Children’s privacy

The Children’s Online Privacy Code will be registered on 10 December 2026, marking a substantial regulatory shift for organisations that handle the personal information of children.

As a legislative instrument, the Children’s Online Privacy Code will affect how the Australian Privacy Principles (APPs) are applied and impose additional requirements for the collection, use or disclosure of children’s personal information.

The Exposure Draft of the Code and its Explanatory Statement were made available by the Office of the Australian Information Commissioner (OAIC) on 31 March 2026 and the window for public comment closes on 5 June 2026. The commencement date and transition period for the Code are yet to be confirmed.

Who will be affected?

The Code will apply to APP entities who provide online ‘social media services’, ‘relevant electronic services’ or ‘designated internet services’ (as defined by the Online Safety Act 2021) that are likely to be accessed by children or are primarily concerned with the activities of children.

‘Carriage service providers’ under the Telecommunications Act 1997 and entities providing health services are excluded.

Examples of online services to which the Code will apply have been provided by the OAIC and embedded as notes in the draft Code. There is potential for some categories to be interpreted broadly. For example:

• platforms that allow people to connect, interact and share content, including discussion forums;
• online services that facilitate communication, including applications for messaging, email, video calling and gaming;
• websites and applications that let users receive/access material online, including IoT devices (connected sensors, cameras, tools or wearables);
• online management systems for schools; and
• systems that monitor or track a child’s academic performance, physical development, geolocation or online activities.

Compliance requirements

In its current form, the Code will require affected APP entities to implement a wide range of changes to technical, operational, organisational and consent processes.

By default, an organisation’s systems will need to:

• only collect personal information about a child that is strictly necessary;
• not collect, use or disclose information unless it is in the best interests of the child; and
• allow the child to control any other information collected.

Consent may only be given by a child who is at least 15 years old. Parental consent is required for all younger children and “reasonable steps” must be taken to confirm that the person giving consent has parental responsibility.

Even where a parent provides consent, the child must still receive an age-appropriate notice stating:

• the information to which the notice relates;
• the purpose of the collection, use or disclosure of the information;
• the period for which the entity will rely on the consent;
• the consequences of consenting, and not consenting, to the collection, use or disclosure of the information;
• the child’s right to withdraw the consent at any time and the process for withdrawing consent;
• how the information will be used; and
• where the consent is for disclosure – the recipients of the information.

Consent must also be voluntary, informed, current, specific, unambiguous and accompanied by a clear, simple and accessible means for withdrawal of consent.

What next?

If you provide online services you will need to:

• determine the extent to which the Code applies to your business;
• assess the operational changes your business requires; and
• update policy documentation and prepare accessible materials before the Code comes into effect.

We note there is potential for the OAIC to further revise the draft Code before registering the final version.

Page Seager can assist with privacy compliance and advice.