In brief

On 31 March 2026, the Office of the Australian Information Commissioner (OAIC) released an exposure draft of the Privacy (Children’s Online Privacy) Code 2026 (“Code”) and accompanying Explanatory Statement. The Code proposes the introduction of age assurance measures and other obligations for certain online providers, with the aim of strengthening privacy protections for children online. Once in force (no later than 10 December 2026), the Code will apply to a range of online service providers, in addition to the requirements of the Australian Privacy Principles (APPs).

Who will be affected?

The draft Code draws on definitions in the Online Safety Act 2021 (Cth) (OSA). The Code is proposed to apply to an APP entity if it is a provider of a social media service, relevant electronic service, or designated internet service (as defined in the OSA) but only if the service:

(i) is likely to be accessed by children; or

(ii) is primarily concerned with the activities of children.

While the first category is required pursuant to the triggering provisions for the Code already in the Privacy Act 1988 (Cth) (“Act”), the Explanatory Statement notes the addition of the second category extends the operation of the Code not only to services which are used by children themselves, but also to services “that are not directly accessed by children but are nonetheless primarily concerned with children’s activities”, such as “applications that track early childhood development, family photo sharing applications, online school management systems that monitor student performance and internet-connected baby monitors”.

Health services and carriage service providers are specifically excluded from the operation of the draft Code. As the Code is intended to apply to APP entities, the existing small business exemption under the Act would also apply, carving out entities with an annual turnover of AUD 3 million or less.

The Code would apply only at the level of specific services, rather than entity-wide. The Explanatory Statement uses the example of a bank which offers a pocket money app, business banking services, and home loan apps. In this scenario, the pocket money app is likely to be accessed by children, whereas the business banking and home loan apps are not likely to be accessed by children. In this case, only the pocket money app would be affected by the operation of the Code.

Age assurance and age ascertainment

Importantly, the draft Code contains an obligation for an entity to take such steps as are reasonable in the circumstances to ascertain the age of end-users before collecting their personal information (section 8).

Entities may collect limited personal information as needed for the purposes of ascertaining an end-user’s age, but must destroy any sensitive information so collected as soon as practicable after this purpose is achieved, subject to some narrow exceptions.

Notably, the age ascertainment obligation would not apply where an entity elects to apply the child-specific protections required by the Code to all end-users, regardless of age.

The Explanatory Statement does not contain specific guidance on what constitutes reasonable steps, and there is room for significant complexity around this, especially given the introduction of other online safety age assurance requirements in Australia in recent years. While there are obvious similarities, it is possible that what is reasonable in respect of age assurance may differ for privacy compliance purposes from what is reasonable from an online safety perspective, given the differences in the context and rationale for the requirements under each regime. The OAIC has separately released guidance on age assurance technologies in the context of the OSA.

For the Code, steps that are reasonable in the circumstances would depend on the risk of harm arising from the collection and the use or disclosure of personal information. The Explanatory Statement describes this as a risk-based approach, where lower risk services could accept a higher degree of uncertainty as to an end-user’s age, but higher risk services would require a greater degree of certainty. Risk in this context is specific to privacy risks, and entities should take into account the types and volume of personal information that is collected and whether it is shared with third parties in assessing such risks. Entities should also consider the availability, costs and efficacy of age assurance and their data and privacy implications for end-users.

Additional obligations

The Code also proposes to introduce a range of additional obligations. As mentioned above, an entity may elect not to ascertain the age of end-users if it applies the child-specific protections required by the Code to all end-users.

Draft Code obligations include:

  • Privacy Impact Assessments register: conducting privacy impact assessments (PIA) when providing any new service or activity or making a change in the way it handles personal information in relation to an existing service or activity, that is likely to be accessed by children or will be primarily concerned with the activities of children. Notably, an entity must maintain a register of PIAs it conducts and publish this register online.
  • Best interests of the child: collection, use and disclosure of personal information about a child must be consistent with the best interests of the child.
  • Consent: subject to limited exceptions, children under 15 cannot provide consent, meaning that such consent must be obtained from a person with (reasonably confirmed) parental responsibility for that child. More specific requirements for the consent - that it be informed, current, not withdrawn, specific, unambiguous and voluntary - are also included. There are also requirements to obtain age-appropriate assent from under 15 end-users in some circumstances. The consent requirements are intended to provide a scaffold for children’s privacy rights throughout their development, with children under 15 providing assent and the person with parental responsibility providing consent, then children 15 to 17 being supported by age-appropriate transparency and notice provisions, before they move out of the scope of the Code at age 18.
  • Default settings/measures: entities must implement technical and organisational measures that are set to high privacy by default to ensure that they only collect, use and disclose personal information about children as strictly necessary (including by enabling end-user control of any collection, use or disclosure that is not strictly necessary).
  • Direct marketing: direct marketing to children will be significantly limited. Use or disclosure of personal information for this purpose must be consistent with the best interests of the child and will generally require consent, and a simple, easy and age-appropriate means of opting out.
  • Transparency: some entities may be required to develop a separate child-specific privacy policy or provide a singular privacy policy that is written in clear, simple, and accessible language so it can be understood by both children and adults.
  • Children’s rights: the Code includes mechanisms and enhanced rights for children to request access to and the destruction, correction and handling of their personal information as well as enhanced mechanisms to enable inquiries and complaints.
  • Monitoring and controls: children must be notified when an entity enables a person with parental responsibility for a child to control or monitor that child’s use of the service or their geolocation data.
  • Training: entities must also ensure that their employees, and other people they engage, participate in education and training on the protection of children’s personal information.

Consultation process

The OAIC is seeking comments on the draft Code.

Stakeholders are encouraged to submit written submissions on the draft Code via email to copc@oaic.gov.au by close of business on Friday, 5 June 2026. Stakeholders can also register their interest to attend a Virtual Roundtable here.

* * * * *

Camilla McDonald, Junior Associate, has contributed to this legal update.
