Online Children’s Privacy Code Consultation – Information Sheet

Australia’s proposed Children’s Online Privacy Code is set to reshape how organisations handle children’s data, raising the bar well beyond current privacy obligations. With consultation now open, marketers have a limited window to understand the impact and influence what comes next. 

What Marketers Need to Know  

• The Office of the Australian Information Commissioner (OAIC) is consulting on the Children’s Online Privacy Code; a significant new framework aimed at strengthening how children’s personal information is handled online.
• This code extends well beyond the existing requirements set out in the APPs and will directly impact organisations whose services are either likely to be accessed by children or primarily concerned with the activities of children.
• This is a critical opportunity to influence how the Code is finalised and to ensure that any practical implementation issues are addressed.

 Background to the Code  

 Children are increasingly engaging with apps, games, websites, AI tools, and digital services. The Code is designed to ensure they can do so safely, transparently, and without exploitation of their personal data. It aligns with global developments, such as the UK’s Age-Appropriate Design Code, while introducing protections tailored to the Australian context.  

 Who it applies to

The Code applies broadly to:

• Services likely to be accessed by children
• Platforms that collect or process children’s personal information, even if not exclusively child-focused
• This includes apps, games, websites, streaming services, financial services, and AI-powered tools
  
  

 Key obligations

Organisations will need to meet several new requirements:

1. Age assurance

Organisations are expected to take reasonable steps to determine the age of end-users before collecting personal information about them, to determine whether they need to comply with the Code. If they are required to comply with the Code, a number of obligations arise.

2. Best interests of the child

Data practices (collection, use and disclosure of PI about a child) must be consistent with the best interests of the child, reflecting international human rights principles.

3. Only ‘strictly necessary’ PI can be collected, used or disclosed

Organisations must implement technical and organisational measures that ensure that they only collect, use or disclose PI about a child that is strictly necessary to provide the entity’s service.

4. Stronger consent requirements

• Where consent is required, if the child is under 15 years of age, the entity proposing to collect, use or disclose of PI about the child must obtain consent from a person with parental responsibility, and must also take reasonable steps to confirm that the person who gives consent is the person with parental responsibility.
• In addition to parental consent, for children under 15, organisations must also seek the assent of the child in certain circumstances (collection of sensitive information, use or disclosure of PI for a secondary purpose and use or disclosure of PI for direct marketing) and the assent cannot be relied upon for more than 12 months.
• The organisation also has to provide an age-appropriate collection notice to the child.
• Consent must be informed, clear, and voluntary

5. Restrictions on marketing

• Ban ‘default-on’ targeted advertising and limit direct marketing to children
• Explicit consent is required before engaging in these activities
• The exception in APP 7.3 does not apply.

6. Right to deletion

Children will have the ability to request deletion of their personal data, supporting greater control as they grow older

7. Transparency requirements

Privacy information must be:

• Clear
• Accessible
• Written in age-appropriate language
  
  

 Consultation now open  

The Code is currently in its final consultation phase, with submissions open until: 5 June 2026

This is a critical opportunity to influence how the Code is finalised, particularly around:

• Practical implementation challenges
• Compliance expectations
• Industry-specific impacts

To date, there has been strong engagement across industry, government, and community stakeholders, with broad support for improved protections alongside calls for clear, workable guidance.

What happens next

• Feedback will be reviewed after consultation closes
• A regulatory impact analysis will assess costs and benefits
• The final Code is expected to be registered by December 2026 and become enforceable under the Privacy Act

Have your say

We are actively engaging on this issue and want to ensure our members’ perspectives are represented.

If you have a particular viewpoint, concern, or practical insight, we encourage you to get in touch.

Your input will help shape:

• Our advocacy and submissions
• Industry engagement with regulators
• Practical guidance for members

Sarah Waladan, Head of Regulatory and Advocacy, ADMA

Sage Kelly, Regulatory and Policy Manager, ADMA