
IP Whiteboard

Dark patterns in focus: Privacy Commissioner finds rental tech collection was not fair or reasonably necessary

22 May 2026

The Australian Privacy Commissioner has recently handed down an important determination in Commissioner Initiated Investigation into IRE Pty Ltd (Privacy) [2026] AICmr 24 (the Determination). The Determination reflects a notably strict interpretation of the requirement to only collect personal information that is ‘reasonably necessary’, and is also the first time the OAIC has formally considered ‘Online Choice Architecture’ (a.k.a. ‘dark patterns’) in the context of the Australian Privacy Act.

While this particular decision arose in the rental technology sector, the reasoning has broad implications for any organisation collecting personal information at scale, including streaming platforms, social media companies, and other digital services. The Determination has been appealed and so the position may still develop further.

Below, we’ve summarised the key aspects of the decision and flagged particularly significant points for digital economy businesses.

The decision at a glance

IRE Pty Ltd (trading as InspectRealEstate) (IRE) operates 2Apply, a platform used by real estate agents across Australia to process rental tenancy applications. As at March 2025, over 8.5 million applications had been processed through the platform.

In March 2025, the Privacy Commissioner commenced a ‘Commissioner Initiated Investigation’ into IRE’s practices under the Privacy Act 1988 (Cth) (Privacy Act). The rental technology sector had previously been identified by the Commissioner as a regulatory priority in light of the significant power imbalance in the rental market and Australia’s ongoing housing crisis. The investigation concerned compliance with Australian Privacy Principle (APP) 3, specifically: whether IRE’s collection of personal information was reasonably necessary for its functions or activities (APP 3.2), and whether that collection was by fair means (APP 3.5). The Commissioner found that IRE contravened both requirements:

  • APP 3.2 (reasonably necessary).  IRE collected personal information that was not reasonably necessary for its functions or activities, including gender, dependants’ names and ages, student status, bankruptcy status, retirement status, previous living history, and citizenship status and visa expiry. The Commissioner further found that IRE could have achieved its purposes by collecting less information in relation to identification documents, proof of income, and employment details.
  • APP 3.5 (fair means).  IRE did not collect personal information by fair means. This finding rested on a cumulative assessment of the power imbalance in the rental market, limited user choice, excessive collection, and the use of harmful ‘Online Choice Architecture’.

The Commissioner declared that IRE must cease collecting the offending categories of personal information within 60 days, engage an independent reviewer to audit the 2Apply platform (including its Online Choice Architecture), and report to the OAIC on remedial steps taken. IRE has applied to the Administrative Review Tribunal for the Determination to be reviewed.

What is Online Choice Architecture?

The Online Choice Architecture of the 2Apply platform formed a key part of the Commissioner’s analysis in the Determination (although the Commissioner also stressed that it is ‘but one of the many factors’ considered). According to the Commissioner, ‘Online Choice Architecture’, sometimes referred to as ‘dark patterns’, refers to the way information is presented and choices are structured. In some cases, design features built into digital interfaces can be structured in a way that is harmful to individuals, steering users towards decisions they would not otherwise make, such as sharing more personal information than intended, accepting unfavourable terms, or purchasing unwanted services. In particular, the Commissioner identified several specific techniques as relevant in the Determination: ‘confirmshaming’ (using emotive or guilt-inducing language to discourage users from taking a particular action), biased framing (presenting choices in a way that emphasises benefits to the entity while downplaying risks to the user), and bundled consent (requiring users to agree to multiple purposes in a single action).

Online Choice Architecture is not a new phenomenon and has been the subject of regulatory attention in the consumer law space for some time. The ACCC has pursued misleading and deceptive conduct proceedings in relation to manipulative interface design (Trivago NV v ACCC [2020] FCAFC 185; ACCC v Google LLC (No 2) [2021] FCA 367) and has listed ‘manipulative and false practices in digital markets’ as an enforcement priority for 2026–2027. However, the IRE determination is the first occasion on which Online Choice Architecture has been formally considered in the context of the Australian Privacy Principles. That said, the Commissioner has previously endorsed ‘sweeps’ conducted by the Global Privacy Enforcement Network (GPEN) looking for similar dark patterns used by online service providers (eg see here).

The Commissioner’s Analysis

‘Reasonably necessary’? (APP 3.2)

The Commissioner approached APP 3.2 by considering three questions:

(a)  Does the respondent collect personal information? The Commissioner rejected IRE’s argument that it was collecting information merely as an intermediary on behalf of real estate agents, finding instead that IRE had operational involvement in formulating the questions put to applicants and collected personal information in its own right.

(b)  What are the respondent’s functions or activities? The Commissioner identified IRE’s primary purpose of collection as ‘facilitating the processing of complete tenancy applications’. The Commissioner rejected IRE’s submission that its purpose should be framed more broadly (such as ‘to provide a service’), holding that this interpretation was overly broad and would undermine the objectives of the APPs.

(c)  Was the collection reasonably necessary? The Commissioner emphasised that ‘reasonably necessary’ imposes a meaningful threshold and that, consistent with case law on the meaning of ‘necessary’ under Australian law, it is not sufficient that the collection is ‘merely helpful, desirable, or convenient’. The test requires an objective assessment of whether a reasonable person, properly informed, would agree the collection is necessary for the identified function or activity. In this context, that required consideration of whether the information was reasonably necessary for establishing the individual’s identity, their ability to pay rent, or the likelihood they would appropriately maintain the property. The Commissioner found that several data fields (including gender, dependants’ names and ages, student status, bankruptcy status, retirement status, previous living history, and citizenship status and visa expiry) were not reasonably necessary to assess any of those three criteria, rendering collection of that information a breach of APP 3.2.

Collection by ‘fair means’? (APP 3.5)

APP 3.5 requires that personal information be collected only by lawful and fair means. The Determination makes the point that whereas APP 3.2 is concerned with what is collected, APP 3.5 is concerned with how it is collected. The Privacy Act does not define ‘fair’. Guidance from the Commissioner available at the time states that a fair means of collection ‘is one that does not involve intimidation or deception and is not unreasonably intrusive’. In the Determination, the Commissioner stated that these examples do not represent a closed list, and that fairness must be assessed on the facts of each case, in context, and by reference to changing circumstances and community values. On the facts of this case, the Commissioner’s assessment turned on two considerations:

(a)  The broader circumstances of collection. The Commissioner identified several contextual factors weighing against a finding of fairness, including the significant power imbalance in the rental market, the national rental crisis, limited user choice regarding which rental platform to use, the practice of excessive collection, and the associated security risks.

(b)  The specific means of collection. The Commissioner considered the design and structure of the 2Apply form itself (i.e. its Online Choice Architecture) and identified three practices that contributed to unfair collection:

  1. Confirmshaming: The form warned applicants that failing to provide all requested information ‘may affect whether you are considered as a suitable tenant for the property.’ The Commissioner found this pressured individuals into disclosing more personal information than they otherwise would have.
  2. Biased framing: The form stated that providing information would ‘help speed up your application process’. The Commissioner found this framed additional data disclosure as beneficial to the applicant while failing to mention potential downsides, including privacy and security risks.
  3. Bundled consent: Applicants were required to agree to the use of their personal information for direct marketing in order to submit an application. There was no mechanism to opt out at the point of collection. The Commissioner observed this left applicants with a binary choice: accept the marketing use of their data, or do not apply for the property. Given the essential nature of housing, the Commissioner found that this may deprive the individual of any meaningful choice.

The Commissioner acknowledged that the statements on the form were ‘not necessarily untrue or misleading’. The finding of unfairness was not based on deception or inaccuracy, but on the cumulative impact of the broader context and the specific design choices on individuals who were in a vulnerable position and had limited practical alternatives.

Other types of concerning conduct identified in previous GPEN sweeps have included: use of complex and confusing language, nagging (repeated requests to take a particular action), obstruction (making it more difficult to make privacy choices like updating privacy controls or deleting an account), and forced action (like requiring more information to delete an account than to open an account).

Interestingly, in the recently released exposure draft of the Children’s Online Privacy Code (see Mallesons coverage here), the Commissioner has included an express provision that a privacy consent will not be valid if it is obtained by ‘manipulative, deceptive or misleading practices’. The reference to ‘manipulative’ in this context is clearly intended to capture the types of dark patterns discussed above, and potentially other similar practices, to the extent that they may override or interfere with a user making a free choice about their privacy.

Implications and next steps

This decision has implications beyond the real estate sector – and many of the findings in relation to whether information is ‘reasonably necessary’ to collect, or is collected by ‘fair’ means, will have broad application. While the Commissioner’s approach will be scrutinised by the Administrative Review Tribunal, which may take a divergent approach, we think the key areas of interest to watch are:

(a)  Manipulation vs deception. The Determination suggests interface design choices can contribute to ‘unfair’ collection, even where the statements are not untrue or misleading. What matters is the cumulative effect of those choices on users, particularly where those users have limited practical alternatives.

(b)  Online Choice Architecture as a privacy issue. The Determination puts this issue in the spotlight for privacy enforcement action. Consent flows, sign-up screens, default settings and other design elements could all be relevant to the assessment of whether personal information is collected by fair means.

(c)  User vulnerability and dependence are relevant factors. The Commissioner placed significant weight on the power imbalance and limited user choice in the rental market. This suggests that more robust practices may be supported in competitive markets, where users have practical alternatives to a particular platform or service and so may not feel compelled to deal with any particular service provider, while a more conservative approach may be needed in markets where there are few practical alternatives, whether because of network effects, market concentration or the essential nature of what is being offered.

(d)  The OAIC is looking to international regulatory practice:  The UK ICO/CMA joint position paper Harmful design in digital markets (available here) is cited several times in the Determination and is the inspiration behind the Commissioner’s adoption of the term ‘Online Choice Architecture’. UK regulatory developments in this area will be relevant, as these may further inform the Commissioner’s approach in Australia.

The OAIC has also updated its guidance on APP 3 to incorporate the findings in the Determination: see our earlier post here for more information on that.

Featured image by Public Co from Pixabay.
