Recent updates from the Office of the Australian Information Commissioner (OAIC) to the guidance on Australian Privacy Principle 3 (APP 3) signal a material shift in how regulators expect entities to approach the collection of personal information. Entities should be reviewing their collection practices and privacy policies now to ensure they align with the updated guidance.

The guidance updates to Australian Privacy Principle 3 (APP 3) do not change the wording of APP 3 itself. However, they significantly expand how the existing obligations are interpreted and enforced, particularly in the context of modern data practices such as AI tools, tracking technologies, and data aggregation.

One significant addition to the updated guidance is that if an entity creates personal information through the use of AI (or via automated decision making and data analytics), by generating or inferring it from other information or data the entity already holds, this will constitute a collection for the purposes of APP 3.

Key Takeaways

The updated APP 3 guidance represents a substantive recalibration of expectations, particularly for entities using modern data collection and management technologies, including to generate and infer data. If your business collects personal information, it is important to reassess how and why that information is gathered, and whether current practices remain compliant.

The key message is clear:

  • If an entity cannot clearly explain why it collects each type of personal information, and demonstrate that it is reasonably necessary, the entity will be exposed to regulatory risk
  • The OAIC is applying a broad definition to ‘collection’. The adoption and use of AI and other technologies by entities means that the entity may be collecting personal information by generating or inferring information from data already held
  • Entities should treat this as a trigger for immediate review of collection practices and their privacy policies, rather than a purely technical update to regulatory guidance.

APP 3: The Starting Point – When Can You Collect Personal Information?

APP 3 regulates when and how personal information can be collected.

At its core:

  • Entities may only collect personal information if it is ‘reasonably necessary’ for their functions or activities
  • Sensitive information generally requires consent, unless an exception applies
  • All collection must occur by lawful and fair means and usually directly from the individual.

The updated guidance does not alter these requirements, but it tightens how they must be applied in practice.

Expansion of ‘Collection’: Almost All Data Capture Now Counts

A key development is the OAIC’s broad interpretation of ‘collection’.

The updated guidance makes clear that collection can occur even if:

  • Personal information is held only momentarily (including milliseconds)
  • Data is captured via:
    • Tracking pixels
    • Web scraping tools
    • Routers or digital infrastructure
    • AI chatbots and automated systems.

Many entities will be collecting personal information more often than they assume, triggering APP 3 obligations even for passive or automated data capture.

A Stronger Regulatory Focus on Data Minimisation

The most significant thematic shift is the OAIC’s emphasis on data minimisation.

The guidance clarifies that:

  • The ‘reasonably necessary’ test embeds a concept of proportionality
  • Entities must actively justify why each category of personal information is collected
  • Over‑collection increases privacy, security and breach risk.

It is no longer sufficient that personal information is ‘useful’ or ‘nice to have’; it must be reasonably necessary in a real and documented sense.

Modern Technology in Scope: AI, Tracking and Data Broking

The updated guidance explicitly addresses contemporary digital practices, including:

  • AI and automated decision‑making tools
  • Facial recognition technologies
  • Data scraping and web crawling
  • Tracking pixels and behavioural analytics
  • Data broking and third‑party datasets.

The OAIC also emphasises that:

  • Publicly available information is not automatically free to collect and use
  • Reasonable expectations of individuals and fairness remain central.

Entities operating digital platforms, marketing technologies, or AI tools face heightened scrutiny, particularly if personal information and data is aggregated or inferred.

Increased Scrutiny on ‘Functions and Activities’

The guidance sharpens how entities should define their functions and activities:

  • These must be objectively identifiable
  • Proposed activities must be supported by clear decisions and established plans
  • Public‑facing materials (e.g. website descriptions) may be used to assess legitimacy.

Overly broad or vague descriptions of business activities will not justify wide‑ranging data collection.

Fairness and Transparency: Not Just Formal Compliance

The OAIC has expanded guidance on ‘fair means’ of collection, reinforcing that:

  • Collection practices must align with community expectations
  • Individuals should not be misled or surprised by how their data is obtained.

Combined with a broader privacy reform agenda, this signals a move toward a substantive fairness standard, not just formal compliance.

Third‑Party and Indirect Collection Risks

The updated guidance also highlights:

  • Ongoing liability if third parties collect information on behalf of an entity
  • Risks in relying on:
    • Data brokers
    • External platforms
    • Third‑party analytics providers.

Outsourcing collection does not reduce compliance risk, and entities must ensure end‑to‑end compliance across their data supply chains.

Practical Steps for Entities

Based on the updated guidance, entities should act now to reduce regulatory and litigation risk.

Immediate actions

  • Conduct a personal information/data collection audit:
    • What personal information and data is collected?
    • How is it collected (including automated means)? When?
    • Is each category reasonably necessary? Why?
  • Review digital infrastructure:
    • Websites (tracking pixels, cookies, analytics)
    • AI tools (chatbots, transcription tools, use of AI to generate or infer information)
    • Marketing platforms and integrations.

Governance and documentation

  • Clearly define and document functions and activities
  • Align privacy policies and collection notices with actual practices, especially regarding the use of AI to generate or infer information and data
  • Implement a personal information/data minimisation framework.

Third‑party risk management

  • Review vendor arrangements involving personal information/data collection
  • Ensure contractual controls reflect APP 3 requirements.

Risk focus areas

  • AI and automated tools
  • Behavioural tracking and AdTech
  • Aggregation of publicly available data.

Why This Matters Now

The updated APP 3 guidance reflects a broader shift in Australia’s privacy regime toward:

  • More active enforcement. The OAIC recently announced its intention to undertake a ‘privacy policy sweep’ and has expanded powers to issue infringement notices
  • Greater accountability for digital practices
  • Alignment with global data protection standards.

Regulators are increasingly focused on how entities actually collect and manage personal information and data in practice and not just what is outlined in privacy policies and collection notices.

Should you wish to discuss this guidance update, privacy rights and obligations, or privacy policies, please do not hesitate to contact Bill Fragos, Special Counsel, or Christina Segaan, Senior Associate. We also deliver presentations and training to our clients on privacy laws, serious invasions of privacy, data breaches and the implications of privacy law reforms.