INSIGHT

Children’s privacy: what’s next for the upcoming OAIC code?

By Gavin Smith, Emily Cravigan, Renee Preketes-Tardiani, Cassandra Reilly
Cyber Data & Privacy Risk & Compliance Technology, Media & Telecommunications

Bolstering safeguards without restricting use 11 min read

The second phase of the process run by the Office of the Australian Information Commissioner (OAIC) to develop a new Children's Online Privacy Code has commenced, with the release of an Issues Paper on 12 June 2025. The OAIC is inviting industry submissions on critical focus areas to assist in determining which services should be covered by the Code and how existing privacy principles could be enhanced to safeguard children's privacy rights.

This consultation process will inform the development of a draft Code to be released by the OAIC early next year for public comment before a final Code is registered prior to 10 December 2026.

Key takeaways 

  • As one of the more significant outcomes of the first tranche of privacy reforms under the Privacy and Other Legislation Amendment Act 2024 (Cth), the OAIC is mandated to finalise the Code by 10 December 2026.
  • The Code will capture entities regulated by the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) (Privacy Act), specifically targeting social media services, Relevant Electronic Services or Designated Internet Services likely to be accessed by children.
  • In its most recent phase of targeted consultations, the OAIC released an Issues Paper on 12 June 2025 and is currently seeking submissions on the potential scope of the Code, as well as specific questions regarding how the Code should deal with each of the APPs.
  • Although it is too early to predict exactly what the Code will cover, we expect it may seek to impose more specific requirements regarding privacy policies and collection notices provided to children. It also appears the OAIC may explore imposing specific obligations regarding targeted advertising to children, default privacy settings and children's rights to have their information deleted.
  • Affected organisations should consider proactively engaging in this consultation process, which closes on 31 July 2025.
  • See here for more information about the upcoming consultation.

What is the Code?

Background

In 2023, the Government signalled broad support for the Privacy Act to be overhauled, agreeing (or agreeing in principle) with the majority of reforms proposed in the Privacy Act Review Report. One of those Proposals (Proposal 16.5) was a recommendation to consult broadly (with children, parents, experts, industry and the eSafety Commissioner) to introduce a Children's Online Privacy Code that applies to services that are ‘likely to be accessed by children’. In late 2024, this recommendation was passed into law pursuant to the Privacy and Other Legislation Amendment Bill 2024 (Cth) (although the bulk of the other expected Privacy Act reforms were parked for a later date). It is not currently known when the next tranche of reforms will be introduced, but we could see movement on this within the next 12 months.

What the Code can and can't do

The Code aims to enhance existing privacy principles to create a more secure digital environment and uphold the privacy rights of children without restricting their use of digital technologies. Building upon the existing APPs, the Code will specify how the APPs should apply to children's personal information. Importantly, the Code will not restrict children's use of digital technologies and will not implement new prohibitions.

Will your organisation be captured by the Code?

The Code will apply to entities covered by the Privacy Act that offer any of the following services that are 'likely to be accessed by children':

  • social media services;
  • Relevant Electronic Services (as defined in the Online Safety Act 2021 (Cth))—broadly, these are services that allow people to communicate, such as messaging apps and online games with chat functions; or
  • Designated Internet Services (as defined in the Online Safety Act 2021 (Cth))—including websites and other online platforms where people store and share content.

The Code could capture other types of organisations, eg manufacturers or providers of internet-connected devices that collect children's personal information, such as baby monitors, smart toys and wearables.

The Code will not apply to health service providers (so as not to impact the provision of essential services to children). This is consistent with the scope of the UK Information Commissioner's Age Appropriate Design Code that became mandatory in the United Kingdom in 2021 (the UK Code). Note that it is intended that the scope of the Code will align with the scope of the UK Code.1 The UK Code applies to 'information society services likely to be accessed by children' in the United Kingdom, including many apps, programs, connected toys and devices, social media platforms, streaming services, online games, and news or educational websites.

Consultation timeline

The OAIC has adopted a robust, strategic and phased approach to develop the Code.

  • Phase 1 commenced in January 2025 and is focused on gathering the views of children, parents and organisations concerned with children's wellbeing, through youth polls and workshops. As part of this phase, submissions are being sought directly from children and parents as part of the OAIC's child-rights-based approach. This consultation period runs concurrently with Phase 2 and concludes on 30 June 2025.
  • Phase 2 commenced in April 2025 and broadened the consultation to civil society organisations, academia and industry stakeholders. In addition to the Issues Paper just released, this consultation phase will also feature stakeholder roundtables in early July 2025.
  • Phase 3 will begin in early 2026 with a draft Code published on the OAIC’s website. This will be open for comment for a minimum of 60 days, offering additional opportunities for the public and industry to provide feedback.
  • The final Code must be finalised and registered by 10 December 2026.

Key focus areas for consultation

Key findings from initial consultations with children (Phase 1)

The OAIC reports that in its initial consultations with children, it gained crucial insights into children's perspectives on their digital rights. The OAIC notes that children want increased control over their information, particularly when it comes to targeted advertising and the collection of geolocation data. There is also concern about the accessibility of privacy policies, with current consent mechanisms often perceived as inadequate and many children feeling disempowered. See section, 'Looking ahead: What might the Code seek to cover' below for our analysis regarding what the OAIC's findings from Phase 1 might tell us about potential areas of focus moving forward.

Questions the OAIC seeks to address in the current Phase 2 consultation

In the current Phase 2 consultation, organisations are encouraged to provide submissions on a range of questions. Some examples are below.

  • Scope of services covered by the Code: What types of services should be included under the Code, such as AI chatbots and EdTech services, and what services should be excluded or subject to alternative requirements?
  • Threshold for the Code to apply: what should constitute 'likely to be accessed by children', and what steps should organisations be required to take to ascertain if children are likely to access their services? During a webinar on 13 June 2025 hosted by Dr Kate Bower, Director of the OAIC's Taskforce, organisations were encouraged to assess the nature and content of their services, their appeal to children and existing data regarding user demographics and children's usage patterns.
  • Age and developmental stage protections: how should protections vary based on children's age and developmental stage? What role, if any, should age-gating or other access control mechanisms play in meeting obligations under the Code?
  • Security of children's data: what organisational and technical measures should be considered reasonable to safeguard children's data?

Collaboration with the eSafety Commissioner

The OAIC has flagged it will consider holding targeted roundtables with organisations affected by amendments to the Online Safety Act 2021 (Cth), which will ban social media for under-16s, set to take effect by December 2025. The OAIC has also indicated it has been actively collaborating with the eSafety Commissioner to evaluate how these bodies can work together and deliver clear, unified messaging to stakeholders regarding their obligations under both regimes.

Additionally, the OAIC is partnering with the Government to examine the compatibility of the Code with the proposed digital duty of care which, if introduced, would also impact many of the same stakeholders. Legislating a digital duty of care is expected to be high up the legislative agenda for the Government following recommendations arising from the independent statutory review of the Online Safety Act and the Joint Select Committee's report on Social Media and Australian Society, titled ‘Social media: the good, the bad and the ugly’. The proposed duty would require digital platform providers to take reasonable steps to prevent foreseeable harms and undertake regular risk assessments against enduring harms. Whilst the model to legislate this duty has not yet been earmarked, it has been recommended that Australia leverages lessons from, and harmonises with, the prescriptive rules-based approach adopted in the UK Online Safety Act 2023 and the principles-based risk assessment and mitigation obligations imposed under the EU Digital Services Act.

Looking ahead: what might the Code seek to cover?

As noted above, the Code cannot introduce new requirements that are inconsistent with the APPs or that fundamentally change the current model regarding personal information collection and use. The OAIC must work within the current principles-based framework that generally allows entities to collect, use and share personal information on the basis of consent or that such handling would be reasonably expected.

Of course, it is too early to predict exactly what the Code will contain—the purpose of the current consultation is to assist the OAIC to frame up the draft Code it will release for further consultation early next year.

Our assessment of the most likely areas of focus for the OAIC are set out below. These draw upon areas of emphasis in the Issues Paper, the current state of the more general proposed Privacy Act reforms and international developments. We expect that the OAIC's Taskforce will work closely with the Attorney-General's Department on the manner in which the Code will interact with any proposed upcoming tranche 2 amendments to the Privacy Act.

  • More prescriptive notification and transparency obligations (APPs 1 and 5): the Issues Paper suggests that a theme arising from consultation to date is that current notification practices are not sufficiently transparent—privacy policies and collection notices do not enable children to understand how their data is being used. There is also a concern that children's consent to data use may not be informed or meaningful. This commentary in the Issues Paper indicates that the OAIC may seek to impose more prescriptive requirements regarding the presentation of privacy policies and collection notices for children, including the mandatory use of certain user-friendly layouts and icons to improve readability. This would align with Proposal 10.1 of the 2023 Privacy Act Review Report (that collection notices be concise and understandable) as well as Proposal 10.3 (that standardised templates, layouts, terminology and icons be developed for use in privacy policies and collection statements). This type of reform would be in step with the UK Code (which requires that privacy policies be easily understandable for children) as well as the GDPR which requires privacy policies to use age-appropriate terminology and visualisation where appropriate.
  • Targeted advertising (APP 7): the Issues Paper flags concerns with targeted advertising to children, citing a potential lack of transparency and informed consent. It remains to be seen how the proposed draft Code may interact with any attempt to move forward with Proposals 20.5 and 20.6 of the 2023 Privacy Act Review Report (which have been accepted by the Government in principle). These Proposals seek to prohibit direct marketing and targeting to a child unless in the child's best interests. Note that the UK Code requires that profiling (creating user profiles for targeted advertising) should be switched off as default (unless there is a compelling reason to use it) and that the best interests of the child must be a primary consideration in all data-processing activities, including targeted marketing.
  • Data minimisation: the Issues Paper makes specific mention of data minimisation, stating that Australian children 'want default privacy settings on online platforms to be automatically set to high, and default geolocation settings to be automatically turned off.' This aligns with Proposal 11.4 of the Privacy Act Review Report (accepted in principle by the Government) that online privacy settings should reflect the privacy by default framework of the Act, and that online service providers should be required to ensure privacy settings are clear and easily accessible. Note that the UK Code requires that services offer the strongest privacy settings by default and that only data strictly necessary for providing the specific online service is collected from children. The UK Code also provides that the collection of geolocation data requires an express opt-in.
  • Right to erasure: the Issues Paper asserts that children want the ability to direct that their data be deleted, eg after consent is withdrawn or a period of inactivity. It remains to be seen whether the Government will seek to introduce a right of erasure into the Privacy Act in accordance with Proposals 18.3 and 18.5, which were accepted in principle.

Actions you can take now

  • Review your services: conduct an assessment to determine which of your organisation’s digital services could be 'likely to be accessed by children'.
  • Engage with OAIC consultations: consider whether your organisation wishes to participate in the current OAIC consultation, which closes on 31 July 2025 (noting that submissions may be made available to the public on the OAIC's website).
  • Stakeholder roundtables: stay informed about the upcoming stakeholder roundtables scheduled for July 2025.
  • Monitor developments: track further announcements from the OAIC regarding the draft Code expected early next year.

Footnotes

  1. See the explanatory memorandum to the Privacy and Other Legislation Amendment Bill 2024 (Cth).