IP Whiteboard

Not child’s play! What you need to know about the Children’s Online Privacy Code

18 June 2025

On 12 June 2025, the Office of the Australian Information Commissioner (OAIC) announced the release of its Issues Paper on the forthcoming Children’s Online Privacy Code (the Code). This is the latest step in ongoing efforts to ensure that an aging regulatory framework keeps pace with the challenges presented by the always evolving digital economy.

The OAIC has invited submissions from a wide range of stakeholders on several key topics:

  • The challenges children face in the digital environment and their expectations of privacy.
  • The appropriate scope and coverage of the Code.
  • How privacy policies can be made clear and age-appropriate.
  • Strengthening consent mechanisms for children’s data collection and use.
  • Limiting use and disclosure of children’s personal information for marketing or profiling.
  • Implementing robust security measures for children’s data.
  • Suggestions for additional requirements that should be imposed on organisations.
  • How to align with international frameworks while recognising Australian legal and social contexts.

Why this Code matters

The Privacy Act 1988 (Cth) was amended in December 2024 to require the OAIC to develop the Code. The Code must set out how the Australian Privacy Principles (APPs) are to be applied or complied with in relation to the privacy of children. The Code may also introduce additional requirements, provided they are not inconsistent with the APPs.

The Code will apply to APP entities that provide the following types of online services likely to be accessed by children:

  • Social media services: Platforms where users connect, share content, and interact, such as social networks, media-sharing sites, forums, and review platforms.
  • Relevant electronic services: Online services that facilitate communication, including messaging apps, email, video calling platforms, and online games with chat functions.
  • Designated internet services: Online services that allow users to access or receive material over the internet, such as cloud storage, streaming platforms, and consumer IoT devices.

The Code is not proposed to apply to health service providers. However, the OAIC also retains the discretion to include or exclude certain APP entities or classes of entities, which means that the health sector could potentially be included if the OAIC determines it is appropriate in the future.

Importantly, the Issues Paper indicates that the intention is not to prevent children from engaging with these services, but rather to protect them when they do so by ensuring that strong privacy protections apply. The Issues Paper suggests that this may be an opportunity to elevate privacy practices across the economy, by providing an indication of what the OAIC considers to be best practice from a compliance perspective. Accordingly, even companies that do not provide services targeted at children should pay heed.

What will the Code do?

Key APPs that may be affected include:

  • APP 1 (Open and Transparent Management of Personal Information): The Code may require entities to ensure their privacy policies and practices are clear, accessible, and understandable to children. This could involve using child-friendly language, graphics, or multimedia content to explain privacy matters.
  • APP 5 (Notification of the Collection of Personal Information): Entities may be required to provide clear and age-appropriate notifications to children about what information is being collected and why. The Code may dictate particular or specific requirements.
  • APP 3 (Collection of Solicited Personal Information): The Code may propose stricter standards for obtaining consent from children or their guardians before collecting personal information and may require entities to minimise the amount of data collected from children.
  • APP 6 (Use or Disclosure of Personal Information): The Code is likely to propose restrictions on the use and disclosure of children’s personal information, particularly for marketing or profiling purposes, unless clear and informed consent is obtained.

Practical implications for privacy practitioners

  1. Increased regulatory scrutiny: Privacy practitioners should be aware that regulators, including the OAIC and eSafety, are focussed on protecting the interests of children and other vulnerable people. These regulators will work together to scrutinise the practices of organisations that provide services to children and ensure that appropriate safeguards are in place. The social media ban for children under 16, which will come into effect in December 2025, is one example of how these regulators will be working hand in hand on these issues.
  2. International considerations: Some multinational organisations may already be required to comply with similar requirements overseas, such as the UK’s Children’s Code (also known as the Age-Appropriate Design Code). Where possible, organisations should leverage experience from those jurisdictions to inform their approach to the new Code. In addition, we expect that many submissions in response to the Issues Paper will encourage the OAIC to ensure that any Code in Australia is able to operate in harmony with regulatory frameworks that apply overseas. A disjointed and inconsistent international regulatory framework presents significant challenges for digital businesses looking to operate on a global basis.
  3. Internal governance: The Issues Paper asks what ‘reasonable steps’ look like for key privacy obligations when children are involved. Privacy practitioners should ensure that decisions about age-assurance, default privacy settings, and consent processes are well documented and can be explained to regulators if needed. Making a submission to the OAIC now is the best way to ensure best practice or technical workability is reflected in the Code.
  4. Transparency and risk management: The Code may require child-specific privacy impact assessments, clear and accessible notices, and opt-in consent processes. Failing to meet these requirements could be seen as a systemic compliance issue, with both privacy and online safety regulators taking an interest.

A new compliance landscape for privacy practitioners

OAIC enforcement powers

The 2024 reforms have given the OAIC stronger enforcement tools, including a three-tier civil penalty regime, infringement notices, and the ability to order compensation. Once the Code is made, a breach of it will also be considered an ‘interference with privacy.’ For serious breaches, penalties can be extremely high. Even less serious breaches can result in significant fines.

eSafety’s expanding role

At the same time, the eSafety Commissioner is developing new industry codes and pushing for stronger protections for children online. The review of the Online Safety Act 2021 (Cth) recommended more investigatory powers and higher penalties. Many platforms will be regulated by both the OAIC and eSafety, so privacy practitioners need to be aware of overlapping obligations and enforcement risks.

Future litigation risk

A key risk is the right of action under the amended section 80UA of the Privacy Act. This provision allows individuals to seek compensation and other remedies from organisations, but only after the Federal Court has determined that a civil penalty provision has been contravened.

After a civil penalty finding is made — potentially as a result of a breach of this new Code — affected individuals can apply to the court for orders including compensation for loss or harm, corrective action, preventative orders, and public disclosures. This right is not independent, being triggered by successful regulatory action, but it opens the door to follow-on litigation from individuals, including the possibility of class actions if breaches affect large numbers of children.

For organisations, this means that a regulatory penalty for breaching the Code could be just the beginning. Once a contravention is established in court, the organisation may face a wave of individual claims or a class action, significantly increasing both financial and reputational exposure.

Further, the uncertainty surrounding the practical application of section 80UA — such as the types of harm that will be compensable and the potential for emotional distress to be included — adds another layer of unpredictability. The lack of a cap on damages under section 80UA, in contrast to the statutory tort for serious invasions of privacy, means that the financial consequences of a breach could be substantial.

Final thought

This is not the final consultation. After this initial engagement, the OAIC will prepare a draft of the Code, which is expected to be released in early 2026. The OAIC will then be required to consult on the draft for 60 days. Ultimately, the Code is unlikely to come into effect until December 2026. Accordingly, this is simply an early step in what will be a long process. While there is ample opportunity to contribute to the debate, organisations that hope to influence the development of the Code should seek to engage at an early stage.

The Code is intended to embed child-centric privacy protections into the heart of Australia’s digital economy, directly shaping how the APPs are interpreted and applied to services accessed by children. While this may increase compliance requirements for digital businesses, it also presents opportunities for innovation, trust-building, and alignment with international standards. Nonetheless, its interaction with the updated Privacy Act, the direct right of action, and eSafety’s growing mandate will create a complex set of obligations for organisations in a crowded regulatory landscape.

Featured image: ‘Security, castle, secure, internet’ by TBIT, 17 February 2016, Pixabay, CC0.
