A Second Layer on Top of the Ban
On 31 March 2026, the Office of the Australian Information Commissioner (OAIC) released the exposure draft of the Privacy (Children's Online Privacy) Code 2026. Public consultation closes 5 June 2026, and the OAIC must register the Code by 10 December 2026 — the same date on which Australia's Online Safety Amendment (Social Media Minimum Age) Act 2024 finishes its first full year of enforcement against under-16 social media accounts.
The Code does not amend the under-16 ban. It layers on top of it. Where the eSafety Commissioner's regime applies to a defined list of ten age-restricted social media platforms — Facebook, Instagram, TikTok, Snapchat, YouTube, Reddit, X, Threads, Twitch and Kick — the new Code reaches every social media service, relevant electronic service or designated internet service that is "likely to be accessed by children," together with anything "primarily concerned with the activities of children." A toddler photo-sharing app, a school management portal, a kids' coding game, a music-streaming service whose recommender pulls in a school cohort — all are pulled into scope.
The Strongest Case For It
The case in the Code's favour is real and should not be dismissed. Australia's privacy regulator has spent years documenting how mainstream services collect intimate behavioural data from children — geolocation, viewing history, classroom-grade inferences — and feed it into the same advertising and recommender machinery built for adults. The Privacy Act 1988 never gave the OAIC tools tailored to that problem.
The draft Code introduces five concrete protections a parent will recognise: a duty to act in the "best interests of the child," consent before children's data is used for targeted advertising, a right for children to demand destruction of their data, parental notification when an adult is consenting on behalf of an under-15, and a requirement that geolocation tracking be visibly disclosed. These mirror obligations the United Kingdom's Age Appropriate Design Code has already pushed major platforms to ship globally; on its own terms, the Code is a sensible upgrade to a 1988 statute that pre-dates the smartphone.
Where It Risks Going Wrong
The harder question is age assurance. The Code requires entities to "take steps as are reasonable in the circumstances to ascertain the age of end-users" before collecting their personal information, with stronger certainty demanded of higher-risk services and softer assurances accepted from lower-risk ones. There is an escape hatch — apply child-specific protections to every user regardless of age, and the duty falls away — but few commercial services will accept that trade for their adult base.
For the many platforms outside eSafety's list of ten, this means a new and untested duty. The Age Assurance Technology Trial commissioned by the Department of Infrastructure and conducted by the Age Check Certification Scheme reported in August 2025 that "no substantial technological barriers" exist to age assurance, tested across 48 vendors and more than 60 technologies. Less prominently, the same 1,150-page report warned of "concerning evidence" that vendors were already over-collecting personal data in anticipation of regulator demands. That is the proportionality problem in miniature: a child-protection rule that quietly enlarges the surface area for adult-identity collection.
The Twin Test: Privacy and Speech
A pro-innovation reading of the Code rests on two anchors. First, risk-proportionate must mean what it says. A forum that sells used bicycles should not face the same assurance burden as a livestreaming platform recommending content to teenagers, and a homework-help site with a few hundred Australian users should not be pushed to license biometric estimation just to keep operating. Second, the parental-responsibility verification step for under-15s should not be allowed to become a de-facto government-ID gate. The Electronic Frontier Foundation, writing in May 2026 about a parallel California social-media ban, warned that age-verification regimes "create new dangers to free expression and privacy" — a point Australian civil-society groups, including Digital Rights Watch, have echoed in the OAIC's own consultation tracks.
There is also a speech tail. The under-16 ban already pulls a sizeable cohort of Australian teenagers off mainstream social media. The Code will compound that by pushing identity-verification logic into services never on eSafety's list — homework forums, fan-fiction archives, indie chat servers — many of which cannot afford a commercial assurance vendor and may simply geofence Australia out. That is a real cost the consultation process should weigh against the genuine benefits.
What to Watch Before 10 December
Three issues will decide whether the Code ages well. First, whether the explanatory statement is sharpened to give small and medium services a workable "lower-risk" pathway short of full ID checks. Second, whether the parental-responsibility verification for under-15s is read down to credentials a parent already holds — a co-signed school enrolment, a linked family-payment account — rather than re-identification of adults. Third, whether the OAIC commits to publishing the privacy impact assessments of the major assurance vendors before the Code is registered, not after.
Australia is now running the world's most ambitious experiment in children's online privacy. The instruments are powerful; the risk is the same as for every powerful instrument — that proportionality is asserted but never enforced.