When Consent Is Not Enough
The 2Apply Privacy Decision
- Online businesses and e-commerce stores.
- Membership organisations.
- Educational institutions and training providers.
- Health and wellness businesses.
- Professional service firms.
- Real estate agencies.
- Online marketplaces.
- App developers.
- Software-as-a-Service (SaaS) providers.
- Businesses using online forms, customer registration processes or digital onboarding systems.
- Any organisation that collects personal information through a website or app.
What Happened?
The case involved the 2Apply rental application platform, which allows prospective tenants to submit rental applications online.
The platform included a range of questions and document requests that could be selected by real estate agents when processing rental applications.
The Privacy Commissioner concluded that some of the information being requested went beyond what was reasonably necessary to assess a person’s suitability as a tenant.
Importantly, the Commissioner also criticised certain design features of the platform which were said to encourage or pressure users into providing more information than they might otherwise have disclosed.
The decision demonstrates that regulators are increasingly focusing not only on what information businesses collect but also how they collect it.
Why Is This Decision Significant?
The decision suggests that privacy compliance may no longer be satisfied simply by obtaining consent or including information in a privacy policy.
Instead, the Commissioner appears to be asking a more fundamental question:
Why are you collecting this information in the first place?
Businesses may increasingly need to demonstrate that each category of information collected is reasonably necessary for the activity being undertaken.
In practical terms, organisations may need to justify information requests with objective business reasons rather than relying solely on user consent.
This reflects a broader international trend towards data minimisation and proportionality.
What Are “Dark Patterns”?
“Dark patterns” are website or app design techniques that encourage, manipulate or pressure users into making decisions that they may not otherwise make.
Examples can include:
- Making it difficult to opt out.
- Using emotionally loaded wording.
- Presenting choices in a biased manner.
- Creating unnecessary urgency.
- Bundling multiple consents together.
- Making privacy-protective choices harder to find.
- Using language that makes users feel guilty for declining a request.
The Privacy Commissioner was critical of design practices that appeared to encourage applicants to provide additional information by suggesting that failure to do so might negatively affect their rental application.
As regulators become more focused on online user experience and digital design, businesses should be reviewing their websites and apps through a privacy and consumer law lens.
Why This Matters Beyond Real Estate
Although the case arose in the context of rental applications, the implications are much broader.
Many businesses routinely ask customers to provide information that may be useful, interesting or commercially valuable.
Examples include:
- Date of birth.
- Demographic information.
- Employment details.
- Location information.
- Marketing preferences.
- Additional profile information.
- Social media information.
The Commissioner appears to be signalling that businesses should carefully consider whether each piece of information is genuinely necessary rather than merely desirable.
What Should Businesses Review?
Businesses should consider reviewing:
- Website enquiry forms.
- Customer account registration processes.
- App onboarding workflows.
- Membership applications.
- Newsletter subscription forms.
- Marketing consent mechanisms.
- Online checkout processes.
- Customer profile creation systems.
- Loyalty programs.
- Digital onboarding procedures.
The key question is whether each item of personal information being collected can be justified as reasonably necessary for the relevant business activity.
A Growing Focus on Digital Design
One of the most interesting aspects of the decision is that it reflects a broader regulatory trend.
Privacy regulators, consumer regulators and online safety regulators are increasingly looking beyond legal documents and disclosures and examining the actual design of digital products.
In other words, regulators are becoming interested in how websites and apps influence user behaviour.
This means that privacy compliance is no longer simply a matter of having a privacy policy or obtaining consent. Increasingly, businesses may need to demonstrate that their online systems have been designed fairly and transparently from the outset.
Practical Takeaways
Businesses should not assume that consent alone will solve privacy concerns.
Instead, organisations should consider:
- Whether the information being collected is genuinely necessary.
- Whether forms and applications can be simplified.
- Whether users are being pressured into providing information.
- Whether consent requests are appropriately separated and explained.
- Whether website and app design could be perceived as manipulative.
- Whether privacy impact assessments should be undertaken for new projects.
The decision is currently subject to appeal. However, it provides an important indication of the direction in which privacy regulation appears to be heading.
Businesses that begin reviewing their information collection practices now are likely to be better positioned if the Commissioner’s approach is ultimately upheld.
Would Your Website Pass?
Imagine the Privacy Commissioner is sitting beside one of your customers while they use your website.
Would they see:
- Clear choices?
- Transparent explanations?
- Easy opt-outs?
- Simple privacy settings?
Or would they see:
- Pre-ticked boxes?
- Guilt-inducing wording?
- “Are you sure you want to miss out?” messages?
- Hidden unsubscribe options?
- Forms asking for information that is not really needed?
If the second list sounds familiar, your website may need a privacy tune-up.
Need Advice?
If your business collects personal information through a website, app, online marketplace, membership platform or customer portal, it may be time to review whether your information collection practices align with current privacy expectations.
Obtaining legal advice early can help reduce risk and identify potential issues before they attract regulatory attention.
Further Reading
Commissioner Initiated Investigation into IRE Pty Ltd (Privacy) AICmr 24 – OAIC Commissioner‑initiated investigation into the IRE rental platform, focusing on excessive collection and “fair means” of collection under APP 3 (including discussion of online choice architecture/dark patterns). Full decision (PDF):
https://www.oaic.gov.au/__data/assets/pdf_file/0022/263254/IRE-Pty-Ltd-Privacy-2026-AICmr-24.pdf
Privacy Act 1988 (Cth) – the primary legislation governing privacy and personal information handling in Australia, including the Australian Privacy Principles (APPs):
https://www.legislation.gov.au/id/C2004A03712
Office of the Australian Information Commissioner (OAIC) – the privacy regulator’s website, including investigation reports, determinations and guidance on compliance with the Privacy Act and APPs:
Investigation reports overview:
https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports
OAIC homepage:
https://www.oaic.gov.au/
Australian Privacy Principles (APPs) – set out in Schedule 1 to the Privacy Act and summarised in OAIC guidance (APP guidelines and resources):
APP overview and resources:
https://www.oaic.gov.au/privacy/the-privacy-act/australian-privacy-principles
Privacy and Other Legislation Amendment Act 2024 (Cth) – the 2024 amending Act that implements a first tranche of reforms arising from the Privacy Act Review, including increased penalties and expanded OAIC powers (and relevant to the enforcement context around IRE):
Government summary and links to the Amendment Act:
https://www.ag.gov.au/rights-and-protections/publications/government-response-privacy-act-review-report
Privacy Act Review Report – Attorney‑General’s Department report outlining the broader package of proposed reforms (including the “fair and reasonable” test that the IRE decision anticipates):
https://www.ag.gov.au/rights-and-protections/publications/privacy-act-review-report
Please note the above article is general in nature and does not constitute legal advice.
Please email us at info@iplegal.com.au if you need legal advice about your brand or another legal matter in this area generally.

