Privacy Commissioner Warns RentTech Platforms on Personal Data Overreach

Digital platforms now shape many parts of daily life, including the rental housing market. Prospective tenants often rely on online applications to secure a property. These systems promise convenience and efficiency. However, they also collect large amounts of personal information.

A recent determination by Australia’s Privacy Commissioner highlights the risks when these systems gather more data than necessary. The ruling found that the rental application platform 2Apply, operated by InspectRealEstate (IRE), collected excessive personal information and used unfair methods during the process.

The decision followed a year-long investigation conducted by the Office of the Australian Information Commissioner (OAIC). The findings highlight why organisations must adopt responsible data practices and why independent oversight, including support from a certified cyber security consultant in Australia, is essential when handling sensitive information.

For businesses operating digital platforms, the message is clear. Collect only what you need. Be transparent about how data is used. And protect every piece of information entrusted to your systems.

The Investigation and Its Outcome

The OAIC investigation examined how the 2Apply platform gathered information from people applying for rental properties. The Commissioner concluded that the platform collected personal information that was not reasonably necessary for its operations.

The determination found that applicants were required to provide details such as:

• Gender
• Student status
• Citizenship status
• Visa expiry dates
• Extensive rental history

Under the final decision, the platform must stop collecting these details as part of the rental application process.

InspectRealEstate agreed to revise its information collection practices. The agreement occurred on a without-admissions basis, meaning the organisation committed to changes without formally accepting wrongdoing.

Still, the ruling sends a strong signal across the rental technology sector.

Digital systems cannot gather personal data simply because it is technically possible. Organisations must justify why they collect each piece of information and show that it is necessary for their services.

From a security perspective, limiting data collection also reduces exposure during breaches. This is one reason many companies consult a certified cybersecurity consultant in Australia to assess privacy risks and ensure compliance with data protection frameworks.

The Power Imbalance in the Rental Market

The Commissioner’s determination also highlighted a deeper issue within the rental market. Australia currently faces housing pressure in many cities. Limited supply and rising costs create a strong imbalance between renters and property providers.

In this environment, applicants often feel they have little choice but to provide any information requested.

Privacy Commissioner Carly Kind explained the situation clearly. Renters must often choose between handing over sensitive personal information or risking the loss of housing opportunities.

That pressure raises two serious concerns.

First, the data may influence rental decisions in ways that are not fair or transparent.

Second, the information itself may become exposed during a data breach or cyber incident.

Personal documents such as identification, financial records, and employment details carry high value for cybercriminals. If platforms fail to secure them, the impact on individuals can be severe.

This is where organisations often rely on structured cyber governance, regular risk assessments, and support from a cyber incident response team to detect and manage threats quickly.

Violations of Australian Privacy Principles

The OAIC determination identified two key breaches of the Australian Privacy Principles (APPs).

• APP 3.2 – Collection of Unnecessary Personal Information

APP 3.2 requires organisations to collect personal information only when it is reasonably necessary for their functions or activities.

The investigation found that the 2Apply platform collected details that were not required for evaluating rental applications. This excessive collection violated the principle.

• APP 3.5 – Unfair Collection Practices

APP 3.5 focuses on how organisations collect information.

The Commissioner concluded that the platform gathered personal data through unfair means. Applicants faced limited options during the application process, and the structure of the system pressured them into sharing additional information.

Together, these findings show how design decisions in digital platforms can create privacy risks even when the intent is operational efficiency.

Strong governance, supported by a certified cybersecurity consultant in Australia, can help organisations identify these risks early and adjust their systems before regulators intervene.

The Role of Online Choice Architecture

One of the most notable aspects of the decision is the OAIC’s use of online choice architecture as part of its analysis.

Choice architecture refers to how digital platforms present options to users and how that presentation influences behaviour.

The investigation found that the 2Apply system used several techniques that nudged applicants toward sharing more information. These techniques included:

• Confirmshaming

Confirmshaming uses emotionally charged language that makes users feel guilty for declining a request. When users try to opt out of providing information, the wording implies that refusing may harm their chances of success.

• Biased Framing

Biased framing highlights the benefits of sharing information while downplaying the risks. This approach can steer users toward choices they might not otherwise make.

• Bundled Consent

Bundled consent combines multiple permissions into a single approval request. Users must agree to several unrelated uses of their data at once, making it difficult to provide informed consent.

These design choices may seem subtle. However, they can strongly influence user behaviour and limit genuine choice.

For organisations handling personal data, reviewing digital interfaces from both a privacy and security perspective is now critical. This process often involves collaboration between privacy specialists, developers, and a cyber incident response team that understands how user data flows through systems.

Implications for the RentTech Industry

Although the determination directly applies to InspectRealEstate, its implications extend across the entire rental technology industry.

The Privacy Commissioner made it clear that other RentTech providers should review their data collection practices to ensure they align with the findings.

To support this effort, the OAIC has shared the determination with real estate peak bodies. These organisations will help agents, landlords, and property managers understand how the ruling affects their own processes.

For platform providers, this means reviewing several areas:

• The amount of personal information collected
• How application forms are structured
• How consent requests are presented
• How long personal data is stored
• How data is protected against breaches

Many organisations now conduct independent cyber security audits and privacy reviews to address these issues. In sectors that manage highly sensitive information, assessments may also involve specialists such as HIPAA cybersecurity auditors, particularly when systems intersect with health or identity data.

These audits help confirm that data protection practices meet regulatory expectations and industry standards.

Why Responsible Data Practices Matter

Digital platforms have become essential tools across industries. Yet every platform that collects personal data carries responsibility.

Collecting unnecessary information creates three major risks:

• Privacy harm for individuals if data is misused or exposed
• Regulatory penalties for organisations that breach privacy laws
• Operational risk if systems become targets for cyber attacks

Reducing data collection lowers all three risks.

A structured privacy program – guided by a certified cyber security consultant in Australia, supported by a cyber incident response team, and reviewed through independent audits such as those performed by HIPAA cyber security auditors – helps organisations manage these responsibilities effectively.

For digital service providers, privacy is no longer a secondary consideration. It is a core element of trust. And in today’s data-driven economy, trust is one of the most valuable assets any organisation can maintain.

Get in touch with Cybernetic GI for privacy-safe software and applications.
