Key takeaways
The OAIC has released a draft Children’s Online Privacy Code for public consultation.
The Code will apply to all social media services, messaging services, and other online services likely to be accessed by children or which are primarily concerned with the activities of children (subject to limited exemptions).
The Code is complex and entities that provide services online that are accessed by or directed to children will face a significant additional compliance burden as a result. This could include a wide range of online services beyond social media, gaming platforms and other online services obviously focused on children. Compliance requirements will include:
- reasonable steps to ascertain user age before collecting personal information
- ensuring that by default information is only collected from a child if it is ‘strictly necessary’
- obtaining strict time-limited consents from the child (or from a parent if the child is under 15) for secondary uses
- new rights for children to seek destruction of their information, and
- enhanced transparency and governance.
The consultation is open until 5 June 2026. The Code must be registered by 10 December 2026, but may take effect at a later date.
Background to the Children's Online Privacy Code
On 31 March 2026, the Office of the Australian Information Commissioner (OAIC) released an exposure draft of the Privacy (Children’s Online Privacy) Code 2026 (Code) for public consultation. This follows initial consultation on the design of the Code that took place in mid-2025. If registered in its current form, the Code will have significant practical and operational implications for organisations that provide online services likely to be accessed by children or primarily directed towards children’s activities.
The notion that specific rules are required to safeguard the privacy of children is not a new one.
- In October 2021, the Attorney-General’s Department released an exposure draft of an Online Privacy Bill that proposed the introduction of an online privacy code for children, albeit one that was to be developed by industry in the first instance and was to be relatively narrowly focused on social media services, data brokerage services, and ‘large online platforms’ with more than 2.5 million end users in Australia.
- While that Bill was not progressed, subsequent reviews of the Privacy Act also recommended the development of a dedicated online privacy code for children, with the Government endorsing that recommendation while noting societal concerns ‘that children are increasingly being ‘datafied’, with thousands of data points being collected about them, including information about their activities, location, gender, interests, hobbies, moods, mental health and relationship status’.
- In 2024, amendments were made to the Privacy Act obliging the OAIC to develop the Code, following a mandatory consultation process.
Australia is not alone in recognising and seeking to address the special vulnerability of children when it comes to matters affecting privacy. Targeted regulations dealing with children’s privacy online have also already been implemented in several other jurisdictions, such as the Age Appropriate Design Code in the UK and the Children’s Online Privacy Protection Act (COPPA) in the US. While the draft Explanatory Statement for the Code indicates an intention to align, where possible, with international frameworks (and with the UK Age Appropriate Design Code in particular), the Code has been adapted to fit within the existing framework of the Privacy Act and so is uniquely Australian in its design and application. This means that it will be important for all online service providers operating in Australia to pay close attention to the development of the Code.
Purpose and scope of the Children's Online Privacy Code
The Code will operate in addition to the requirements of the Australian Privacy Principles (APPs) and will set out how the APPs are to be applied or complied with in relation to personal information of children.
The Code may also impose additional requirements so long as they are not contrary to, or inconsistent with, the APPs. Once the Code is registered and in effect, a breach of the Code will constitute an interference with privacy under the Privacy Act and may attract enforcement action in the same way as any breach of the APPs.
The application of the Code will be broad.
The Privacy Act provides that the Code will automatically apply to social media services, relevant electronic services and designated internet services (each as defined in the Online Safety Act) that are likely to be accessed by children. Given the broad nature of the definitions used – the category of ‘designated internet services’ essentially covers any entity with a website accessible to users in Australia – just about every business that has an online presence in Australia will be captured to the extent that it is likely to attract users under the age of 18.
The relevant explanatory memorandum for the Privacy Act amendments under which the Code is being developed indicates that in assessing whether a service is ‘likely to be accessed by children’ it will be relevant to consider factors such as:
- the nature and content of the service, and whether it has a particular appeal to children;
- market research, current evidence on user behaviour, the user base of similar or existing services and service types; and
- the way in which the service is accessed, and whether any measures put in place are effective in preventing children from accessing the service.
The places where children spend most of their time online, such as social media sites, electronic messaging services, video streaming platforms and gaming networks, are all clearly within scope. However, there are many other services that, while not specifically designed to appeal to children, are also highly likely to have users who are children and so may also be caught. For example, most online banking services and online retailers will have customers who are children. In some cases, these may be services that deliberately target a younger market segment (e.g., a pocket money app offered by a bank or an app for learner drivers to claim against car insurance). However, services intended for all ages may be caught if they are commonly used by children even though they are not specifically targeted at that demographic.
The Code itself extends its application to services that may not even be directly accessed by children, but which handle information about children, such as school management tools or baby monitors.
While a similarly broad net is cast under the Online Safety Act, compliance requirements under that regime are largely either very specific in nature (e.g., to respond to specific take down notices) or limited to platforms with a specific risk profile (e.g., under industry codes and standards made under the Online Safety Act, the most stringent compliance requirements are reserved for services that have been assessed as presenting higher levels of safety risk). By contrast, the Code in its current form will apply general compliance requirements to a wide cross-section of online businesses beyond the type of child-centric platforms that policymakers may originally have had in mind. The practical implications of this may be significant, particularly for businesses that do not have the technical resources or knowhow to effectively distinguish between users based on age and so have little choice but to comply with the requirements of the Code in relation to all users, children and adults alike.
Some headline issues arising from the Children's Online Privacy Code
The Code is complex and summarising all the compliance requirements it will impose is not possible within the space allowed in this alert (though please get in touch with a Mallesons contact if you would like a copy of our detailed line-by-line analysis). However, some key aspects that we think may be of interest to many digital businesses are:
1. Mandatory age assurance requirements
Service providers will need to take reasonable steps to ascertain an end-user's age before collecting their personal information. The level of age assurance required for a given service will likely depend on the level of privacy risk, the typical user demographic, and other contextual factors. However, as the Code also effectively sets 15 as the age of consent, services will need to be able to reliably distinguish users under 15 from those over 15 so that they can design compliant consent processes.
There are now a number of different age boundaries in play for online services, including 13 (a minimum age threshold for many online services that is rooted in the COPPA, which applies to information about children under 13), 15 (the threshold for consent under the Code), 16 (the age threshold that applies under the social media minimum age framework established under the Online Safety Act) and 18 (the minimum age for accessing certain types of age-restricted content). This creates a high level of complexity, particularly when many age estimation technologies are still at a relatively early stage of development, with residual doubts as to their level of accuracy in practice, meaning that service providers may need to rely on more intrusive age verification processes to reliably determine user age.
The draft Explanatory Statement expressly states that a service provider is not required to take any steps to ascertain user age ‘if the entity applies the privacy protections afforded to children in the Code to all end-users.’ This may lead some service providers to apply the requirements of the Code as a baseline standard for end-users of all ages.
2. ‘Strictly necessary’ data collection
By default, only personal information that is ‘strictly necessary’ to provide the relevant online service may be collected, used or disclosed under the Code. This is a significantly higher threshold than the existing ‘reasonably necessary’ standard under APP 3. Online service providers may face uncertainty about whether user safety measures, content moderation tools, ongoing service improvement, and other activities that may be beneficial for users in a holistic sense, but not essential for delivering core service functionality, fall within this narrow standard.
By contrast, under the UK Age Appropriate Design Code exceptions may apply where there is a ‘compelling reason’. The UK Code explains that ‘One clear example of a compelling reason is data sharing for safeguarding purposes, preventing child sexual exploitation and abuse online, or for the purposes of preventing or detecting crimes against children such as online grooming.’ The lack of a similar exception in Australia may lead to doubts about what services can and cannot do without seeking express consent from their users.
3. Parental consent and verification for children under 15
For children under 15, consent must be obtained from a person with parental responsibility, and providers must take reasonable steps to verify that person's parental responsibility. The draft Explanatory Statement suggests verification methods such as email, token-based vouching via a bank or telco, video conferencing, or government digital ID. However, such methods may be unreliable or susceptible to abuse, operationally burdensome and difficult to implement at scale, particularly for services with low-touch onboarding or for users who wish to remain anonymous (a right that all users, including children, currently have and that is a privacy-protective practice).
While human behaviour is always difficult to predict, it is not hard to imagine that some underage users would balk at having to defer to their parents to configure consent settings on every online service they wish to use and so may deliberately work to obscure their true age as a way of avoiding these requirements. This may make it more difficult for service providers, particularly smaller operators without easy access to advanced age prediction technologies, to accurately identify younger users. Early experience with the social media minimum age framework under the Online Safety Act has shown that accurately identifying underage users online is easier said than done and that regulator expectations may depart from industry practice. The alternative of only offering a stripped-down basic service experience for users who are unable to positively establish their age may also be undesirable from a policy perspective, as it could result in many users being denied access to richer online experiences.
4. 12-month consent validity
Apart from requiring that consents must be voluntary, informed, current, specific, unambiguous, capable of being easily withdrawn and not obtained by coercion or manipulation, the Code will impose a time limit on consents obtained from a child so that they may only apply for a maximum period of 12 months. This means that online service providers will need to obtain fresh consents from child users on at least an annual basis and may need to automatically convert those users to a lower-feature version of the service if consent is not refreshed on time.
The annual re-consenting process is likely to create significant administrative burden for services with large user bases. The fact that consents must be unbundled by design (to ensure they remain voluntary and sufficiently specific), with individual consents capable of being given and withdrawn at different times, will only increase the operational complexity with each individual consent potentially running on a different annual cycle. It is not hard to imagine children (and parents) being bombarded with requests to renew consents, which may quickly lead to consent fatigue and disengagement with online privacy settings. Striking the right balance between giving children control and not overwhelming them with consent requests will not be straightforward.
5. New right to data destruction
Children (and parents in the case of those under 15) will have a new right to require destruction of specified personal information. Unlike the present position under APP 11, which provides for information to be either de-identified or destroyed once it is no longer required, de-identification will not be sufficient to satisfy this new compliance requirement. This is likely to be challenging for online service providers, as true deletion can be difficult to achieve across backups, shared systems, fraud and safety logs, and processor chains.
A right to data erasure has been raised in past reviews of the Privacy Act. The Productivity Commission in its 2025 report on Harnessing Data and Digital Technology recommended against a legislated ‘right to erasure’ on the basis that the high compliance costs would outweigh the privacy benefits of such a right. While a right to erasure was recommended as part of the Attorney-General’s Department’s 2023 Privacy Act Review Report, this was subject to exceptions, such as where compliance would be technically impossible or unreasonable or where the request is frivolous or vexatious. In proposing such a right without any equivalent wriggle room, the Code risks setting a compliance standard that is burdensome at best and impossible to meet at worst.
Enforcement — why does the Children's Online Privacy Code matter?
Once registered, the Code will operate as an APP Code under s 26GC of the Privacy Act. That means a breach of any of its provisions will be, by operation of law, an interference with the privacy of an individual and the full weight of the Privacy Act's enforcement machinery will follow.
That machinery now has real bite. The maximum civil penalty for a body corporate for a serious or repeated interference with privacy will be the greater of:
- AU$50 million;
- three times the value of the benefit obtained from the conduct; and
- 30% of the entity's adjusted annual turnover during the breach period.
For digital products that monetise children's data at scale — through targeted advertising, behavioural profiling, or secondary data sales — the ‘benefit obtained’ and ‘turnover’ limbs of that formula may produce exposures that dwarf the AU$50 million floor.
The structure of the Code presents interesting challenges for investigation and litigation risk.
Consent requirements that expire. As noted above, consents under the Code will be time-limited to 12 months and must be actively renewed. A service with millions of child users that fails to refresh consents on time will not be committing one breach — it will potentially be committing millions of concurrent interferences with privacy, each individually actionable.
Data destruction obligations with no de-identification escape. The Code will require true destruction of personal information on request, with no APP 11-style de-identification workaround available. From an enforcement perspective, a refusal or failure to destroy information will be a discrete and demonstrable breach — precisely the kind that generates clear findings in penalty proceedings.
Regulatory appetite to explore complaints that reflect systemic concerns. The Information Commissioner recently issued a statement about its approach to investigating privacy complaints, in which the Commissioner signalled an intention to use enforcement action as a means of achieving ‘systemic change’ and potentially eradicating harmful market practices. In doing so, the Commissioner indicated the OAIC would be ‘strategically pursuing matters that enable us to tackle persistent, egregious or systemic harms’. Given heightened societal concerns about the privacy of children, it seems likely that the Commissioner will have appetite to prioritise complaints made under the Code as a means of driving system-wide changes around the handling of children’s information.
Privacy Impact Assessments as a paper trail. The Code will require online service providers to conduct PIAs before launching new services or materially changing data handling practices, with completed PIAs to be listed in a public register and made available to the OAIC on request. A published PIA that fails to address Code obligations — or that recommends risk mitigations that are not implemented in practice — is ready-made evidence for an OAIC investigation or a civil penalty proceeding.
The Commissioner will be able to investigate suspected breaches of the Code on her own motion (without waiting for a complaint), accept enforceable undertakings, make public determinations, and apply to the Federal Court for civil penalty orders. There will be no private right of action, but a child (or parent) who obtains a favourable determination and is awarded compensation will be able to enforce it in the Federal Court if the entity does not comply.
Finally, and perhaps most consequentially for many businesses: enforcement involving children will inevitably attract a different level of public scrutiny. The Commissioner will have both the power and, given the Code's child protection mandate, every incentive to make examples. The reputational consequences of a public finding of non-compliance with rules specifically designed to protect children could be as significant from a commercial perspective as the financial penalties themselves.
What’s next?
The consultation process is open until 5 June 2026, and the Information Commissioner is obliged to register the Code by no later than 10 December 2026, though not before the Commissioner has considered submissions made during the consultation and sought input from the eSafety Commissioner and the National Children’s Commissioner.
Given the significant practical implications of the Code, we expect that the Commissioner will allow a substantial implementation period, though that is a topic on which the Commissioner is seeking views as part of the consultation. As a reference point, an implementation period of up to 24 months has been allowed for previous privacy-related reforms. Given the potential operational implications, and the likelihood that many online platforms will need to substantially redesign information collection and consent processes, as well as redraft their privacy policies and notices to ensure they are ‘age appropriate’, it would be ambitious to apply a shorter implementation period for the Code.
Our team of privacy experts at Mallesons has been following these developments closely over many years and would be happy to discuss the potential implications of the Code for your business.