30/04/2026
The Office of the Australian Information Commissioner (OAIC) has issued a landmark determination against a major rental technology (RentTech) platform, sending a clear message that is it is not acceptable to collect as much information as possible without a clear reason for doing so.
OAIC found that the “2Apply” platform, a popular tool used by property managers to collect information about rental applicants, collected excessive personal information and did so by unfairmeans. This decision has reiterated that organisations must have a clear use for the personal information they collect and clarified what constitutes the collection of personal information by ‘unfair means’.
What the Privacy Commissioner found (and why it matters)
The OAIC concluded that 2Apply contravened Australian Privacy Principle (APP) 3.2 by collecting personal information that was ‘not reasonably necessary’ for its functions or activities, and APP 3.5 by collecting personal information by ‘unfair means’.
Regarding the collection of information ‘not reasonably necessary’ for its functions or activities, the Commissioner noted certain categories of renter information including gender, student status, citizenship status, visa expiry, and elements of previous living history were not relevant to assessing a renter’s application or managing their tenancy and required that 2Apply stop collecting this information.
The Commissioner also emphasised that over-collection increases exposure if information is compromised in a data breach or cyber incident—an especially acute concern given the volume of sensitive material involved in rental applications.
Regarding the collection by unfair means, the Commissioner noted the circumstances of limited choice and a pronounced power imbalance between renters and the real estate sector. The Commissioner highlighted that renters often face a stark trade-off: hand over highly personal documents or risk housing security.
While the determination applies directly to the 2 Apply platform, the Commissioner explicitly urged other RentTech platforms to align their practices with the findings.
A first for OAIC: analysis of dark patterns in platform design
Dark patterns are manipulative techniques used in user interface design for websites or webforms that use deliberate techniques to pressure users towards a desired outcome for the web designer. The Commissioner indicated in their determination that the use of dark patterns may mean that a collection of personal information is not by a fair means and could violate APP 3.5.
The determination observed and commented on the following dark patterns used by 2Apply:
‘Confirmshaming’
The use of emotive language designed to guilt users into providing personal information. For example, when applying for a rental, users are prompted that providing additional information may ‘help speed up your application process’ and conversely, not providing the information may ‘affect whether you are considered as a suitable tenant for the property’.
Biased framing
Presenting options in a way that emphasises supposed benefits/downsides without being inherently inaccurate. This can be seen with the same example as above, as while those two framings are not inaccurate, they do not present the individual with a complete picture.
Bundled consent
Seeking consent for multiple uses of personal information in a single request. The Commissioner noted that 2Apply requires individuals to consent to the collection of their personal information for the purpose of their application, and for direct marketing in a single click. The fact that individuals can later opt out of the direct marketing is insufficient.
What should organisations do now? A practical checklist
If you operate a RentTech product or use a form to collects personal information from individuals, this determination should prompt you to:
- Map your collection: identify every data field collected, where it flows, and who accesses it.
- Apply strict necessity tests: remove or justify each field against the platform’s purpose (e.g. processing/managing applications), not convenience or “nice-to-have” screening.
- Consider the user interface: eliminate ‘confirmshaming’ language, biased framing, and bundled consent structures that pressure disclosure.
- Minimise sensitive documents: review what identity, employment and income evidence is requested and whether less intrusive alternatives exist.
- Prepare for incidents: over-collection increases breach exposure; ensure breach response, retention/deletion, and access controls match the sensitivity of data held.
GL’s Privacy team are experts in all matters privacy and can help you in preparing your business against any privacy risks.