ACAPS 2026: What Australians are saying about privacy and what your organisation needs to know

In May 2026, the Office of the Australian Information Commissioner (OAIC) released the latest Australian Community Attitudes to Privacy Survey (ACAPS 2026). Conducted every three years, ACAPS is one of the more influential pieces of research in the Australian privacy landscape.

In this post, we cover the key findings of this year’s survey and how those findings sit within the broader regulatory picture, including the OAIC’s growing emphasis on fair and proportionate personal information handling.

Key Takeaways

• Australians place a high value on privacy – 93% of respondents said that the protection of their personal information is important and 87% were more concerned than five years ago, yet 78% felt they have very little or no real control over how it is collected and used.
• Unfair or unreasonable practices – Around 9 in 10 Australians view practices such as selling or trading personal information (96%), targeting children (96%) or other vulnerable people (95%), and using personal information to train AI models (93%) as unfair or unreasonable.
• Trust varies sharply by sector – Trust is highest for health providers (74%) and government (68%), and lowest for social media (3%), data brokers (4%) and AI companies (4%).
• Safeguards for AI use – Australians expect safeguards to be in place for AI use, including a right to human review of AI-driven decisions (81%), being informed when AI is used (79%), and clear explanations of how AI-enabled decisions are made (63%).
• Support for stronger regulation remains high – 93% supported a legal right to erasure of personal information, alongside strong support for extending the Privacy Act to currently exempt sectors.

1. Background and Methodology

ACAPS is a long-running study that the OAIC commissions to measure Australians’ awareness, attitudes and behaviours in relation to privacy, including how those attitudes change over time. ACAPS 2026 is the seventh survey of the series (the first survey was conducted in 1990), with the most recent surveys being conducted in 2020 and 2023.

ACAPS 2026 places an emphasis on issues that have moved to the centre of the privacy debate since 2023: the fairness of data practices, data minimisation, and emerging privacy issues in relation to artificial intelligence (AI) and biometric technologies.

ACAPS findings are often used to justify and influence law reform. The OAIC has drawn on prior ACAPS in its own submissions to law reform processes (including the Privacy Act Review) to support reforms such as expanded individual rights and the removal of long-standing exemptions to the Privacy Act (e.g. the small business exemption). When the OAIC argues that the community expects a particular reform, ACAPS is often the evidence base it points to.

ACAPS 2026 surveyed a nationally representative sample of 1,504 Australians aged 18 and over. Data was collected via an online research panel and weighted to be representative of the adult population. Some question wording can change between ACAPS editions, so some year-on-year comparisons should be read with care.

2. Key Findings

Privacy matters more than ever

ACAPS 2026 found that the Australian community places a very high value on privacy: 93% of respondents said that the protection of their personal information is important to them, and 87% said they were more concerned than they were five years ago.

Source: ACAPS 2026 Infographic

However, despite that concern, Australians feel as though they have limited real control over their privacy:

• 78% of respondents reported that they had very little or no real control over how their information is collected and used
• 68% said that consenting to data use rarely or never feels like a genuine choice, and
• 65% said that sharing personal information rarely or never feels like a genuine choice.

Reflecting this, 52% of respondents said they accept personal information sharing practices, as not doing so would mean missing out on essential online services, and 69% said they always or often agree to an organisation’s data handling practices without reading the relevant privacy policy.

This gap between what people expect and what they can do in practice is a common finding across ACAPS. It demonstrates the limitations of a ‘self-management’ model of privacy regulation, in which individuals struggle to exercise control over their data across the countless entities that handle our data in the modern world, and which use vast and complex data handling practices or take-it-or-leave-it terms.[1]

Accountability and a widening trust gap across different sectors

Australians overwhelmingly expect organisations to carry the burden of privacy protection: 98% say organisations should be responsible for protecting personal information even where no immediate harm occurs and 91% hold the organisation responsible where a breach occurs.

The survey also highlights the potential for privacy to be used by organisations as a strategic differentiator. 68% of Australians said that they would be more likely to use a digital service if they believed their data was handled fairly and responsibly.

Trust is highly uneven across sectors. It remains highest for health service providers (74%) and government agencies (68%), followed by financial institutions (59%), but has fallen across insurance, telecommunications, technology, retail and real estate since 2023.

Trust is lowest by a wide margin in the data-driven sectors: social media companies (3%, down from 14% in 2023), data brokers (4%) and AI companies (4%).

Source: ACAPS 2026, page 29.

A sharp focus on fairness

Only 10% of respondents said that organisations’ real-world data practices are ‘usually fair’, while 35% say they are ‘mostly or always unfair.’

Unfairness was felt most strongly where there is a lack of transparency about how information will be used or shared (81%), stored (76%), where data collections are excessive or disproportionate (70%), and where people cannot refuse or limit a practice (66%).

Respondents also drew firm ‘red lines’ around the following practices, with many Australians considering them to be unfair or unreasonable:

• selling or trading personal information (96%, up from 87% in 2023);
• tracking, profiling and targeted advertising directed at children (96%) or other vulnerable individuals (95%);
• location tracking where not required for a location-based service (94%, up from 87% in 2023);
• using personal information to train AI models and products, such as generative AI chatbots (93%);
• data scraping from online platforms (e.g. collecting photos of people from social media platforms without their knowledge) (92%, up from 81% in 2023); and
• targeted advertising based on sensitive information (91%).

The survey also found that views around excessive data collection varied strongly by the sensitivity of the information. For example, the collection of the following types of information was considered to be excessive or unjustified in most situations: sexual orientation (72%), biometric information (71%), behavioural or psychological data (68%), and detailed online tracking (65%).

AI and biometrics

Survey respondents had a strong expectation that organisations should implement clear safeguards for their use of AI, including:

• A right to human review of AI-driven decisions (81%)
• Personal information not being retained by third-party AI providers beyond what is necessary (80%)
• Being informed when AI is being used by an organisation (79%)
• Providing clear explanations of how AI-enabled decisions are made (63%)
• Validation of AI accuracy (70%, up from 56%), and
• Testing for bias and discrimination (68%, up from 57%).

Acceptance of AI varied by use case. Fraud detection was relatively accepted (64% considering that to be very or somewhat acceptable), facial recognition and customer-service chatbots were mixed (37% each), and automated eligibility or risk decisions such as loan approvals were not broadly accepted (25%).

Comfort with biometrics was similarly context dependent. Respondents were more comfortable with one-to-one verification uses (e.g. passport control, 65%, or unlocking a personal device, 61%) and with one-to-many biometrics use by police for public safety (57%), but more uncomfortable with commercial and marketing uses, such as retail stores recognising customers to recommend products (11%). Trust to handle biometric data was far higher for border security (70%) and police (66%) than for businesses (13%, down from 24% in 2023).

Rights, redress and strong support for reform

40% of respondents said that they do not really know what data organisations hold about them or how to access it, and only 11% felt they can easily access their data and request corrections or deletion.

Even when concerns arise, action is rare: 64% had a privacy concern in the past year, but 52% did not raise it, most often because they thought it would not make a difference (56%), it would be too hard or time-consuming (51%), or they did not know how (40%). Among those who did complain, only 9% had the issue resolved to their satisfaction.

The 2026 ACAPS again found that support for law reform and the introduction of stronger privacy protections was high, including:

• 93% supporting a legal right to erasure of personal information
• strong support for removing key Privacy Act exemptions, including employee records (89%), political parties (88%), media organisations (84%), and small businesses (80%).
• 91% supporting a right to know when personal information is used in automated decision-making if it could affect the individual (e.g. when information about racial origin is used to determine what information seen in a social media feed).

3. How ACAPS fits into the wider regulatory picture

The 2026 ACAPS echoes some key themes that the OAIC has been pursuing both in recent determinations and regulatory guidance.

Fairness and proportionality

The strong emphasis on fairness in the 2026 ACAPS reinforces how the OAIC has recently been interpreting and applying the Australian Privacy Principles (APPs). The OAIC is increasingly emphasising concepts of proportionality and fairness, particularly in relation to the collection of personal information under APP 3.

This is most evident in the OAIC’s updated guidance on APP 3, which prompts entities to consider the proportionality of their personal information collections as an implicit requirement of APP 3. The revised APP 3 guidance also expands on the concept of a ‘fair means’ of collection, including with reference to online choice architecture, the potential risk of harm to the individual concerned, and the position of vulnerable individuals (we have written separately on the OAIC’s updated APP 3 guidance here).

The OAIC’s recent determinations also signal an expansive reading of APP 3 that imports concepts of proportionality and fairness. The initial Bunnings determination stated that several factors were relevant to determining whether the use of facial recognition technology is reasonably necessary for the purposes of APP 3.3, including whether the collection is proportionate (i.e. balancing the privacy impacts of the collection of sensitive information against the benefits of the use of the FRT system). On appeal, the Administrative Review Tribunal overturned the APP 3.3 finding on the basis that the collection was a reasonable response to safety risks, while upholding that Bunnings had breached its transparency and notification obligations. Additionally, in Commissioner-initiated investigation into IRE Pty Ltd [2026] AICmr 24, the Privacy Commissioner formally considered how unfair online choice architectures and design choices can pressure individuals into over-disclosing personal information.

Data-driven sectors and high-risk practices are squarely in focus

The 2026 ACAPS may signal continued regulatory scrutiny of sectors found to have the lowest levels of community trust (including data brokers and rental and real estate technology platforms), as well as practices considered to be unfair by respondents (e.g. the sale of personal information and certain forms of online tracking and targeted advertising).

In addition to the findings of the 2026 ACAPS, some of these sectors and technologies were identified in the OAIC’s statement of regulatory priorities in July 2025. The 2026 ACAPS provides a further evidence base for the OAIC in targeting areas of greatest privacy impact and concern to the public in its enforcement action.

AI transparency and the reform agenda

Community expectations around transparency of AI usage is likely to inform the implementation of the forthcoming automated decision-making (ADM) transparency obligation, which will require regulated entities to provide details regarding their use of ADM in their privacy policies from December 2026. The OAIC has recently commenced a consultation process to inform the development of guidance that will support the commencement of these new obligations.

The high support for erasure rights, coverage of exempt sectors and new individual rights also lends continued support to the case for progressing the outstanding Privacy Act Review reforms.

Conclusion

ACAPS 2026 confirms that Australians care deeply about privacy and have clear ideas of when personal information handling is fair.

For regulated entities, the message is consistent with what we are already seeing in the OAIC’s guidance and determinations: collect only the minimum amount of data needed, constrain secondary uses, and be ready to justify why all data elements that you hold are needed.

---

[1] See further, Daniel Solove, ‘The Myth of the Privacy Paradox’ (2021) 89(1) George Washington Law Review 1.