Children’s Online Privacy Code: What you need to know? - Carroll & O'Dea Lawyers

Back to "Community & Associations Newsletter - June 2026"


Children’s Online Privacy Code: What you need to know?

Australia is set to introduce a landmark Privacy (Children’s Online Privacy) Code 2026 (Code). It signals new involvement by the privacy regulator and the e-Safety regulator, each pursuing child protection mechanisms. An exposure draft of the Code was released by the Office of the Australian Information Commissioner (OAIC) on 31 March 2026. The Code is part of the broader tranche 1 privacy law reforms[1] and is expected to be in place by 10 December 2026. Consultation is in its third stage and closes on 5 June 2026.

Who will it apply to?

The Code will apply to a broad range of services likely to be accessed by children under 18 years old, or that are primarily concerned with the activities of these children – whether or not children are the intended audience. It will apply beyond the recent social media ban and reach apps, websites, online platforms and digital tools including, for example, early childhood development trackers, family photo-sharing apps and school management systems. Importantly for the NFP sector, this is not limited to “tech companies”. It may capture organisations offering:

  • educational platforms or learning tools;
  • community or youth‑focused digital services; and
  • donation or engagement apps used by young people.

Even services not designed for children may be caught if children are reasonably likely to access them.

What will change?

The Code introduces new and higher standards for handling children’s personal information. Some proposed changes include:

  • best interests obligations;[2]
  • data minimisation by default;[3]
  • stronger consent and assent rules;[4]
  • age assurance;[5]
  • destruction obligations;[6]
  • notification of parental control and monitoring;[7] and
  • cross-border disclosure and consent.[8]

The Code also contemplates mandatory privacy impact assessments and child-specific privacy training[9] as well as annual review of privacy practices[10].

Additional obligations for services likely to be accessed by children include:

  • a standalone child-friendly privacy policy;
  • age-appropriate privacy collection notices; and
  • child-friendly language in inquiry and complaints.

Looking ahead

The Code is part of a broader move to align privacy, online safety and digital regulation in Australia. We consider that compliance is best practice, whether or not an NFP falls under the Code. The regulatory message is clear: privacy by design is no longer optional.

Sophia Chen, Special Counsel
Josephine Heesh, Partner

[1] Under the exposure draft, the Code is made under subsection 26GC(1) of the Privacy Act 1988 (Cth).

[2] Collection, use and disclosure of personal information must be consistent with the best interests of the child. See the exposure draft under sections 10 and 11 of the Code.

[3] Implement measures to only collect, use or disclose personal information that is strictly necessary to provide the service. See the exposure draft under section 9 of the Code.

[4] Consents cannot be ‘bundled’ and are valid for a maximum of 12 months. Children under 15 require parent/guardian consent and assent from the child under certain circumstances. Under the exposure draft, section 20 of the Code provides for assent of a child under 15 years old. In particular under section 20(1), if “(a) a child under 15 years of age is an end-user of the entity’s service; and (b) the child enables the entity to: (i) collect sensitive information about the child; (ii) use or disclose personal information about the child for a purpose other than the purpose for which it was collected; or use or disclose personal information about the child for the purpose of direct marketing.”, section 20(2) requires the entity to seek the specific assent of the child “(a) to that collection, use or disclosure; and (b) for the entity to contact a person with parental responsibility for the child for the purposes of obtaining consent to that collection, use or disclosure”.

[5] Organisations may need to take reasonable steps to determine a user’s age before collecting data. See the exposure draft under section 8 of the Code.

[6] Personal information must be destroyed permanently on request of the child or a person with parental responsibility (with limited exceptions). It is not sufficient to de-identify personal information. See the exposure draft under section 32 of the Code.

[7] Ongoing notification to the child of parental control or monitoring or geolocation monitoring. See the exposure draft under section 19 of the Code.

[8] Information provided to a child must be clear, concise, age appropriate and not misleading in general. See the exposure draft under section 26 of the Code. This also applies when seeking consent to disclose information overseas. See the exposure draft under section 26 of the Code.

[9] See the exposure draft under division 8 of the Code.

[10] See the exposure draft under section 25 of the Code.
