On 31 March 2026, the Office of the Australian Information Commissioner (OAIC) published the Exposure Draft of the Children's Online Privacy Code (Code). The OAIC is seeking feedback on the Exposure Draft until 5 June 2026. There is an Explanatory Statement that accompanies the Code.

This Exposure Draft is a result of the first tranche of privacy reforms implemented in late 2024 that legislated for the OAIC to develop such a code. The OAIC commenced its public consultation on the code at the beginning of 2025.

The Code is due to be registered by 10 December 2026; however, it is not clear at this stage when the Code will be in force. As such, it is uncertain what kind of ‘transition period’ will apply to allow businesses to ensure compliance with the Code before it commences. The OAIC has invited submissions on this.

Purpose of the Code

The purpose of the Code is to set out how certain entities are to comply with their obligations under the Australian Privacy Principles (the APPs) in respect of children. Under the Exposure Draft, an entity that provides online services (in broad terms, social media, communications services, gaming services and services that allow materials to be accessed over the internet, such as apps and internet-connected devices) that are either:

  • likely to be accessed by children; or
  • primarily concerned with the activities of children,

will be covered by the Code. Health service providers as well as carriage service providers (for example telcos and internet service providers) are excluded from the Code.

The OAIC has not provided any guidance so far, either in the Code or the accompanying Explanatory Statement, as to when a service is “likely to be accessed by children” – for instance, whether a threshold test may be applied. This will obviously be a key issue for business. It will be interesting to see whether consultation on the Exposure Draft will result in any guidance on this issue.

Core provisions of the Code

The Code specifies with relative granularity how relevant entities are to collect, use and disclose the personal information of children. In many respects, the Code aligns with the United Kingdom's Age Appropriate Design Code (UK AADC).

In some parts, the Code imposes requirements that do not have an equivalent under the Privacy Act (for example, the requirement to ascertain the age of an end-user), and in other parts, provides more granular detail around how an entity can comply with their APP obligations in respect of children (such as maximum time periods to respond to privacy complaints).

The core themes that underpin the Code are:

  • ‘Strictly necessary’ by default: entities must only collect (and hold) personal information that is strictly necessary to provide services. This is intended to align with the ‘high privacy by default’ standard under the UK AADC – although the Code reads as a more stringent requirement.
  • Best interests of the child: children's personal information must be collected, used and disclosed consistent with the ‘best interests of the child’. This adopts the standard under the United Nations Convention on the Rights of the Child.
  • Requirement to ascertain age: entities must take reasonable steps to ascertain the age of end-users. What is reasonable will depend on the nature of the service and the risk of harm.
  • Age-appropriate documentation: entities must ensure that their privacy documentation is age appropriate. This extends to privacy policies, collection notices, privacy consents and so forth.
  • Consent: the age of consent is set at 15 years of age (and the rules regarding what constitutes consent are relatively prescriptive, as compared to the APPs). For children under the age of 15, parental consent must be obtained (and the entity must take reasonable steps to confirm a person has parental responsibility for their child). In certain circumstances, the assent of the child under 15 must be obtained before parental consent is sought. 15 years of age is a higher threshold than the UK AADC, which sets the age of consent at 13. The requirement to seek the assent of a child under 15 in certain circumstances, before seeking parental consent, also has no equivalent in the UK AADC.
  • More prescriptive rules: more prescriptive rules apply in respect of opting out of direct marketing, the right to access personal information and the right to correct personal information. Additional rights extend to obtaining information about privacy handling practices and the right of erasure.
  • Privacy impact assessments (PIAs) and training: PIAs must be performed (and published) in respect of services or activities that are likely to be accessed by children or that primarily concern the activities of children. PIAs must also be performed for any new or changed ways of handling personal information that are likely to have a significant impact on children's privacy. Annual training on the handling of children's personal information must also be performed.
  • Annual review: privacy practices, procedures and systems must be reviewed at least annually, to ensure compliance with the APPs and the Code. This sets a higher standard than the UK AADC.

Significant step-change for privacy compliance

  • Prior to the Code coming into force: all online businesses will need to assess whether they fall within the scope of the Code, and the extent to which any of their services are covered by the Code.
  • If within the scope of the Code, privacy policies and practices will need to be reviewed to ensure that they are age-appropriate and give effect to the substantive requirements of the Code. Together with privacy training, these activities will need to recur on a periodic basis. For many businesses, this has the potential to require a radical rethinking of how they handle children's personal information, particularly in how they collect children's personal information and whether consent is obtained to do that, and potentially personal information more generally. Although some of the requirements of the Code are prescriptive, many of the requirements are principles-based and will require a specific assessment of how they should apply to the relevant business.
  • PIAs will need to be performed (and published) in respect of any new or changed services or activities that are likely to be accessed by children, are primarily concerned with the activities of children, or have a significant impact on the privacy of children.

Foreshadowing future changes to the Privacy Act

The Code also foreshadows potential future changes to the Privacy Act that would apply to all businesses (not limited to children's privacy). As we have previously written, the government has partly implemented the recommendations made in its Privacy Act Review; however, many of the recommendations have not yet been implemented (for example, in respect of consent, PIAs, right of deletion). Some of these relate to matters that are addressed in the Code, and it is conceivable that, if implemented more broadly, the government will adopt a similar position to that expressed in the Code.