Understanding the impending Children's Online Privacy Code

By the time a child turns 13, there will be approximately 72 million data points gathered about them.[1] The change in digital technology, in addition to the increased presence of children online, brings increased privacy risks. In response to the online shift, the Children’s Online Privacy Code (the Code) is being developed by the Office of the Australian Information Commissioner (OAIC). Rather than restricting their digital usage, the Code aims to put children at the centre of online privacy protections and will specify how online services accessed by children must comply with the Australian Privacy Principles (APPs) from the Privacy Act and may impose additional requirements.

Scope of the Code

The Code will apply to organisations bound by the Privacy Act if they provide a social media service, a relevant electronic service or designated internet service that is not a health service, and the service is likely to be accessed by a child. These categories cover a wide range of online services, such as social networks, public media-sharing sites, messaging apps, video calling platforms and online games where players can chat, streaming platforms, consumer Internet of Things (IoT) devices like smart watches, websites that let users receive or access content, and cloud storage services.

Consultation

The Code needs to be in place by December 2026. To inform the Code, the OAIC has undertaken two consultations to date, with one more scheduled in early 2026.

Phase 1 saw the OAIC consult with children, parents, and organisations focused on children’s welfare.[2] Many children expressed a desire for clearer, more accessible privacy policies, as well as greater control over their personal information, particularly in relation to areas such as targeted advertising and geolocation data. Data also revealed that current consent mechanisms are often perceived as insufficient, with many children feeling that they are not empowered to make informed decisions about their personal information. These findings underline the importance of the Code in ensuring that children can effectively protect their privacy while using online services.

Phase 2 involved consulting with civil society, academia, and industry stakeholders on specific questions raised in the Issues paper.

Phase 3, scheduled to commence in early 2026, will involve public consultation on the draft Code.

Of particular interest to marketers are the impacts that the Code may have on direct marketing obligations, but equally marketers must consider how they provide notification in a way that is meaningful and can be understood by children, and how to obtain consent that is genuine, informed, voluntary and given by someone who has capacity to meaningfully understand the consent provisions.

ADMA submission on APP 7 with obligations around direct marketing

Direct marketing involves using or disclosing personal information to communicate directly with an individual to promote goods and services.

APP 7 prohibits regulated organisations from using or disclosing personal information they hold about individuals for direct marketing purposes, unless a valid APP 7 exemption applies. One valid exemption is where personal information has been collected directly from an individual and the individual would reasonably expect their information to be used for direct marketing. For example, they have consented to the use or disclosure of their personal information for that purpose, and the information is not considered sensitive information under the Privacy Act.

In our submission response to the OAIC, ADMA noted that due to existing legislative complexity inherent in digital marketing practices, coupled with uncertainty on further Privacy Act reforms, we had reservations on introducing additional, or changed, obligations on marketing practices directed at children. Additional obligations, if introduced by the Code, risk becoming a potential overreach when used to regulate all forms of direct marketing that may or may not be to a child audience. In our submission, we reinforced our advocacy for harmonised and proportionate regulation of digital marketing practices,[3] and further recommended that the concept of ‘likely to be accessed by children’ should reference the part of the service that is clearly appealing to, directed at or focused on children.

ADMA maintains that by introducing proportionate reforms to the Privacy Act, the OAIC can achieve its objective of protecting children when engaging online, without needing to further amend APP 7 obligations with respect to marketing practices directed at children.

Considerations for marketers

While we wait to see what is included in the draft Code, regulated organisations should take stock of service offerings likely to be accessed by children.

For digital marketers, some of the more important considerations include:

  • Can your organisation create a ‘reasonable expectation’ that you may use or disclose children’s personal information for direct marketing purposes? And if so, how?
  • How can you ensure mechanisms are in place for children to opt out of receiving direct marketing communications, in a simple and accessible way?
  • How will you ensure your privacy policy is meaningfully understood by children of different ages, abilities and backgrounds? How can you meet this obligation when services are used by both adults and children, particularly when children are not the intended primary users?
  • What methods can you use to effectively notify or ensure children are aware of data collection practices in a manner that is age-appropriate and can be easily understood by children?
  • How will you ensure that notifications are accessible to children with diverse needs, including those from culturally and linguistically diverse backgrounds, or living with disability?
  • What mechanisms are needed to ensure children can easily access or seek correction of their own personal information?
  • In what circumstances should a parent or guardian be able to make a data access or data correction request on their child’s behalf?

ADMA will continue to monitor developments in this space and will keep you informed as changes come to light.



[1] https://www.oaic.gov.au/news/blog/sunshine-and-double-rainbows-building-a-better-online-environment-for-children-and-young-people            

[2] https://au.reset.tech/news/children-s-online-privacy-code/

[3] https://www.oaic.gov.au/__data/assets/pdf_file/0029/255935/Association-for-Data-driven-Marketing-and-Advertising.PDF