OUT-LAW ANALYSIS

Regulator issues privacy guidance on age assurance technologies in Australia


Australia’s privacy regulator has issued new guidance on age assurance technologies amid a rapidly expanding online safety regulatory framework, signalling closer scrutiny of how organisations collect, use and retain personal information, such as biometric data, when verifying users' ages.

Organisations and entities deploying age and identity verification, or planning to do so, should ensure that their chosen methods and policies adhere to the guidance to avoid regulatory, legal and reputational harm.

The Office of the Australian Information Commissioner (OAIC) issued its privacy guidance on age assurance technologies three months after Australia's social media minimum age came into effect and shortly after the introduction of the restricted material codes on 9 March 2026. The codes mandate search engines, social media platforms, pornography websites, app stores, gaming providers and AI companion chatbots to take “meaningful steps” to limit children’s access to age-inappropriate content, including through age verification.

The OAIC said it has observed an increase in age checks being deployed. It cautions organisations against over-collecting data or treating age assurance as a justification for broad or ongoing identity verification.

Privacy Commissioner, Carly Kind, said of the requirements: “Age assurance is not a blank cheque to use personal or sensitive information in all circumstances and must not erode Australians’ privacy rights.”

“Offering individuals transparent, data-minimising options to validate their age is important if entities want to use these technologies as a gateway to age-appropriate experiences online,” she said.

Entities implementing any of these age assurance measures for the purposes of enforcing the social media minimum age obligation should ensure they have considered and are adhering to the OAIC’s new guidance, in conjunction with OAIC-specific guidance on privacy obligations under the scheme.

Age assurance technologies and privacy obligations

In the guidance, the OAIC states that it expects entities and organisations to use a risk assessment, including identification of relevant laws or regulations, to help determine whether it would be suitable to implement age assurance, and, if so, whether the scope of the proposed personal information handling is proportionate to risk.

Only deploy age verification when required

Establishing age may not be needed if a service, or aspects of a service, can be designed for individuals of any age. The OAIC also warned against deploying age checks across an entire service where only certain high-risk features require them.

The guidance makes clear that age assurance is not a free pass to collect whatever data is technically available. Organisations need to be able to justify why a particular method is needed for the specific service and risk profile. The message is that necessity must be defensible.

Start with low-intrusion methods and escalate only if needed

Where more defined age-gates are required to address higher-risk services or legal requirements, entities may adopt a ‘waterfall’ approach, meaning that more privacy-invasive methods are applied only when prior methods are insufficient or inconclusive to validate the age of an individual.

Requiring individuals to undergo a single, highly intrusive age verification process may be difficult for an organisation to justify if alternative options could achieve the same regulatory outcome with less privacy impact. Having multiple pathways can reduce friction for users and help organisations demonstrate that they have actively considered less intrusive options.

Apply stronger safeguards for sensitive information and biometric data

Where sensitive information is required to verify identity and age, the OAIC expects additional safeguards. In her statement, Kind highlighted “the adverse consequences that may arise from the inappropriate handling of such (sensitive) information” and stressed the consequent need to minimise both collection and retention.

Purposes and transparency, consent and choice

Entities should clearly communicate to users through consent requests, privacy policies and notifications why an age check is being conducted and how it will take place, explaining the specific method or methods and the information handled. 

The OAIC expects entities to clearly define and communicate the primary purpose for collecting personal information for age assurance, and to distinguish any secondary purposes, using descriptions that are concise, current and visible to individuals at the point they would reasonably expect to see them.

Due diligence

The OAIC’s guidance also stresses the importance of organisations undertaking due diligence across their age assurance supply chain, particularly where multiple vendors are involved, and ensuring that each provider has appropriate privacy governance in place. These vendor relationships should be supported by contractual arrangements that clearly allocate responsibility and require compliance with Australian privacy obligations.

Destroying or de-identifying inputs once the purpose is met

Organisations should design systems to avoid retaining personal and sensitive information, such as biometric data, that has been collected for age assurance purposes.

The expectation is that entities use solutions that temporarily process inputs, such as document images or fields and face frames, without storing them. Once age verification is complete and the information is no longer needed, those inputs should be promptly destroyed or de-identified.
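The ‘waterfall’ escalation described earlier and the ephemeral handling of inputs described here, combined in one added example that is not part of the OAIC guidance or this article. The three methods, their thresholds, the field names and the sample user are constructed assumptions; the point is that escalation happens only on an inconclusive result, the raw inputs are discarded whatever the outcome, and the only record kept is the decision and the escalation trail.

```python
from dataclasses import dataclass
from datetime import date
PASS, FAIL, INCONCLUSIVE = "pass", "fail", "inconclusive"
MIN_AGE = 18

@dataclass(frozen=True)
class AgeDecision:
    # The only record retained: outcome, deciding method and escalation trail.
    # No document image, face frame or date of birth is stored.
    over_min_age: bool
    decided_by: str
    methods_tried: tuple

# Step 1 (lowest intrusion): reuse an existing, already-verified adult account.
def account_signal(inputs):
    return PASS if inputs.get("verified_adult_account") else INCONCLUSIVE

# Step 2: facial age estimation. Within `buffer` years of the threshold the
# estimate is too uncertain to rely on, so it is inconclusive and escalates.
def face_estimate(inputs, buffer=5):
    est = inputs.get("estimated_age")
    if est is None or MIN_AGE - buffer <= est < MIN_AGE + buffer:
        return INCONCLUSIVE
    return PASS if est >= MIN_AGE + buffer else FAIL

# Step 3 (most intrusive): date of birth read from an identity document.
def document_check(inputs, today=date(2026, 3, 9)):
    dob = inputs.get("document_dob")
    if dob is None:
        return INCONCLUSIVE
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return PASS if age >= MIN_AGE else FAIL
WATERFALL = [("account_signal", account_signal),
             ("face_estimate", face_estimate),
             ("document_check", document_check)]
# Constructed sample: an estimate near the threshold that must escalate to a document.
SAMPLE_ESCALATING_USER = {"estimated_age": 19, "document_dob": date(2000, 5, 1)}

def waterfall_age_check(inputs, methods=WATERFALL):
    """Apply methods in order of increasing intrusiveness, escalating only on
    an inconclusive result, then discard the raw inputs whatever the outcome."""
    tried = []
    try:
        for name, fn in methods:
            tried.append(name)
            result = fn(inputs)
            if result != INCONCLUSIVE:
                return AgeDecision(result == PASS, name, tuple(tried))
        return AgeDecision(False, "none", tuple(tried))  # exhausted: not verified
    finally:
        inputs.clear()  # inputs are ephemeral: nothing outlives the decision
```

The `methods_tried` trail is what lets an entity document why a more intrusive method was reached for a given check without keeping the underlying inputs.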

Ensure accuracy and provide an appeals pathway

Entities should consider the accuracy and effectiveness of the age assurance method used and ensure it does not create unjustified adverse outcomes, such as unjust discrimination or digital exclusion. Entities must also have appropriate mechanisms in place for individuals to appeal an age check.

Considering these obligations, entities deploying age assurance technology should: 

  • map where age assurance is legally required and avoid deploying checks by default;
  • apply privacy by design and conduct a privacy impact assessment before selecting or expanding age assurance methods;
  • start with low intrusion techniques and document why any more intrusive approach is necessary;
  • maintain clear retention schedules and build technical controls to destroy or de-identify inputs promptly once age verification is complete;
  • review consent and transparency flows to ensure explanations are clear and provided at the point of collection;
  • offer alternative assurance methods where feasible to reduce privacy impact; and
  • strengthen vendor governance, contracts and monitoring across the age assurance ecosystem.

Co-written by Matthew Wilson of Pinsent Masons.
