OAIC's Children's Online Privacy Code: what to expect

5 minute read | 05.05.2026 | Sonja Read, Chelsea Gordon, Fiona Chui, Kate Dimes Letters and Wanda Kuai

The OAIC's draft Children's Online Privacy Code introduces new obligations for online services accessed by children, including stricter consent, data collection, and privacy policy requirements.

Key takeouts

  • The Code is intended to supplement the APPs and provide clearer obligations for how online services are expected to protect the privacy of children.
  • The Code's scope has expanded to include services primarily concerned with children's activities, such as school management systems and internet-connected baby monitors.
  • The OAIC seeks feedback on the draft Code, due in final form by 10 December 2026. Penalties for breaches reach $3.3mil, with greater penalties for serious privacy interferences.

Reform at a glance

On 31 March 2026, the Office of the Australian Information Commissioner (OAIC) released the exposure draft of the Children's Online Privacy Code (Code), along with the Exposure Draft Explanatory Statement for the Privacy (Children's Online Privacy) Code 2026 (Draft Code Explanatory Statement), seeking public input.

The draft Code forms part of the Australian Government's broader privacy overhaul under the Privacy and Other Legislation Amendment Act 2024 (Cth) (Amendment Act). An overview of other key changes to the Privacy Act 1988 (Cth) (Privacy Act) is set out in our article, Privacy Milestone: First Tranche of Privacy Reforms Passed. Below, we take a closer look at the proposed Code and what it means for Australian Privacy Principle entities (APP entities).

The Amendment Act requires the OAIC to develop the Code to address online privacy for children by 10 December 2026. The Code must address how the Australian Privacy Principles (APPs) apply in relation to the online privacy of children. Since the Amendment Act received Royal Assent in 2024, the OAIC has undertaken two rounds of public consultation. Key stakeholder feedback informs the current draft Code.

What this means for your business

The Code will apply automatically to APP entities that provide a 'social media service', 'relevant electronic service', or a 'designated internet service' (as these terms are defined in the Online Safety Act 2021 (Cth)) which is likely to be accessed by children and the entity is not providing a health service (pursuant to section 26GC(5), Privacy Act).

The Code also includes additional APP entities that it will apply to, if:

  • the entity is a provider of a social media service, relevant electronic service or designated internet service (all within the meaning of the Online Safety Act 2021 (Cth));
  • the service is primarily concerned with the activities of children; and
  • the entity is not providing a health service.

We will refer to APP entities to which the Code applies as Code Entities in this article.

The OAIC has provided examples of services 'primarily concerned with the activities of children', including applications that track early childhood development, family photo sharing applications, online school management systems that monitor student performance and internet-connected baby monitors. This represents a notable extension of scope to the entities specified under the Privacy Act (s 26GC) which refers only to the services 'likely to be accessed by children'. The Draft Code Explanatory Statement clarifies this extension was driven by stakeholder consultation and strong public interest.

APP entities providing online health services are excluded from the Code (Code, section 5(c)), as are carriage service providers within the meaning of the Telecommunications Act 1997 (Cth) (Code, section 6), such as internet service providers.

As discussed in our article eSafety Commissioner issues notices to 4 AI companies, some artificial intelligence (AI) companies are already being regulated by the Commonwealth eSafety Commissioner as entities subject to the Online Safety Act 2021 (Cth). AI companies that deliver Code Services should also be mindful of the Code.

How will the Code apply?

The Code has activity-based application. This means the Code will only apply to services of a Code Entity that fall within the scope of the Code, rather than all the services of a Code Entity as a whole. The draft Code provides the following example: a pocket money app offered by a bank would be covered by the Code because it is likely to be accessed by children, whereas the bank's home loan app would not.

Key obligations under the draft Code

The draft Code sets out a number of key obligations for Code Entities. At a high level, these include:

  1. Ascertaining Age (Code, section 8): Code Entities will be required to take reasonable steps to ascertain the age of end-users. What is reasonable will depend on the circumstances but may include age verification and parental attestation. This is not a retrospective requirement, but Code Entities will need to ascertain the age of existing end-users before collecting further information post-commencement. Code Entities must also destroy any information obtained solely for the purpose of age ascertainment, a more stringent requirement than APP 11.2, which permits either destruction or de-identification.
  2. 'Strictly necessary' collection by default (Code, section 9): Code Entities must implement technical and organisational measures that ensure the entity, by default, only collects, uses or discloses personal information about a child that is strictly necessary to provide the entity's service. This is a higher standard than APP 3, which permits collection that is 'reasonably necessary' for an entity's functions and activities. Code Entities may still collect personal information about a child that is 'reasonably necessary' for their functions and activities, but these settings must be able to be easily switched 'on' or 'off' by the child and be 'subject to appropriate transparency and choice'.
  3. Collection, use, and disclosure must be reasonably consistent with the best interests of the child (Code, sections 10 and 11): The Code requires that the collection of a child's personal information must be consistent with the best interests of the child, in addition to its being reasonably necessary for a function or activity under APP 3. Further, Code Entities must not use or disclose personal information about a child unless consent has been obtained and the use or disclosure is consistent with the best interests of the child. This means Code Entities would not be able to rely on the exception under APP 6.1 that an individual would reasonably expect the secondary use or disclosure.

    When considering the best interests of the child, Code Entities may have regard to the risk of child exploitation, the likely mental and physical impacts on the child, the likely impact on the cognitive development of the child, and the extent to which the activity may limit the child's ability to express their views, or freedom of association.

  4. Additional consent obligations (Code, division 2): The Code also specifies an age of consent, and emphasises that consent must be 'voluntary, informed, current, specific and unambiguous' (mirroring requirements under the Social Media Minimum Age scheme in Part 4A of the Online Safety Act 2021 (Cth)). In particular:
    1. Minimum age of consent (Code, section 13): Consent can only be given by a child if they are at least 15 years of age. For children under the age of 15, consent must be given by a person with parental responsibility for the child (e.g. parent, legal guardian). However, if a child under the age of 15 is 'seeking legal or health-related information or support in connection with a person with parental responsibility for the child', parental consent is not required (Code, section 13).
    2. Assent of a child under 15 years (Code, section 20): In some cases, even if parental consent is provided, the Code Entity may still be required to obtain the 'assent' of the child by providing age-appropriate notifications of relevant information (section 20). Assent is required to enable a Code Entity to collect sensitive information about a child under 15 years, or to use or disclose the child's personal information for a secondary purpose or direct marketing.
    3. Consent must be voluntary, current, informed, and specific (Code, sections 14 to 19): The Code requires consent to be voluntary, current, informed, and specific. Persistent prompts, 'nudge techniques', and bundled consents are not permitted (Draft Code Explanatory Statement, section 14). Code Entities must also provide privacy notices in simple, age-appropriate formats, including in relation to cross-border disclosures (Code, section 26). Notably, consent will no longer be current after 12 months from the day it is given (Code, section 15), meaning Code Entities will need to obtain fresh consent to continue handling a child's personal information.
  5. Privacy Policy requirements (Code, section 23): Code Entities whose services are likely to be accessed by children must have a privacy policy 'directed specifically at children', which may include non-text material such as icons or animations. This can be met either by developing a separate child-specific privacy policy, or by having a single policy written in clear, simple language that can be understood by both children and adults. This requirement does not extend to Code Entities whose services are primarily concerned with the activities of children but are not likely to be accessed by children directly.
  6. Notification of collection (Code, section 24): The Code provides additional obligations to APP 5 for Code Entities whose services are likely to be accessed by children. These Code Entities will be required to provide notifications which are clear, easily accessible, transparent, and age-appropriate to facilitate the meaningful involvement of children in privacy decisions.
  7. Review of privacy practices (Code, section 25): A Code Entity, in complying with APP 1.2, will have an explicit obligation to review and update its privacy practices and procedures at least annually and to keep records of the reviews and updates undertaken.
  8. Access to information (Code, sections 27, 28 and 30): A child, or a person with parental responsibility for a child, has the right to request access to personal information (as under APP 12.1), and the Code requires that information be provided in an age-appropriate manner. The Code also provides a right to request information about the entity's handling of the child's personal information, such as the existence of automated decision-making. Code Entities (other than agencies) must respond within 30 days where reasonable, and no later than 60 days for more complex requests.
  9. Destruction of personal information (Code, section 32): The Code requires Code Entities to destroy personal information about a child upon request from the child or a person with parental responsibility. This is stronger than APP 11.2, which allows either destruction or de-identification. Code Entities must respond within 30 days, or 60 days for more complex requests. Exceptions apply where retention is required under another Australian law or where destruction would be unlawful.
  10. Mandatory privacy impact assessments (PIAs) (Code, sections 38 and 39): Code Entities must conduct and record PIAs when considering any new service likely to constitute a Code Service, or when introducing changes to how personal information is handled that are likely to have a 'significant impact' on children's privacy. Section 38 sets out the factors that must be considered. Code Entities should begin developing PIA procedures if these are not already part of their data management practices.
  11. Privacy education and training (Code, section 40): Code Entities must ensure that all personnel who have 'regular or frequent access' to children's personal information participate in training on the protection of that information. Training must be provided as soon as practicable after commencement of employment or engagement, and at least annually thereafter. Record-keeping requirements also apply.

Penalties for non-compliance

Once the Code is registered, a breach will be an 'interference' with an individual's privacy under the Privacy Act which can attract a civil penalty of 10,000 penalty units (currently a value of $3.3mil). If the interference amounts to a 'serious interference', the maximum penalty for bodies corporate is the greater of:

  1. $50,000,000;
  2. 3x the value of the benefit attributed to the contravening conduct; or
  3. 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

The OAIC also has powers under Part 5 of the Privacy Act to undertake investigations for breaches of the Code.

The Amendment Act also introduced a statutory tort for serious invasions of privacy (Privacy Act, schedule 2), which creates a cause of action for individuals subject to a serious invasion of privacy arising from intentional or reckless conduct. We discuss this tort in more detail in our article statutory tort for serious invasions of privacy comes into force. Code Entities that misuse personal information relating to a child, including in breach of Code requirements, may face court proceedings.

Key dates and status

The draft Code is currently under consultation until 5 June 2026. Following this consultation period, the OAIC must register the Code by 10 December 2026. The commencement date of the Code has yet to be determined. We note the Code is subject to change following this consultation period. We expect further guidance to come from the OAIC on or from 10 December 2026.

Our perspective

The draft Code provides more specific and, in some cases, stricter guidance for how existing privacy obligations apply in the digital era to online services likely accessed by children, or which primarily concern the activities of children. The Code recognises the vulnerability of children as service users and echoes the Australian Government's commitment to modernise the Privacy Act to facilitate innovation while fostering public trust in digital services. The reforms present Code Entities with an opportunity to review legacy systems and consider whether current privacy practices remain fit for purpose and appropriate. Early engagement and preparation will be critical to managing scope, cost and compliance risk ahead of registration of the Code.

What you should do now

Code Entities can begin preparing for the Code by:

  1. developing age-appropriate consent forms and privacy policies;
  2. reviewing collection practices including whether default privacy settings collect personal information about children which is 'strictly necessary' to provide services, and whether collection is in the best interests of the child;
  3. updating PIAs to ensure consideration of factors set out in the Code;
  4. considering current response times to requests for access to and destruction of personal information against the proposed timeframes; and
  5. uplifting privacy training and relevant record-keeping practices to meet Code requirements.

https://www.minterellison.com/articles/oaics-childrens-online-privacy-code-what-to-expect