OAIC's Children's Online Privacy exposure draft: from consultation to code

The Office of the Australian Information Commissioner (OAIC) has released an exposure draft of the proposed Privacy (Children's Online Privacy) Code 2026 (the Code) for public consultation. The Code would represent a significant shift in the Australian regulatory landscape for any organisation whose digital products and services involve the collection, use or disclosure of children’s personal information.

Key takeaways
  • The Code would have a broad scope – it would cover services that are likely to be accessed by children as well as services that are primarily concerned with the activities of children.

  • The Code would involve fundamental changes to the application of the Australian Privacy Principles (APPs) as they apply to the collection, use and disclosure of the personal information of children.

  • The Code would require APP entities offering online services that involve the personal information of children to implement a wide range of changes affecting technical, operational, organisational and consent processes to ensure compliance (e.g. changes to online default mechanisms, embedding ‘best interests of the child’ considerations into privacy workflows and provision of ‘age appropriate’ privacy policies and notices).

  • The Code is open for public consultation until 5 June 2026 with a statutory deadline for registration of the Code by 10 December 2026. The commencement date for the Code is yet to be specified, although the Attorney-General's media release on 31 March 2026 stated the draft Code ‘will be in place’ by 10 December 2026.

What is the Children’s Online Privacy Code?

The Code is a legislative instrument under the Privacy Act 1988 (Cth) (Privacy Act) that would specify how online services (e.g. apps, games and websites) would need to comply with the APPs when they handle children’s personal information.

Many of the proposed new rules correspond with equivalent international instruments such as the UK’s Age Appropriate Design Code (UK Children’s Code). However, the OAIC has noted that the Code would also include some novel protections developed for the Australian context. 

There is a draft Explanatory Statement that accompanies the draft Code.

When will the Children’s Online Privacy Code come into effect?

The Code will be registered by 10 December 2026. However, the commencement date and transition period have not yet been confirmed. The OAIC is seeking public comment on an appropriate commencement date for the Code.

Who and what does the Children’s Online Privacy Code apply to?

The Code would apply to the activities of an APP entity to the extent that those activities consist of the following services (as defined in the Online Safety Act 2021 (Cth) (OSA)). These services are ones that are likely to be accessed by children or are primarily concerned with the activities of children: 

  • social media services (SMS), which generally refers to services where the primary purpose is to enable online social interaction between end users;
     
  • relevant electronic services (RES), which generally refers to services that allow people to communicate, such as messaging apps and online games with chat functions; or
     
  • designated internet services (DIS), which refers to services that allow users to upload and access material using an internet carriage service, such as cloud-based storage websites.

The Code would recognise that children’s personal information may be handled by services that are not likely to be accessed by children, but are nonetheless primarily concerned with children’s activities (e.g. online school management systems that parents and teachers use to monitor student performance). The OAIC has also noted that the Code may apply to a broad range of APP entities that are not typically considered to be technology providers if they provide any of the specified services (e.g. a bank that provides a RES that is likely to be accessed by children may be captured by the Code).

To the extent that an APP entity provides a health service (as defined under the Privacy Act), such health services would not be subject to the Code. This exclusion is intended to ensure that the Code does not pose a barrier to providing essential health services to children. APP entities that are Carriage Services Providers (as defined under the Telecommunications Act 1997 (Cth)) would also be specifically excluded from the Code.

Proposed obligations and requirements

Many of the Code’s provisions would include requirements that information given under a notice, explanation or other form is ‘age appropriate’. Information would be considered age appropriate if it is:

  • appropriate for a child of the youngest age in a targeted age range, where the entity’s service is targeted at a particular age range of children; or
     
  • otherwise, appropriate for a child aged between 10 and 12 years.

In contrast, the UK Children's Code does not prescribe a fixed default age bracket, instead directing services to consider the developmental needs of children across five suggested age ranges (0–5, 6–9, 10–12, 13–15, and 16–17), tailored to the actual or likely profile of their users. 

A high-level overview of the key requirements contained in the Code is set out below.

Best interests of the child

With some limited exceptions, all collection, use and disclosure of children's personal information would need to be consistent with the ‘best interests of the child’ (BIC), a principle taken from the United Nations Convention on the Rights of the Child. 

When assessing whether any collection, use or disclosure of children’s personal information is consistent with BIC, the draft Explanatory Statement for the Code indicates that entities would need to consider:

  • child exploitation risks;
     
  • likely mental, physical or developmental impacts on the child;
     
  • the extent to which the child’s ability to develop and express themselves, or their freedom of association, play, leisure or participation in social, cultural or educational activities, may be affected;
     
  • whether particular groups of children may be disproportionately or adversely impacted (e.g. children with disabilities); and
     
  • the evolving capacities of children (e.g. differences in age, maturity and development stages across childhood).

While collecting, using, or disclosing personal information in a manner consistent with the BIC would not preclude an entity from pursuing its own commercial or other interests, the Code would require that entities prioritise a child's interests where they conflict with their own commercial purposes.

Effectively, the BIC requirement would impose additional requirements on top of existing APP obligations (such as APP 3 for collection, APP 6 for use and disclosure, and APP 7 for direct marketing specifically) and would remove the ability for entities to rely on certain exceptions currently provided under APP 6 or APP 7.3. For example, in complying with APP 6.1 (Use or Disclosure) an entity would not be permitted to use or disclose personal information about a child unless the child has consented to the use or disclosure and the use or disclosure is consistent with the BIC. An entity could no longer rely on the exception under APP 6.2, which would otherwise permit the use or disclosure of an end user’s personal information for a secondary purpose of collection, in the absence of consent, even where that secondary purpose was within the reasonable expectations of the end user and related to the primary purpose. 

Similarly, under APP 7, using or disclosing personal information about a child for the purpose of direct marketing would only be permissible if, among other requirements, consent has been obtained, use or disclosure is in the BIC, and the personal information has been collected directly from the child. This would now preclude an entity from using personal information about a child that is collected from a third party to undertake direct marketing. 

The UK Code also adopts a BIC standard, but treats this as an overarching design principle to be considered when developing online services. In contrast, the Australian Code would impose BIC as a condition on individual acts of data handling.

Ascertaining age

Entities would need to take steps that are reasonable in the circumstances to ascertain end-user age before collecting personal information. Assessing what steps are reasonable would depend on the risk of harm arising from handling the end-user’s personal information for any given service. Relevant factors would include the type of personal information collected, the volume that is collected and whether the personal information is disclosed to third parties. Higher risk services would require a higher degree of certainty on end-user age. 

The Code would also enable personal information to be collected to the extent necessary to ascertain the end-user's age. However, any sensitive information would need to be deleted if collected for this purpose, unless limited exceptions apply. This requirement to ascertain end-user age would not apply if the protections afforded to children in the Code were applied by the entity to their services irrespective of end-user age.

Entities that have collected personal information before the Code commences would not be required to ascertain the age of existing users. However, they would be expected to take reasonable steps to ascertain the age of users before any further information is collected after the Code commences. 

Privacy by default

Emulating the UK Children’s Code, the Code would also effectively mandate that online services are configured to ‘high privacy by default’, given that many children simply accept the default settings they are provided upon first using a service and never change them. The Code would require entities to implement technical and organisational measures that ensure the default design of the service only enables personal information about a child to be collected, used or disclosed where it is strictly necessary (as distinct from reasonably necessary) to provide the entity's service. The collection of personal information about a child that is reasonably necessary (but not strictly necessary) for providing the service must not be enabled by default. Rather, it must be the subject of transparent and active choice by the end user.

The ‘privacy by default’ obligation would apply to both existing and new user accounts once the Code commences. This means that entities would need to take measures to ensure that all service accounts captured by the Code are set to ‘high privacy by default’. 

Age of consent

The Code would set the age of consent by a child to the collection, use or disclosure of their personal information at 15 years old, and would require parental consent for children under that age (with limited exceptions). Where consent is obtained from a person with parental responsibility, the entity would need to take reasonable steps to verify that the person, in fact, has parental responsibility for the child. The entity would need to provide the child with an age appropriate notice detailing, amongst other prescribed matters, how the information would be handled. In contrast, the UK Children's Code follows UK GDPR Article 8, which provides that where an entity relies on consent, only children aged 13 or over may provide it themselves. Parental authorisation is otherwise required for children under 13.

Consent requirements

Consent to the collection, use or disclosure of personal information about a child would need to be:

  • voluntary (bundled consents would be prohibited), 
     
  • informed (written notices would be required before collection, use or disclosure), 
     
  • current (consent may last for a maximum of 12 months), 
     
  • specific (express designated purposes would need to be identified), 
     
  • unambiguous (which would effectively preclude entities from seeking consent through, for example, silence or opt-outs), and 
     
  • capable of being withdrawn at any time. 

Coercion

Consent to collection, use or disclosure could not be obtained by coercion (e.g. no ‘confirmshaming’ by using guilt-inducing language to manipulate individuals into opting in). Use of coercive consent methods would likely infringe APP 3.5, which requires the collection of personal information by lawful and fair means.

Assent

The Code would introduce the novel concept of ‘assent’. When a child under 15 years of age enables an entity to collect sensitive information or use / disclose their personal information for a secondary purpose or for direct marketing, the entity would need to seek the child’s assent: 

  1. to that collection, use or disclosure; and 
     
  2. for the entity to contact a relevant person with parental responsibility to obtain their consent to that collection, use or disclosure. 

The assent requirement would maintain parental consent as the legal authorisation for the collection, use or disclosure while still involving the child in this process. There would effectively be a two-step permission process: the entity would first need to obtain assent from the child (via an age appropriate notice) then obtain consent from the person with parental responsibility. 

Transparency for privacy documents

Entities whose services are likely to be accessed by children would be required to have a privacy policy specifically directed at children. They would also need to ensure that any collection notices provided to children are suitable. This may be in the form of either a separate version of the entity's privacy policy or a single version of the privacy policy that can be understood by both children and adults. These policies and notices would need to be clear, concise, transparent, age appropriate, free of legal jargon / technical expressions, and incorporate non-text material such as graphics or video where appropriate. The privacy policy would also need to specifically include age appropriate explanations of how an end-user may deal with the entity anonymously or by pseudonym.

The draft Explanatory Statement clarifies that these requirements are not intended to extend to an entity whose service is primarily concerned with the activities of children, but is not likely to be accessed by them.

Annual review

Entities would be required to review and update their privacy practices (those required under APP 1.2) at least annually to ensure compliance with the APPs and the Code, and keep records of those reviews for possible production to the Commissioner. 

Enhanced access right

The Code would introduce an enhanced right for children (or persons with parental responsibility) to request information about an entity's handling of their personal information. This would be subject to specific timeframes. The general requirement is a response within 30 days (or a shorter period, if reasonable), with a 60-day extension available for significantly complex requests where notice is given. 

Access and correction requests

The Code would impose the same specific timeframes (i.e. the 30/60-day requirement) on organisations to respond to access and correction requests under APPs 12 and 13. If the entity provides a child with access to their personal information, access would need to be provided in a simple, easy to understand and age appropriate way that enables the child to meaningfully understand what personal information is held by the entity.

Destruction of personal information about a child

Entities that hold personal information about a child would be required to destroy specified personal information about a child if they are asked by the child or a person with parental responsibility to do so. This obligation would be subject to limited exceptions (e.g. if the entity is required by law to keep it). If an entity refuses a destruction request, it would be required to provide an age appropriate written notice of its reasons and information on the available complaint mechanisms. In any case, organisations would generally be required to respond to a request within 30 days after the request is made, or within 60 days in complex cases.

Notifications for control / monitoring mechanisms

An entity would be required to notify the child if it has mechanisms that enable a person with parental responsibility to control / monitor the child’s use of the service or to monitor the child’s geolocation data. If an end user is using a mechanism to monitor the child’s geolocation data, the entity would be required to additionally notify the child of this fact while the monitoring is occurring. The notification would need to be age appropriate, given as soon as practicable after the mechanism is used, and easily accessible to the child.

Inquiries and complaints

Entities would be required to have child-friendly processes that enable children and people with parental responsibility to make requests / complaints (including requests to access, correct or destroy personal information about the child). The draft Code sets out specific requirements for such information and processes (e.g. an entity would need to take reasonable steps to deal with an inquiry or complaint within 30 days after it is made).

Privacy impact assessment (PIA)

Entities would be required to conduct a PIA before launching a new service or activity that is likely to be accessed by children or that will be primarily concerned with the activities of children. The draft Code sets out the content that would need to be included in the PIA. Entities would also be required to maintain and publish online a register of these PIAs, and provide copies of the register and any PIA to the Commissioner upon request. 

Privacy education and training

Entities would be required to provide privacy education and training at least annually to all personnel who have regular or frequent access to children's personal information. Entities would also be required to keep records of the education and training provided, and provide these records to the Commissioner on request.

What are some of the potential consequences of breaching the Children’s Online Privacy Code?

Once the Code is registered, a breach may constitute an interference with the privacy of an individual under section 13 of the Privacy Act and be subject to an investigation by the Commissioner under Part 5 of the Privacy Act. Serious or repeated interferences with privacy can attract civil penalties under section 13G of the Privacy Act.

Preparing for anticipated reform

The OAIC is mandated to register the Code by 10 December 2026. Accordingly, the question is not whether the Code will be enacted, but what its final form will look like after the current consultation closes. 

If enacted in its current form, the Code would have significant and fundamental implications for APP entities collecting and handling children’s personal information in digital or online environments. For entities, major technical, operational, process and policy changes would be required to ensure compliance. Early preparation would need to involve, amongst a raft of other considerations:

  • auditing current data collection and handling practices; 
     
  • stress testing age assurance mechanisms; 
     
  • examining current default mechanisms when collecting children’s personal information; and 
     
  • considering how the BIC test would be overlaid across each decision in the lifecycle of collecting and handling a child’s personal information. 

The Children’s Online Privacy Code’s consultation period

The Code is open for public consultation until 5 June 2026. Industry organisations may engage with the consultation process by making a written submission or by participating in a Virtual Roundtable. Following the consultation, the OAIC will consider any submissions made within the consultation period and must register the Code by 10 December 2026. The commencement date for the Code, together with a proposal for a grace or transition period, is yet to be determined. The Attorney-General's media release announcing the release of the exposure draft stated that the Code ‘will be in place’ by 10 December 2026. 


Authors

Eugenia Kolivos

Head of Intellectual Property

James North

Head of Technology, Media and Telecommunications

Rachael Rozengurt

Law Graduate


This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.
