better able to avoid the amplified privacy risks that come with AI deployment.