The Privacy Series

To help marketers prepare for the impact that the privacy reforms will have on the industry and our practices, we have created The Privacy Series. Each month we will deep dive into one of the key components set to reshape the Privacy Act to understand what they mean for marketers and their businesses.

The Children’s Online Privacy Code

Every child in Australia, that is anyone below the age of 18, has grown up in a world where social media not only exists in their lives, but dominates their waking hours. And yet this pervasiveness of social media is only one piece of a child’s online reality. Be it for learning, leisure or engaging with peers, there’s no escaping the prevalence of the online world for children. This online omnipresence, and the privacy risks it presents to children in particular, was highlighted in a speech by the former Attorney General Mark Dreyfus, who stated that by the time a child turns 13, it is estimated there will be 72 million pieces of data already collected about them. An alarming statistic that will continue to snowball into their adulthood. 

That’s why, as part of the recent tranche one reforms to the Privacy Act, the Government passed a mandate for a Children’s Online Privacy Code (Code). The Code, to be developed by the Office of the Australian Information Commissioner (OAIC), will specify how some online services accessed by children must comply with the existing Australian Privacy Principles (APPs) of the Privacy Act. It seeks to strengthen privacy protections for children when using online services. This is important because children are particularly vulnerable to the misuse of their data and may not fully understand the privacy implications of their online activity.

Privacy obligations and commonplace data practices that are frequently, if not inherently, used by marketing teams may be in the cross hairs of the Code. In this edition of the Privacy Series, we explore the Code in more detail and discuss implications it may have on marketing operations as they pertain to personal information handling practices.

How the Children's Online Privacy Code is being developed?

The Privacy and Other Legislation Amendment Act 2024 (Cth), which was approved by Government on 10 December 2024, contained a mandate for the OAIC to develop and register the Code by 10 December 2026. The OAIC has already set in motion activities to develop the Code. A new OAIC team, the Privacy Reform Implementation and Social Media Taskforce or PRISM Taskforce, being led by Dr Kate Bower, the OAIC’s Director of Privacy Reform Implementation, has responsibility for developing the Code.

In developing the Code, the OAIC has chosen a three-phase consultation strategy, in part, to ensure the Code is informed by a wide range of voices and equally, to prioritise the voice of children, putting them at the forefront of considerations. The first phase of consultation started in January 2025 and involved initial discussions with children, parents and organisations focused on children's welfare. Phase two, which kicked off in May 2025, is seeking engagement with civil society, academia, and industry stakeholders, to gather insights and perspectives. Then finally phase three, scheduled to begin in early 2026, will involve public consultation on the draft Code.

Phase two, the current phase, is an importance opportunity for Industry; it will ensure marketing voices are considered in the Code development. The consultation engagement involves the release of an issues paper, followed by roundtables with industry bodies to discuss and engage more directly on key questions. ADMA looks forward to engaging in these roundtables and advocating for Industry, to ensure our needs, as responsible marketers, are considered.

Who will be bound by the Children's Online Privacy Code?

The Code will apply to APP entities, being businesses or organisations covered by the Privacy Act, if: 

1. They are a provider of a social media service (online platform where people can connect, share content and interact with others, a relevant electronic service (online service that lets people communicate with each other such as messaging apps or online games),or a designated internet service (websites and online platforms where people store and share content like cloud storage services).
    

2. The service is likely to be accessed by children. The Code will not apply to a health service provider, as defined in the Privacy Act, but the OAIC has indicated exploring additional APP entities or a class of entities, such as EdTech and wearables, that may be specified in the Code.

Additionally, the Code will, where possible, align with similar codes in like-minded countries, such as the United Kingdom’s “Age Appropriate Design Code”.

Why do we need the Children's Online Privacy Code?

There are many reasons why children are more vulnerable online. Limitations in their basic and digital literacy, their cognitive abilities and their capacity for mature decision-making, coupled with a general lack of awareness of commercial practices and understanding of consent provisions, puts children at risk of privacy harms. This, coupled, with the change in the digital technology landscape and the increasing presence of children online, amplifies privacy risks.

On top of this, the existing privacy laws in Australia have not kept pace with the rapidly changing digital landscape. 

This is why we need the Code, why we should welcome the introduction of the Code, and why the Government has deemed it essential for the Code to be developed – to ensure the ongoing protection of children in Australia while engaging in online activity. For responsible marketers, while this may impact existing BAU marketing operations, the premise – to keep our children safe online – should be embraced as we strive for a more ethical and safer online community, particularly for our children.  

What impact will the Children's Online Privacy Code have on marketing?

As the Code is under development, its full scope and subsequent implications remain uncertain. However, what is known is that the Code will build on existing APPs only. While it may impose additional requirements on APP entities, these requirements cannot be inconsistent with existing APPs. No new principles or prohibitions will come into effect as a result of the Code. This means that existing APPs will be applied with additional requirements in the context of a child. 

For example, APP 1 of the Privacy Act requires APP entities to manage personal information in an open and transparent way, and to take reasonable steps to implement practices, procedures and systems that will ensure compliance. The Code may build upon existing APP 1 obligations by requiring a bound entity to implement, for example, internal training that specifically addresses the management of children’s personal information. 

Another example may be additional requirements related to APP 7 of the Privacy Act, which is concerned with the use or disclosure of personal information for direct marketing purposes. The Code may build on APP 7 by determining a child’s capacity to understand given their evolving competency and cognitive capabilities, issue guidance on how easy and straight forward it is to opt-out of direct marketing, and if consent can be deemed as fully informed. 

For APP entities not bound by the Code, any additional requirements imposed by the Code will have no impact on their personal information handling practices. For those entities that will be covered by the Code, change is on the horizon and you should start preparing. 

Get ahead and get proactive

This is an opportunity to get ahead of the pack and start preparing for what the Code may likely impose. Not only will you be prepared for when the Code comes into effect, your brand will be market leading as a champion of privacy and data protection and flourishing in consumer trust as a result. 

To put your best foot forward, we recommend the following steps. Proactively review and audit your current data practices through the lens of protecting children’s privacy.  Remediate any compliance gaps, review your personal information collection practices to ensure the information you collect continues to be reasonably necessary, and confirm you are complying with your transparency and consent obligations. If you provide services that are likely to be accessed by children, check that you are you meet your obligations in a child friendly way. For example, is your privacy policy ‘kid friendly’; can it be presented in a fun, easy to understand video that is both easy to digest and understandable? These are the types of changes that the Code will likely introduce to ensure that the online environment for children is built with the protection of privacy of the child front and centre.

Want to sharpen your privacy and compliance skills?

Check out our regulatory course offering with a range of options to suit your needs. From our online short courses to our more comprehensive Privacy and Compliance for Marketers course, ADMA has your regulatory upskilling needs sorted.