What Australia’s proposed online privacy code for children means for service providers

The consultation on the ’exposure draft’ of the code, which is accompanied by an explanatory statement, is being undertaken by the Office of the Australian Information Commissioner (OAIC). It follows extensive preliminary engagement with children, families, industry and civil society, and is aimed at responding to growing concern about the scale and sensitivity of personal information collected about children in digital environments. The consultation is open until 5 June 2026. The final code must be registered by 10 December 2026 – the same date that the new privacy-related automated decision making (ADM) disclosure obligations take effect.  

To support the process, the OAIC has launched a dedicated online ‘Privacy for Kids’ hub, which brings together consultation materials, guidance and child‑facing resources intended to provide more accessible information and encourage engagement form all stakeholders.  

Online service providers should use the consultation period to assess whether any of their services are likely to fall within the proposed scope of the code, to make submissions on any concerns they have about its impact, and to consider what uplifts to existing privacy governance settings may be required. 

Legal status

The code is being developed under the amendments made in 2024 to the Privacy Act 1988 (Cth) by the Privacy (Online Services and Other Measures) Act 2024 (Cth), which mandates the Privacy Commissioner to develop and register a children’s online privacy code.  

Once registered, the code will operate as a binding legislative instrument under the Privacy Act, specifying how online services that are subject to the code must comply with the obligations in the Australian Privacy Principles (APPs) and imposing child‑specific obligations. Importantly, APP codes may also apply to acts or practices that would otherwise be exempt from the Privacy Act, including exemptions to employee records and journalism, to the extent specified in the code. 

Purpose and impact 

The exposure draft code marks a major proposed shift in the expansion of APP-related obligations and privacy protections for children who are under the age of 18. The OAIC has emphasised that the code is not intended to restrict children’s online participation, but rather to raise digital privacy standards and place responsibility squarely on online service providers. 

Community demand for stronger children’s privacy protections predates the mandate. According to the OAIC, by early adolescence, children may already have tens of millions of data points collected about them, increasing the risks of data breaches, identity theft, discrimination, algorithmic bias and harmful targeted advertising. 

Code threshold – the online services in scope

An important feature of the draft code is its service‑level application. Organisations with multiple digital products may find that some of their online services are within scope, even while others are not. In simple terms, the code is intended to broadly apply to online services where children face heightened privacy risks, including: 

• apps, games and websites; 

• services primarily directed at children or commonly used by children; and 

• services processing large volumes of children’s personal information. 

The draft code applies to organisations: 

• that are providers of social media services, relevant electronic service or designated internet services under the Online Safety Act 2021 (Cth);  

• if their online service is likely to be accessed by children or is primarily concerned with the activities of children; and 

• they are not providing a health service. 

While health services are excluded, the OAIC confirmed that the scope otherwise spans a wide range of sectors, including education and early‑childhood platforms, gaming and streaming services, financial services, gaming and retail applications where children are users. Examples expressly listed in the draft code include “applications that track early childhood development, family photo sharing applications, online school management systems that monitor student performance and internet-connected baby monitors”. 

Importantly, the question of whether a service is in scope will depend, not on whether a service is intended for children but whether it is either likely to be accessed by children or the service is primarily concerned with children’s activities – a concept that will require careful factual assessment. By way of comparison, guidance under the UK children’s code indicates that a service is “likely to be accessed” by children where the nature, content or presentation of the service would lead the provider to reasonably expect that children, of any age up to 18, will want to use it, or where children constitute a substantive and identifiable user group, even if the service is not specifically designed for them. 

The code will only apply to online services provided by Australian federal agencies and the private sector with an Australian link. It will not apply directly to services provided by state or territory agencies. This means that there could be inconsistent coverage in practice, given the mixed delivery model for childrens’ services – for example, state‑run versus private early childhood services and schools and government‑operated versus commercial child‑focused digital platforms. 

Obligations proposed in the draft code

Central to the draft code is the  principle that the best interests of the child must underpin all practices in relation to the collection, use and disclosure of children’s personal information. This principle is derived from international human rights law and the United Nations Convention on the Rights of the Child, to which Australia is a signatory. How this should be applied in practice will require careful consideration. 

Other main features of the proposed new code include: 

• stricter limits on direct marketing and targeted advertising – direct marketing would generally be limited to circumstances where valid consent has been obtained from the child or from a person with parental responsibility, and where the information is collected directly from the child; 

• a strengthened right for children to request deletion of their personal information, sometimes described as a “reset” right, recognising that children’s views, behaviours and identities evolve over time. There is currently no express right to erasure or deletion in the APPs so this would be a new right;  

• enhanced transparency and accessibility obligations, requiring privacy notices and policies to be clear, age‑appropriate and understandable, rather than adult‑centric or legalistic; 

• strengthened consent requirements, including an emphasis on informed and voluntary consent, and obligations to notify children, using child‑friendly explanations, where a parent has consented on their behalf;  and

• a proposed age of consent of 15, reflecting a policy objective of progressively building children’s privacy literacy as they mature. This is consistent with the current OAIC APP guidance on childrens’ capacity to consent which is a key element for obtaining valid consent.

What to expect next and what actions to take

The current consultation period to 5 June 2026 presents a critical opportunity for organisations to consider how the code will affect their operations and services, as well as to provide their input into the final elements of the code and make a submission directly or through their industry forums. A significant challenge will be operationalising the proposed new or enhanced additional requirements in the context of the existing compliance practice and frameworks and the new overarching ‘best interests of the child’ principle. The potential challenges and risks could see online services being reduced or withdrawn. The OAIC will want to hear about these potential impacts.

To inform their approach and to start preparing, online service providers should be considering the following:

• scope and threshold assessments: mapping their digital services to determine which are likely to fall within the scope of the code, taking into account actual and potential child access rather than intended audiences, and how they would address the outcome of this scope assessment and if they would take any steps to limit their services – and, if so, what this would mean;
• gap analysis against current privacy practices: reviewing current privacy notices, consent flows, parental identification and consent mechanisms and data handling practices against the draft requirements and the ‘best interests of the child’ principle;
• privacy by design uplift: assessing how child‑centric privacy considerations are embedded into service design, default settings, data minimisation, retention and deletion practices, including in AI‑enabled features;
• privacy rights and complaints handling: evaluating whether current processes adequately support children’s rights, deletion requests and accessible complaints pathways for children and carers.

The OAIC will review the submissions it receives to its consultation and could revise the draft, and undertake further targeted engagement as required, before registering the final code. Pinsent Masons is working with clients to help them understand, assess and prepare for this significant reform and the forthcoming ADM disclosure obligations.