OAIC invites consultation on Children’s Online Privacy Code 

10 July 2025

Last year, the Privacy and Other Legislation Amendment Act 2024 (Cth) updated the Privacy Act 1988 (Cth) (Privacy Act) and introduced a mandate for the Office of the Australian Information Commissioner (OAIC) to develop and register the Children’s Online Privacy Code (Code) within 2 years. The Code will be in place by 10 December 2026.

You can read our article on the Code here, as well as an overview of the other recent changes to the Privacy Act here.

The OAIC is now consulting on the content of the Code, which will specify how online services accessed by children must comply with the Australian Privacy Principles (APPs) and may impose additional requirements, provided they are not inconsistent with the APPs.

The Privacy Act has not kept pace with changes in our digital environment, children’s digital engagement or the scale of personal information collection online. In response, the recent changes to the Privacy Act introduced a mandate for the OAIC to develop the Code, placing children at the centre of privacy protections in Australia.

The Code is being developed to address the particular vulnerabilities of children and the privacy risks they are exposed to when interacting online. Children may not fully understand the implications of their online activity, particularly the serious risks related to scams, identity theft, fraud, data breaches and certain marketing practices.

The concept of the Code has been informed by similar legislation established in overseas jurisdictions such as the UK’s Age Appropriate Design Code and Ireland’s Children’s Fundamentals for Data Processing.

The OAIC has engaged in initial consultation directly with children which has assisted in shaping the framing of the Issues Paper. Feedback from this group of stakeholders has underscored that existing protections and consent mechanisms are not sufficient for children online, reinforcing the need for stronger, more tailored privacy safeguards. The themes emerging from the children’s consultation process include:

  • overall concerns about privacy and a call for stronger protections;
  • calls for more transparency about data use practices and age-appropriate communication;
  • clarification on requirements for informed consent;
  • improving children’s digital literacy;
  • fortifying children’s agency over their personal information;
  • calls for data minimisation, privacy by default and design; and
  • concerns about data security and protection from online harms.

The OAIC has now invited other stakeholders, including digital platforms, advertisers, civil society, academics and other interested parties to respond to an Issues Paper seeking information and views to inform the OAIC’s development of the Code. This phase of consultation builds on the insights gathered from children and is intended to complement those perspectives by exploring, from an industry point of view, how the Code may impact the current digital landscape in Australia and how it can be designed to more effectively protect children’s privacy in the context of our digital environment and existing legal framework.

General questions in Issues Paper

The Issues Paper seeks feedback on the scope of services covered by the Code, when and how the Code should apply to entities and whether protections should vary depending on the age and developmental stage of children, and how the Code will interact with relevant APPs including in relation to issues such as clear privacy policies, informed consent and giving children greater control over their personal information.

The Code will apply to online services likely to be accessed by children, which includes social media platforms, certain websites, games, messaging and other apps and streaming platforms, but will not apply to health service providers.

The OAIC has raised the possibility of age-based guidance so that protections and interfaces are tailored effectively. The Issues Paper proposes age-ranges for this guidance, acknowledging the different developmental stages and needs of children. The Issues Paper also acknowledges the impact that factors such as neurodiversity and learning differences can have on developmental needs. The following age-ranges have been identified:

  • 0-5: pre-literate and early literacy;
  • 6-9: core primary school years;
  • 10-12: transitional years;
  • 13-15: early teens; and
  • 16-17: approaching adulthood.

Issues Paper and Australian Privacy Principles

The Issues Paper is structured around each of the APPs, setting out targeted questions on how these principles apply in the context of children’s privacy. It highlights the OAIC’s focus on ensuring that privacy policies are accessible for children, so they are better equipped to understand their rights. It also emphasises the importance of ensuring that consent, where required, is meaningful and appropriately obtained. More broadly, the Issues Paper outlines the OAIC’s objective to strengthen protections for children’s personal information in the online environment, recognising that children often begin interacting with digital services at an early age and are regularly subject to data collection, use and disclosure by the organisations they engage with.

APP 1 Open and transparent management of information

The Issues Paper asks questions relating to how information can be made accessible to children, whether that be privacy policies of entities in a format best understood by children or information on how children and their parents can make a complaint or inquiry about privacy and how APP entities can respond in a child friendly way.

APP 2 Anonymity and pseudonymity

Through the Issues Paper, the OAIC seeks information on how APP entities can provide children with meaningful options to use services anonymously or under pseudonyms. The Paper asks stakeholders to consider scenarios where it would be justifiable to require children to identify themselves to access an APP entity’s service and whether there are instances where age assurance technologies conflict with an individual’s right to remain anonymous or pseudonymous.

These questions overlap greatly with the Social Media Minimum Age legislation which has prompted the Age Assurance Technology Trial and the development of age verification technologies.

APP 3 Collection of solicited personal information 

APP 3 stipulates that APP entities must only collect personal information that is reasonably necessary for or directly related to their functions or activities. The Issues Paper seeks context on what should be considered ‘necessary’ and ‘fair’ in the context of personal information. It also seeks to learn how APP entities can obtain genuine consent from children, or their parents or guardians, for the collection of sensitive information.

APP 4 – Dealing with unsolicited personal information

The OAIC is seeking stakeholder feedback on processes APP entities should implement in relation to unsolicited personal information related to children. The OAIC also questions how APP 4 should apply specifically in relation to the privacy of children.

APP 5 – Notification of the collection of personal information

The Issues Paper seeks stakeholder feedback on methods that can be employed by APP entities to ensure children are aware of data collection practices in a manner that is age-appropriate and can easily be understood by children, taking into consideration children with diverse needs including those from culturally and linguistically diverse backgrounds or living with disability.

These questions highlight the OAIC’s attempt to encourage a best practice approach regarding notification and awareness of collection of personal information.

APP 6 – Use or disclosure of personal information

The Paper asks for suggestions on how APP entities can seek genuine consent from children, parents or guardians for the use or disclosure of personal information which ensure that they comprehend the implications of such use or disclosure.

APP 7 Direct marketing

While direct marketing can sometimes be permissible under APP 7 on the basis that the individual would ‘reasonably expect’ this to occur, it may be arguable whether it is appropriate to do so for minors. The Issues Paper seeks stakeholder views on how an entity could ensure that it creates a reasonable expectation that it may use or disclose a child’s personal information for the purposes of direct marketing.

The Paper also seeks feedback on how entities can ensure mechanisms are in place for children to opt-out of receiving direct marketing communications in a simple and accessible way.

APP 8 Cross-border disclosure of personal information

The OAIC has raised awareness to the need for APP entities to ensure that cross-border transfers of children’s personal information are conducted in a way that protects children’s privacy rights, particularly when laws in other countries may not offer equivalent protections.

The Issues Paper also highlights the need for APP entities to communicate with children about the risks of cross-border data transfers.

APP 10 Quality of personal information and APP 13 – Correction of personal information

The Issues Paper seeks consultation on what ‘accurate’, ‘up to date’, ‘complete’ and ‘relevant information’ means in the context of children’s personal information, specifically considering the evolving developmental and digital engagement stages, and the dynamic nature of a child’s life and the potential challenges in maintaining this data.

The Paper also considers processes or mechanisms which should be established to allow children to request corrections of their personal information easily.

APP 11 Security of personal information

The Issues Paper separates measures into specific technical measures and specific organisation measures that the APP entities should adopt to safeguard children’s personal information from security risks.

APP 12 Access to personal information 

The OAIC is asking stakeholders to consider the mechanisms around how children could easily access their own personal information and to consider whether there are circumstances where providing a child access may not be in their best interests as well as circumstances where a parent or guardian may be able to make an access request on behalf of their children and when this is appropriate.

APP 9 regarding the adoption, use or disclosure of government related identifiers is not mentioned in the Paper.

What next?

Input from industry, civil society, academia and other interested stakeholders is being sought until the end of this month, with submissions closing on 31 July 2025.

The OAIC is also inviting children, young people and parents to share their views on children’s online privacy to ensure the Code reflects their voices and experiences through a separate open consultation, available through the OAIC Consultation page.

HWL Ebsworth’s Privacy, Data Protection and Cyber Security team has extensive experience advising on privacy obligations and issues. If you have any questions or concerns about the upcoming Children’s Code and your potential obligations, please do not hesitate to contact us.

This article was written by Daniel Kiley, Partner, Lucy Hannah, Special Counsel, and Bellarose Watts, Law Graduate.

Daniel Kiley

Partner | Adelaide

Lucy Hannah

Special Counsel | Melbourne

Important Disclaimer: The material contained in this publication is of general nature only and is based on the law as of the date of publication. It is not, nor is intended to be legal advice. If you wish to take any action based on the content of this publication we recommend that you seek professional advice.

Subscribe to HWL Ebsworth Publications and Events

HWL Ebsworth regularly publishes articles and newsletters to keep our clients up to date on the latest legal developments and what this means for your business.

To receive these updates via email, please complete the subscription form and indicate which areas of law you would like to receive information on.

  • This field is hidden when viewing the form
    What type of content would you like to receive from us?

Contact us

GET IN TOUCH