Draft Children’s Online Privacy Code released for consultation: Submissions close 5 June 2026

The Code’s application

The Code will apply to an entity covered by the Act if:

• the entity provides one or more of the following:
  • a “social media service” being a platform on which individuals can interact and share content – these platforms include social media platforms, review platforms and chat forums;
  • a “designated internet service” which enables users to receive or access material online, for example, streaming platforms, cloud storage and consumer smart devices; and
  • a “relevant electronic service” whereby users can communication with other users, for example. online games with chat functions, email services, messaging applications and video call platforms,

    as defined in the Online Safety Act 2021 (Cth);

• children are likely to access the online service or the service primarily concerns children’s activities; and
• the entity is not a health service provider.

Accordingly, the Code will apply much more broadly than just to social media platforms and will also capture online games, messaging services, educational tools and streaming platforms where these online services are likely to be accessed by children or are primarily concerned with their activities.

Key obligations

There are a range of new obligations which may impact significantly on online services providers required to comply with the Code. Key obligations include:

• Age verification: Reasonable steps must be taken to ascertain the age of end-users such as implementing age assurance measures. When determining what steps are reasonable, the risk of harm which may arise from the collection, use or disclosure of a child’s personal information must be considered. This requirement will not apply retrospectively.
• Data minimisation: Entities must implement technical and organisational measures which, by default, result in children’s personal information being collected, used and/or disclosed only to the extent strictly necessary to provide the service.
• Collection, Use and Disclosure: Any collection, use or disclosure of a child’s personal information must be consistent with their best interests.
• Consent: While children 15 and over may consent to the collection, use and disclosure of their personal information, if children are aged under 15, consent from an adult with parental responsibility must be obtained. Consent is required to be:
  • voluntary – consent that is “bundled” ie a request seeking an individual’s consent to multiple collections, uses or disclosures of their personal information will not be voluntary. Individuals must be able to consent (or not consent) to each individual collection, use or disclosure of the personal information; and
  • informed (with specific content requirements for privacy collection notices), current, specific, unambiguous and able to be withdrawn.
• Transparency: If a service is likely to be accessed by a child, an entity must have a version of each of its Privacy Policy and privacy collection notice(s) that is directed specifically at children and meet content and form requirements.
• Rights: In addition to the rights to request access to and correction of personal information, opt-out of direct marketing and make a privacy complaint, there are additional new rights, namely:
  • the right to request information about the handling of personal information; and
  • the right to request the destruction of personal information.

These new rights are not available currently to the broader community under the Australian Privacy Principles.

• Monitoring of service use and geolocation: Where a parent or carer can see a child’s location or control a child’s activity when using a service (for example where they can impose a restriction on making in-app purchases), the child must be informed that the service is being restricted or monitored or that their location may be observed. Where an end-user of a service can monitor the geolocation of another user who is a child (for example if a mobile app permits end-users to share their real-time location with friends), the child must be notified “throughout” the period while monitoring (ie sharing of location) is occurring, for example, by the display of an illuminated icon or other sign. There are requirements for the form of the notification.

Clearly, many of the changes required for relevant online services are significant and will take a considerable time and expense to implement.

Next Steps

Roundtables for industry stakeholders will be held and expressions of interest in attending a roundtable can be completed here. Industry stakeholders are also encouraged to lodge written submissions. The OAIC will also be conducting a Regulatory Impact Analysis, being a cost-benefit analysis of the Code’s implementation.

Full details of the consultation are available here.

As stated above, the Code must be registered by 10 December 2026 so there is still a great deal of work to be undertaken before this can occur.

We will be monitoring the progress of the Consultation closely. Please don’t hesitate to contact Addisons’ Privacy & Data Protection team if you require further information.