On 22 April 2026, Australia's Privacy Commissioner Carly Kind issued determination [2026] AICmr 24 against IRE Pty Ltd, operator of the 2Apply rental-application platform. The Commissioner found that IRE breached Australian Privacy Principle (APP) 3.2 by collecting personal information that was not reasonably necessary — gender, student and citizenship status, visa expiry, and previous living history — and APP 3.5 by collecting it through unfair means. In a first for the Office of the Australian Information Commissioner (OAIC), the decision applied an 'online choice architecture' analysis, identifying confirmshaming, biased framing, and bundled consent as 'dark patterns' that pressured applicants into oversharing (OAIC media release, 22 April 2026).
The strongest case for the determination
Start with what the regulator got right, because it is substantial. 2Apply is not a marginal player: it has processed more than 8.5 million tenancy applications since 2020, and renters using it are routinely asked for more than 50 categories of information (The Conversation). The market dynamics are genuinely coercive. As Commissioner Kind put it, renters 'often lack real choice when making rental applications. Either they hand over personal and private information, including ID documents and payslips, or risk housing precarity or even loss' (iTnews, 22 April 2026).
That power imbalance is the crux. Ordinary consent theory assumes a user who can walk away. A prospective tenant in a tight rental market cannot. The Commissioner also noted that collecting attributes like gender, citizenship, and visa status 'could increase the risk of discrimination against applicants' — and that minimising collection is the most reliable way to prevent that discrimination from occurring at all. When a platform asks an applicant their citizenship status to rent a flat, the data serves no function for the landlord that justifies the discrimination risk it creates. On the core APP 3.2 finding, the OAIC is plainly correct, and the result is good for both renters and a healthier RentTech market.
Why the excess-collection finding is the pro-innovation outcome
It is tempting to file every privacy enforcement action under 'regulatory overreach.' This one does not belong there. Data minimisation is not the enemy of innovation — indiscriminate data hoarding is. A platform that warehouses 50-plus fields on 8.5 million applicants, including sensitive attributes it does not need, is carrying breach liability, discrimination exposure, and storage cost for no product benefit. The APP 3.2 finding simply tells RentTech firms to collect what the transaction requires. That is a discipline good engineering already imposes; the determination puts a legal floor under it.
The remedy was also calibrated rather than punitive. IRE agreed to cease collecting the excessive categories on a without-admissions basis, with the platform's design subject to review (OAIC media release). No headline penalty, no shutdown — a corrective order proportionate to a first-of-its-kind interpretation. That is how a regulator should introduce a novel doctrine: fix the conduct, signal the standard, and let the market adjust.
Where the choice-architecture doctrine needs guardrails
The APP 3.5 'unfair means' analysis is the genuinely new move, and it deserves more scrutiny than the applause it has received. The OAIC imported a concept — online choice architecture — that has no statutory definition in the Privacy Act 1988. 'Confirmshaming,' 'biased framing,' and 'bundled consent' are useful descriptive labels borrowed from consumer-protection and UX literature, but they sit on a spectrum. The clearest 2Apply example — telling applicants that withholding information 'may affect whether you are considered' — is coercive. But persuasive framing, default selections, and bundled requests are also the ordinary grammar of every onboarding flow on the internet. A doctrine that brands manipulative design 'unfair' is only workable if firms can tell in advance which side of the line a given form sits on.
That predictability problem is real because the standard is now being set case by case through determinations rather than through rules. Bird & Bird's analysis of the decision frames it precisely as a question of 'what the IRE determination means for platform design' — an open question, not a settled one (Bird & Bird). When the boundary of lawful design is discoverable only after an investigation, smaller developers without compliance teams bear the uncertainty disproportionately, and the safe response is to collect less and build blander, less helpful interfaces — a chilling effect on legitimate UX, not just on dark patterns.
The durable fix is legislation, not regulator creativity
The deeper lesson is that the OAIC is doing work Parliament has left undone. Australia's stalled Privacy Act reform was meant to introduce a 'fair and reasonable' test for collection and clearer rules on consent and design. In its absence, the Commissioner is stretching APP 3.5's 'unfair means' to cover ground a modern statute would address explicitly. Renters benefit in this instance, but as The Conversation notes, other platforms may simply ignore a single determination absent stronger legislation. A doctrine grounded in statute — with defined terms, safe harbours, and proportionate penalties — would protect renters more reliably and give builders the certainty that lets good products ship.
The 2Apply determination is the right result reached partly by the wrong instrument. Australia should codify it before it has to litigate it again.