Helios Salinger

How dark patterns can land you in hot water: new case offers lessons for all

May 20, 2026, Crystal Camara

A new determination from Australia’s privacy regulator offers lessons about design, power, and what ‘fairness’ requires of organisations handling personal information.

Collection practices in the spotlight

In April 2026, the Australian Privacy Commissioner, Carly Kind, found that IRE Pty Ltd, operator of the 2Apply rental application platform, had breached Australian Privacy Principles (APPs) 3.2, by collecting personal information that was not reasonably necessary, and 3.5, by collecting information by unfair means.

With implications far beyond the RentTech sector or even other technology providers, this new determination is a story about design, power, and what ‘fairness’ requires of organisations that collect personal information.

While this case is a finding against one company, it also serves as a warning to many. This is consistent with the broader regulatory direction set by Kind: a strategic enforcement approach, which uses individual cases to send economy-wide signals about how the regulator will interpret – and enforce – the law.

The background

Imagine you are applying for a rental property and being asked for your gender, student status, citizenship, visa expiry date, whether you’ve ever claimed bond assistance, and the full rental history of everywhere you’ve lived for the past two years. Plus your payslips, annual income, evidence of identity documents, smoker status, student number, children’s names, Centrelink support details, child support statements, car make / model and registration, and even your pet’s name and breed.

Now imagine that the platform collecting all this information has been designed to make you feel guilty for refusing to hand over your data – or afraid of the consequences should you refuse.

That was the reality facing millions of Australian renters using 2Apply, the country’s dominant tenancy application platform, with approximately 37% market share and more than 8.5 million applications processed. As Kind described it:

“Either they hand over personal and private information, including ID documents and payslips, or risk housing precarity or even loss.”

In March 2025, the Office of the Australian Information Commissioner (OAIC) initiated a year-long ‘own motion’ investigation into APP-regulated entity IRE Pty Ltd’s 2Apply rental application platform.

Platforms are More than a Post Box

IRE proffered a defence: it was simply a technology platform facilitating information exchanges – a mere conduit, passing data between prospective renters and estate agents. A post box, not a collector of personal information, so APP 3 rules should not apply.

However, Kind rejected that characterisation. Her determination stated that RentTech platforms are “more than just a ‘middleman’ between renters and real estate agents”, as they directly collect personal information and may bear independent obligations under the Privacy Act.

This has implications for any businesses operating technology platforms that facilitate data collection: you cannot shift the privacy compliance responsibility to other organisations upstream or downstream, if the APPs apply to you.

‘Just in Case’ is Not Good Enough

Kind found that IRE had breached APP 3.2 by collecting personal information that was not reasonably necessary, and APP 3.5 by collecting information by unfair means.

This determination followed the tone of previous decisions such as 7-Eleven, Property Lovers Pty Ltd, and Master Wealth Control Pty Ltd t/a DG Institute. Under APP 3.2, collection of personal information must be “reasonably necessary” for the collector’s activities / functions. Kind was explicit: the legal threshold was not met by information that is merely “helpful, desirable or convenient” for a landlord or agent.

Further, she assessed each category of data being collected against IRE’s core purpose: processing tenancy applications. That assessment found that the collection of several data points was not justified as necessary to perform that function. IRE’s ‘just in case’ collection practices were excessive.

Kind confirmed that data minimisation – in other words, collecting only the information that is relevant, minimal and not excessive – is both implicit in APP 3.2, and best practice for APP entities. It is not a constraint on doing business, but a discipline that reduces risk.

Dark Patterns in Plain Sight

However, what makes this determination genuinely landmark is that the Commissioner analysed how the information was collected, not just what was collected. For the first time, the OAIC applied the concept of ‘online choice architecture’ to assess whether collection was fair.

Online choice architecture is the way digital forms present and structure choices to shape user behaviour. It is not always harmful, but it becomes problematic where it undermines a person’s ability to make a free and genuine choice about the handling of their personal information. Tactics which reduce choice are called ‘dark patterns’.

The 2Apply form deployed three specific dark patterns:

  • Confirmshaming: Using emotionally charged or guilt-inducing language to make users feel bad about declining to share information. For example, the 2Apply platform suggested to users that by not submitting certain requested information they may not be considered a suitable tenant. Technically the user may be free to skip a data field, but practically they feel pressured to complete it.
  • Biased Framing: Presenting choices in such a way that options which require sharing your data appear obvious and beneficial, while privacy-protective options are framed as disadvantageous or unusual.
  • Bundled Consent: Combining multiple consent requests into a single prompt, preventing users from making nuanced decisions about different uses of their information. For example, the 2Apply platform presented only one tick box to users, to indicate their consent for their information to be used for the rental application and for direct marketing.

These are not accidental design choices. They are deliberate techniques, well known in UX and behavioural economics, engineered to extract more data than users would freely give. The Commissioner’s willingness to name these practices and find them ‘unfair’ as a means of collection – and thus unlawful in the context of APP 3.5 – is a watershed moment for Australian privacy enforcement.

However, it is important to understand that this finding was also informed by the context in which these dark patterns were deployed.

Between a Rock and a Rental Application

Central to the analysis of fairness was something no amount of form design could override: the Australian housing crisis.

Kind determined that fairness must be assessed in context and include the cumulative effect of several factors: the structural power imbalance between renters and landlords; the intensity of competition for properties; rising costs of living; renters’ inability to choose which platform to use; excessive collection; security risks in the real estate sector; and platform design that pressured users into disclosure.

“In the absence of any legislated right to housing, the competitiveness of the current rental market means that individuals are at a disadvantage when trying to rent a home and are more vulnerable.”

The importance of this dimension of the decision was that the OAIC was not simply looking at what IRE did in isolation. The OAIC also looked at the ecosystem in which IRE operated, including factors entirely outside IRE’s control, such as housing supply, interest rates, and market competition. The cumulative effect of those conditions, viewed through the lens of the platform’s design choices, tipped the scales to ‘unfair’.

The Commissioner is therefore signalling that the bar for fairness is higher in sectors with inherent power asymmetries, when the people you are collecting from have limited alternatives, and/or where the user is more vulnerable or dependent.

No Fine. But Far From Finished.

The investigation chapter may be closed, but the story for IRE is not over. While some consequences for IRE are immediate, such as ceasing within 60 days the collection of certain categories of information listed in the determination, others are ongoing. IRE must engage, at its own expense, an independent privacy expert to comprehensively audit its data collection practices, form design, and data retention policies. Written compliance reports need to be sent to the OAIC at certain intervals.

Although there was no direct financial penalty, the remedial costs of redesign, independent audit, ongoing oversight and compliance uplift will be substantial. And unlike a fine, those obligations are ongoing.

Accountability mechanisms such as independent reviews or sustained oversight, rather than one-time penalties, may be more common going forward. These obligations could represent significant and ongoing operational costs for entities investigated by the OAIC.

Why This Decision Matters

Kind, the keynote speaker at the IAPP’s launch event for Privacy Awareness Week 2026, specifically highlighted this determination, calling out the importance of agency and the ability of individuals to exercise meaningful control over their personal information. That framing is deliberate. When design diminishes agency, it interferes with privacy.

The 2Apply decision is not just about one company, or one platform. It advances the regulator’s strategic enforcement approach which uses individual cases to send sector-wide signals, with the intention of reshaping business practices economy-wide. The Commissioner was explicit about this in her speech, noting that the finding would be disseminated to industry peak bodies, and that other RentTech providers were expected to align their practices accordingly.

This case also matters because it demonstrates that privacy is not an island. By naming discrimination risk as a consequence of excessive collection, Kind affirmed that data minimisation supports compliance not only with the Privacy Act but with anti-discrimination law more broadly. Privacy, as the reasoning makes clear, is an umbrella right, one that supports and protects a wider range of human rights beneath it.

This determination also consolidates the OAIC’s approach to assessing practices against the APP 3.2 ‘reasonably necessary’ test, while also taking a novel approach to assessing ‘unfair means’ of collection under APP 3.5. In so doing, this determination builds on what we have called the OAIC’s ‘privacy pub test’, adding to the growing body of jurisprudence interpreting the law as it stands today, while also setting up the OAIC to enforce the law as it might be in the future, if the much anticipated ‘fair and reasonable’ test is introduced in the proposed Tranche 2 Privacy Act reforms.

Finally, this case points to the importance of assessing personal information handling practices in context: the organisation, the customer, the data, the use case, power imbalances and the surrounding ecosystem can all influence what might be considered ‘necessary’ or ‘fair’. Privacy Impact Assessments (PIAs) can do the heavy lifting to examine compliance risk in context – so long as your PIAs are not simply a tickbox exercise.

If you need assistance assessing the privacy implications of your platform, digital forms or new technologies – including conducting a PIA – please get in touch.

Photograph © by Pawel Czerwinski on Unsplash
