OAIC finds RentTech platform 2Apply interfered with individuals’ privacy and collected unnecessary personal information

This determination has implications beyond the real estate sector:

• While interpretations will differ as to what collection of personal information is ‘reasonably necessary’ for one or more of an APP entity’s ‘functions and activities’, organisations should avoid adopting an overly expansive view that risks undermining the objectives of the APPs;
• the novel application of online choice architecture principles (which are principles informing how digital environments are designed to influence user decision-making) to the Privacy Act 1988 (Cth) highlights the need to ensure data collection practices (including user interface and experience) provide meaningful choice and support individuals in providing informed consent;
• organisations should not solely rely on third party digital platforms to meet privacy obligations, particularly where such platforms collect personal information based on instructions or preferences of the organisations; and
• the findings reinforce the Commissioner’s readiness to pursue investigations aligned with its stated priorities over 2025-26, including addressing power imbalances, and rights preservation in new and emerging technologies.^[1]

RentTech platforms have become the primary channel through which prospective tenants submit rental applications. 2Apply is one of the most widely used platforms in Australia, having processed more than 8.5 million tenancy applications since its launch in 2020. 

The determination concerns personal information collected via 2Apply between March 2020 and 18 March 2025. In broad terms:

• 2Apply collected personal information through its default application form on its website, which sought extensive personal information from applicants;
• real estate agencies could customise the form (without adding new fields) and were notified upon submission of an application. Agencies could then access, download and store application information (including in their own CRM systems);
• applicant information was retained for different periods depending on application outcomes (noting 2Apply’s information retention periods were not the subject of the determination). 

Findings in relation to APP 3.2

APP 3.2 prohibits an APP entity from collecting personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the entity’s functions or activities. 

The Commissioner applied a two-step analysis, involving: (1) identifying 2Apply’s functions or activities; and (2) determining whether the particular collection of personal information was reasonably necessary for one of those functions or activities. The Commissioner found:

• while 2Apply characterised its functions broadly as providing a suite of products and services for the rental property management industry, its functions, having regard to its publications and submissions, were more properly limited to: (1) facilitating the processing of complete tenancy applications; (2) facilitating the administration and management of successful tenancy applications; and (3) improving service offerings and fields on the 2Apply form;^[2]
• where the precise purposes of collecting personal information are unclear (eg to provide a product or service), an APP entity’s primary purposes for collection should be construed narrowly, in favour of protecting individual privacy;^[3] and
• what is ‘reasonably necessary’ is context-specific and can be informed by current standards and practices (including, in this case, state and territory-based tenancy legislation and guidelines). Here, collecting personal information was required for facilitating the processing of complete tenancy applications, where the personal information established: (1) the individual’s identity and contact details; (2) the individual’s ability to pay the rent; or (3) whether the individual is likely to appropriately maintain the property. 

On that basis, the Commissioner determined that 2Apply collected information beyond what was ‘reasonably necessary’ for one or more of its functions or activities. In many cases the information collected did not establish an individual’s ability to pay rent or likely capacity to appropriately maintain the property. In particular, 2Apply could perform its functions or activities:^[4]

• without collecting information such as gender, dependant details, student status, bankruptcy status, retirement status, previous living history details, current ownership of principal place of residence or investment property, current applications for other properties, bond and rent assistance application status, citizenship status and visa expiry; and
• collecting a lesser amount of details with regards to emergency contacts, vehicle details, identification documents and particular details, proof of income documents, and employment details. 

Findings in relation to APP 3.5

APP 3.5 requires an APP entity to collect personal information only by lawful and fair means. The Commissioner noted:

• APP 3.5 could be breached where collection was unlawful or unfair; and
• as ‘fair’ is not defined in the Privacy Act1988 (Cth), it is necessary to ‘undertake an open-textured, evaluative assessment… including by considering the circumstances of collection.’^[5]

The Commissioner then considered that the collection of information occurred within the context of:^[6]

• an inherent and significant power imbalance in the rental property market favouring real estate agents, property managers and landlords;
• a rental crisis;
• limited choices for rental platforms in applying for properties;
• excessive collection of personal information (see findings relating to APP 3.2 above);
• security risks of information collected in the real estate sector; and
• ‘online choice architecture’ practices. 

In a novel application of ‘online choice architecture’ in determining fairness, the Commissioner examined how the design and structure of the 2Apply form may have shaped applicant decision making and behaviour. Three ‘dark pattern’ techniques deployed by 2Apply were identified as undermining rental applicants’ choice and control over their personal information:^[7]

1. ‘Confirmshaming’: where the form used emotive language to shame users for not taking actions beneficial to the information-collecting entity, using language like ‘You will be able to submit your application without supporting information, but this may affect whether you are considered as a suitable tenant for the property’;
2. Biased Framing: where the form suggested that providing data would ‘help speed up your application process’ without disclosing the privacy risks of doing so; and
3. Bundled Consent: which required the rental applicants to also consent to the use of their personal information for direct marketing purposes in order to submit their application, with no opt-out at the point of collection.

The Commissioner found that these techniques unfairly pressured individuals into making choices misaligned with their actual preferences. When viewed collectively with other contextual ‘fairness’ factors, this resulted in a contravention of APP 3.5. 

[1] ‘OAIC Regulatory Priorities’, Office of the Australian Information Commissioner (Web page, 29 July 2025).

[2] Commissioner Initiated Investigation into IRE Pty Ltd (Privacy) [2026] AICMr 24, [60] (‘IRE Determination’).

[3] IRE Determination, [70].

[4] IRE Determination, [94] - [95]. 

[5] IRE Determination, [107]. 

[6] IRE Determination, [110]. 

[7] IRE Determination, [113] - [117].