Out-Law News
18 Jun 2025, 12:13 am
Businesses should consider whether any of their services will fall under the Children’s Online Privacy Code, which is being developed ahead of the introduction of a ban on Australians under the age of 16 having social media accounts, according to experts.
The planned Children’s Online Privacy Code is aimed at enhancing privacy protections for children and will apply to social media services, messaging apps, online games and cloud storage platforms, as well as any other service that is likely to be accessed by children.
Veronica Scott, an expert in privacy law at Pinsent Masons, said: “The proposed code will not apply to health services, but the Office of the Australian Information Commissioner (OAIC) is considering extending it to cover additional sectors such as education technology and wearables.”
“Although the code may not apply directly to all entities, it will still serve to inform how entities should be considering online privacy risks,” she said.
“The code will provide further guardrails for what strong privacy practices look like, as well as how to consider the privacy impacts of digital engagement with vulnerable members of the community.”
Under amendments made to the Privacy Act 1988 (Cth) in December 2024, following the Privacy Act Review conducted under former attorney-general Mark Dreyfus, the OAIC is required to consult on and develop the code, and register it by December 2026.
The first consultation phase, with certain stakeholders – including children and young people, representative groups, educators, frontline services and the First Nations community – ended on 11 June.
A second phase of consultation will be open to “civil society, academia and industry stakeholders to gather insights and perspectives”. Submissions for this phase will close on 31 July.
The code is being developed ahead of the introduction of the Online Safety Amendment (Social Media Minimum Age) Act 2024 on 10 December, which will require specified social media companies to take reasonable steps to bar children under the age of 16 from having accounts on their platforms.
Susan Kantor, an expert in privacy law at Pinsent Masons, said: “To prepare for the code’s introduction, businesses should assess whether any of their digital services are likely to be accessed by children and review their current privacy practices for compliance with Australian Privacy Principles (APPs).”
“Businesses should also consider engaging with the consultation and issues paper to understand how their services may be affected and inform how they plan to respond to the code, including particular risks that are identified throughout the consultation process,” she said.
“If you are considering how the Children’s Online Privacy Code might apply to your organisation, now is a good time to start reviewing your current practices and identifying any areas that may need adjustment.”
Dr Kate Bower, director of the Privacy Reform Implementation and Social Media Taskforce at the OAIC, said in a briefing that a 13-year-old child already has an estimated 72 million data points collected about them, which Scott said underscores the urgency of stronger protections.
The consultations aim to address how the code should apply to entities, the meaning of ‘likely to be accessed by children’ by drawing on international standards, the role of age verification and gating in light of new online safety laws, how key APPs apply in the context of children’s data, the right to request deletion, varying protections depending on the age and developmental stage of children, the ability for children to access and correct their information, and the fairness of data collection practices and the appropriateness of consent mechanisms to ensure informed consent and increase choice and control.