The Office of the Australian Information Commissioner (OAIC) has published an exposure draft of the landmark Privacy (Children’s Online Privacy) Code 2026 (Code), which crystallises expectations around how personal information of children must be collected and handled under the Privacy Act 1988 (Cth) (Privacy Act).

The Code applies on a “per service” basis to providers of social media services, relevant electronic services or designated internet services (as defined in the Online Safety Act 2021 (Cth)), that are likely to be accessed by children (excluding health services). This is intended to capture a broad range of applications, including “family photo sharing applications” and “internet-connected baby monitors”.

The finished Code must be registered by 10 December 2026, however the OAIC is yet to confirm its commencement date.

Key features of the draft Code include:

  • Consent-based model – with some exceptions, consent will be required for the collection, use and disclosure of a child’s personal information;
  • Stricter limits on collection, use and disclosure – personal information may only be collected where strictly (rather than reasonably) necessary to provide the relevant service, and where it is consistent with the best interests of the child;
  • Enhanced consent requirements – for under-15s, consent must be given by a parent or guardian, and businesses must take reasonable steps to verify the parental responsibility of those individuals. Additionally, businesses must also seek to obtain “assent” (i.e. affirmation) from under-15s in specific circumstances (e.g. in respect of direct marketing or collection of sensitive information). Limited exceptions allow under‑15s to provide their own consent, including for legal or health‑related support. In all cases, an age‑appropriate notice explaining how their information will be used, the consequences of not consenting, and withdrawal rights;
  • Age assurance expectations – this builds on recent reforms under the Online Safety Amendment (Social Media Minimum Age) Act 2024 (Cth) by extending the requirement for platforms to take reasonable steps to ascertain the age of end-users, having regard to the risk profile of the relevant services (including volume and sensitivity of data processed). Further guidance on how businesses can manage concurrent (and often conflicting) privacy and online safety obligations is expected once the eSafety Commissioner has been consulted on the Code;
  • Mandatory privacy governance measures – businesses who provide services primarily accessed by children must maintain a separate, child‑friendly version of their APP 1 privacy policy, and must notify children if their parents or guardians are monitoring their use of the service or tracking their geolocation;
  • A right of destruction of personal information about children – this can be exercised by children themselves, or their responsible parent or guardian, to allow them to reduce their digital footprint before they move into adulthood; and
  • Mandatory privacy impact assessments (PIAs) – these will be required for high‑risk processing activities involving children, together with a requirement to maintain a PIA register.

Public consultation on the Code is open until 5 June 2026, and children, parents and carers, industry and civil society and other interested parties are invited to provide feedback on the draft Code.