Lander & Rogers

What the proposed Children's Online Privacy Code means for your organisation


Child privacy laws in Australia are under review, with the Australian Information Commissioner (Commissioner) releasing the Exposure Draft of the Privacy (Children’s Online Privacy) Code 2026 (Children’s Online Privacy Code or Code) for public consultation. The Code, which was contemplated by the first tranche of reforms to the Privacy Act 1988 (Cth), is required under the Privacy Act to be in place by 10 December 2026.

The Code is intended to strengthen children’s privacy protections online, and represents a step-change in Australian privacy obligations. Entities bound by the Code will need to significantly uplift their privacy practices to comply.


Key takeaways

Australian Privacy Principle (APP) entities should assess whether the proposed Code will apply to all or part of their online services. The application of the Code is broad, covering a range of online services:

  • designed for children (under the age of 18);
  • that are not designed for children but are accessed and used by children; and
  • that are not designed for, or accessed by, children but collect substantial amounts of personal information about children.

Entities bound by the Code should:

  • create child-facing privacy policies and collection notices;
  • review their current information collection, access and complaints handling processes and uplift these as necessary to align with the Code’s child-friendly requirements (including obligations in relation to consent and use of information in the best interests of children);
  • ensure they have processes in place to undertake privacy impact assessments and create a privacy impact assessment register; and
  • investigate options to implement age verification for services.

Who will be bound by the Children's Online Privacy Code?

The Children’s Online Privacy Code will apply to a service provided by an APP entity if it is a social media service, relevant electronic service (a communication service, such as a messaging app or email service) or designated internet service (a service that allows users to access material over the internet, such as a streaming platform) and:

  • is likely to be accessed by children or primarily concern the activities of children; and
  • is not a health service.

The services covered include services:

  • that are made for children to use (eg games, educational apps, children’s versions of websites);
  • that are not made for children, but are used by children (eg messaging or social media sites designed primarily for adults); and
  • that are not made for or used by children, but involve the collection, use or sharing of a high volume of personal information about children (eg online school management systems, family photo sharing apps, early childhood development apps and internet-connected baby monitoring devices).

The Code applies at the service level and not at the entity level as a whole. Consequently, the services of an APP entity may be caught by the Code, even if the entity's primary business does not concern the provision of services to children: for example, a bank that provides a pocket money app for children.

Key obligations for APP entities bound by the Code

Age verification

The Code requires APP entities to take reasonable steps to ascertain the age of end users before collecting their personal information.

Entities will not be required to verify the age of end users in certain circumstances, including where the entity decides to apply the privacy protections afforded to children under the Code to all end users.

These age verification obligations are distinct from the social media age restriction laws.

Necessity limitation

An entity must only collect personal information about a child that is strictly necessary to provide the entity’s service. This obligation narrows the scope of information which an entity may collect and reflects a data minimisation and “privacy by default” approach.

Best interests of the child

Under the Code, an entity generally must not collect personal information or sensitive information about a child unless the collection of information is consistent with the best interests of the child.

Further, an entity must not use or disclose personal information about a child unless consent has been obtained and the use or disclosure of the information is consistent with the best interests of the child.

Consent and assent

The Code expressly states that consent may only be given by a child if the child is at least 15 years of age. If a child is under the age of 15, consent must be obtained from a person with parental responsibility for the child.

The Code also introduces a new assent process for children under the age of 15. In certain circumstances an entity must obtain the assent of a child to collect sensitive information and to use or disclose personal information for a secondary purpose (including direct marketing).

Transparency requirements

The Code requires entities to have a version of their privacy policy that is specifically directed at children. Additionally, collection notices must be age appropriate and presented in a way that can be understood by a child.

Requirements for conducting a privacy impact assessment

An entity must conduct a privacy impact assessment if:

  • the entity proposes to provide a new service or a new activity that is likely to be accessed by children or will be primarily concerned with the activities of children; or
  • the entity proposes to adopt a new or changed way of handling personal information in relation to an existing service or activity that is likely to have a significant impact on the privacy of children.

An entity must keep a register of all privacy impact assessments it conducts under the Code and publish the register online.

The rights of children under the Code

Right to request information about handling of personal information

Under the Code, if a child or person with parental responsibility for a child requests access to personal information about the child under APP 12.1, the child or person may also request information about the handling of the child’s personal information. In most cases, entities must respond to requests within 30 days.

Opting out of direct marketing

Without limiting existing obligations under APP 7, an entity must provide an age-appropriate and easy-to-find mechanism for a child to opt out of direct marketing communications.

Enquiries and complaints

An entity must provide children with clear, concise, transparent and age-appropriate information about the:

  • kinds of personal information the entity may collect, use and disclose;
  • kinds of enquiries and complaints individuals can make about the collection, use and disclosure of their personal information; and
  • potential outcomes for those enquiries or complaints.

In addition, an entity’s enquiries and complaints process must be clear, accessible, and expressed in age-appropriate language.

Is your organisation ready for the Children's Online Privacy Code?

With the Code due to be in operation by December 2026, organisations should confirm as a priority whether the Code applies to their services — and if so, begin planning for compliance now.

If you have any questions about the Children’s Online Privacy Code or would like assistance planning for compliance, please contact our experienced privacy law team.
