Online platforms face civil penalties for breaching new rules protecting children's data
Australia's privacy regulator released rules on 31 March to protect children's personal data online.
The Office of the Australian Information Commissioner (OAIC) published the exposure draft of the Privacy (Children's Online Privacy) Code 2026, establishing new obligations for online services that children access or that primarily concern children's activities. The Code covers social media services, relevant electronic services, and designated internet services, and applies to entities bound by the Privacy Act 1988.
The Code introduces a central "best interests of the child" standard across data collection, use, and disclosure. Entities must collect only personal information that is strictly necessary to provide their service. They cannot collect, use, or disclose children's data for direct marketing without explicit consent, and that consent must be voluntary, informed, specific, current, and unambiguous. The Code requires entities to implement technical and organisational measures ensuring children's data defaults to minimal collection.
Consent to the collection, use, or disclosure of personal information about a child may only be given by the child if the child is at least 15 years of age. For children under 15, entities must obtain consent from a person with parental responsibility and must notify the child of the consent given on their behalf. The Code explicitly prohibits bundled consent requests, pre-ticked boxes, and coercive or manipulative consent practices.
Children themselves, persons with parental responsibility for a child under 15, and persons with parental responsibility for a child aged 15 or over who lacks the capacity to make the request, may all request the destruction of personal information an entity holds about that child. If a request is made, the entity must destroy the information, subject to limited exceptions including legal proceedings, regulatory retention obligations, and public safety concerns. Entities must respond to destruction requests within 30 days, or 60 days in complex cases. Entities must also conduct privacy impact assessments before launching new services likely to be accessed by children, and must publish a register of those assessments online.
A breach of the Code will amount to a breach of the Privacy Act and may carry significant civil penalties. The Code complements Australia's Social Media Minimum Age obligation, which took effect in December 2025, but covers a broader range of digital services including games, streaming platforms, and educational tools.
In a news release, Privacy Commissioner Carly Kind noted that estimates suggest around 72 million pieces of data are collected about a child by the time they turn 13, exposing them to risks from data breaches, discrimination, algorithmic bias, and targeted advertising of harmful products, amongst other risks. Public consultation runs for 60 days, until 5 June 2026, before the Code becomes law in December 2026. The OAIC works towards registering the Code on 10 December 2026.
The OAIC developed the Code under the Privacy and Other Legislation Amendment Act 2024, following consultation with children, young people, experts, parents, and carers.
