Australia's world-first ban on under-16 social media accounts has reached the moment every regulator eventually faces: the day the rules meet reality. On 31 March 2026, the eSafety Commissioner published her first compliance update on the Social Media Minimum Age obligation, which took effect on 10 December 2025 under the Online Safety Amendment (Social Media Minimum Age) Act 2024. The verdict was unflattering. eSafety identified "a number of poor practices that give rise to compliance concerns" and opened investigations into Facebook, Instagram, Snapchat, TikTok and YouTube for potential non-compliance. Commissioner Julie Inman Grant has signalled an enforcement stance, with civil penalties of up to A$49.5 million per body corporate and a decision on enforcement action expected by mid-2026.
The case for the ban, stated fairly
It would be dishonest to treat this law as a moral panic dressed up as policy. Parents are, in Future of Privacy Forum CEO Jules Polonetsky's words, "overwhelmed by digital challenges" with "nobody to guide them." Recommender systems are engineered to maximise engagement, and the evidence that compulsive use correlates with adolescent distress is real, even where causation is contested. Australia's Parliament passed the bill in November 2024 by lopsided margins — 102 to 13 in the House — precisely because the political consensus held that voluntary platform self-regulation had failed. The law's core design is defensible: it places the compliance burden on well-resourced platforms rather than on children or parents, and it demands "reasonable steps" rather than a guarantee of perfection. That is a more proportionate architecture than a blunt criminal prohibition.
Where the report actually lands
The trouble is what "reasonable steps" produced in practice. eSafety's four findings describe a system that platforms implemented grudgingly and minimally. Some platforms' messaging encouraged under-16s to attempt age assurance even after they had declared themselves underage. Several let minors repeatedly retry the same age-check method until they passed. Reporting pathways for flagging age-restricted accounts were neither accessible nor effective, especially for parents. And some platforms simply had not done enough to stop new under-16 accounts from being created. Platforms strengthened their measures "often following direct engagement from the regulator" — compliance was reactive, not proactive.
A pro-enforcement reading says: this is exactly why a regulator with teeth was necessary. The fairer reading is that the law incentivised theatre. When the statute rewards "reasonable steps" without defining a verifiable outcome, the rational corporate response is to deploy the cheapest defensible mechanism and let the regulator litigate the gap. The compliance report is less an indictment of bad actors than a description of a poorly specified obligation.
The accuracy and privacy bill comes due
The deeper concern is the technology the ban forces into the mainstream. eSafety's own analysis acknowledged that the facial age-estimation tools platforms leaned on carry "known limitations in accuracy near the 16-year threshold" — meaning the system is least reliable at exactly the age it is meant to police, and design choices "almost certainly contributed to the risk of misclassification." Every false positive is a 17-year-old wrongly locked out of lawful speech; every false negative is the law failing on its own terms.
And age assurance is not free. To check ages, platforms and third-party vendors must collect sensitive biometric or identity data on a national scale. The OAIC has had to impose obligations requiring platforms to "ringfence and destroy any personal information collected for the purpose of age assurance" — an admission that the safety regime creates a fresh privacy hazard the privacy regulator must then contain. Civil-society groups including the EFF have warned that age-verification mandates "may undermine people's anonymity online" and risk "data leakages of people's sensitive information." A child-protection law that normalises mass identity verification for everyone is not obviously a net gain for the vulnerable.
Did it protect anyone?
The most damning data point is not about compliance — it is about results. More than 5.1 million under-16 accounts were removed by early March 2026. Yet a parent survey cited in Tech Policy Press found nearly 70% still said their child had a Facebook, Instagram, Snapchat or TikTok account, and eSafety recorded no clear decline in cyberbullying or image-based-abuse complaints from under-16 users. Deleting accounts has not corresponded to measurable reductions in harm. Teenagers migrate to VPNs, to non-covered services, or to a sibling's login. The ban has generated an impressive headline number and a thin record of actual protection.
A proportionate path
None of this argues for doing nothing. It argues for targeting the harm rather than the head count. Australia took a quiet step in the right direction on 25 March 2026, when the Communications Minister registered a rule tying the definition of an age-restricted platform more closely to addictive and harmful design features. That is the better lever: regulate the engagement-maximising mechanics — autoplay, infinite scroll, manipulative notifications — and mandate strong default safety settings and genuine parental tools, rather than building a surveillance-grade age wall around the entire internet.
As Britain, the EU, and US states from California to Utah watch Australia for a template, the lesson from this first report is clear. Before mid-2026, eSafety will decide whether to fine five companies for failing to implement a mechanism that, on the regulator's own evidence, does not reliably work and has not demonstrably made children safer. Enforcement may be legally justified. But fining platforms for the gaps in a flawed design is not the same as protecting kids — and policymakers elsewhere should not confuse the two.