Australia’s Children’s Online Privacy Code: What the Exposure Draft Means for Industry 

Published: 20 Apr 2026

The Office of the Australian Information Commissioner (OAIC) has released the long-awaited exposure draft of the Children’s Online Privacy Code (COPC), marking a significant milestone in Australia’s evolving privacy framework. The draft Code introduces a new regulatory regime that will reshape how organisations design and deliver digital services accessed by children. 

This post outlines (1) the background and policy trajectory leading to the draft, (2) the key proposed reforms, and (3) practical next steps for organisations preparing for compliance. 

1. Background 

The COPC is the product of several intersecting regulatory developments. 

The Privacy and Other Legislation Amendment Act 2024 (Cth) introduced a requirement for the OAIC to develop and register a binding Children’s Online Privacy Code by December 2026. This mandate reflects increasing concerns about the handling of children’s personal information in digital environments. Children are disproportionately exposed to privacy risks online, including profiling and targeting, with estimates suggesting that tens of millions of data points may be collected about an individual by early adolescence. It was considered that a new Code would be able to clarify the principles-based requirements of the Act in more prescriptive terms, particularly as to how online services should be designed to protect children’s privacy and the best interests of the child.

The Code sits alongside other online safety initiatives in Australia, including: 

  • The Online Safety Act 2021 (Cth) and associated codes and standards, and 
  • The Social Media Minimum Age (SMMA) framework, introduced in 2025 (which Privacy 108 covered in more detail in an earlier post).

The draft COPC offers some regulatory alignment between Australia’s privacy and online safety regimes by addressing age assurance matters and by adopting key definitions in the Online Safety Act 2021 (Cth).

Importantly, the development process for the Code has been consultative. The OAIC has engaged with children, parents, industry, and experts in shaping the draft, and the current exposure draft is subject to public consultation until 5 June 2026. 

2. Summary of Proposed Updates 

The exposure draft introduces a wide-ranging set of obligations that significantly raise the bar for handling children’s personal information. 

Broad Scope of Application 

The exposure draft Code will apply to both of the following types of services: 

  • Services that are ‘likely to be accessed by children’, and
  • Services that are ‘primarily concerned with the activities of children’.

In both cases, the entity must also be a provider of any of the following, as defined under the Online Safety Act 2021 (Cth):

  • Social media services – including social networks, public media-sharing sites and discussion forums 
  • Relevant electronic services – generally consisting of online services that facilitate communication between users (e.g. messaging apps, email, video calling platforms, online games with chat), or 
  • Designated internet services – defined broadly to include online services that allow users to access or receive material over the internet (e.g. cloud storage, websites that let users receive/access content, streaming platforms, consumer IoT devices). 

Entities that provide health services will be exempt from the COPC. 

This means that the draft Code will affect far more than the traditional “big tech” or social media platforms, potentially extending to sectors such as education, gaming, retail, and even connected devices. 

Age Assurance 

Covered entities must take reasonable steps in the circumstances to ascertain end-users’ age. In determining what steps are reasonable, entities must consider the risk of harm that may arise from handling the individual’s personal information through their services. 

Entities do not need to perform age assurance if they apply the protections in the Code to all users of the service, regardless of age. 

Entities must also destroy any sensitive information collected as soon as practicable after ascertaining the user’s age, unless the retention of that information is legally required. 

The draft Code therefore takes a risk-based approach which encapsulates a range of possible age assurance techniques. These different age assurance techniques offer varying degrees of certainty but also carry different privacy risks, and include user self-declarations, parental attestations, AI-enabled age estimation, and age verification. 

A “Best Interests of the Child” Standard 

Perhaps the most significant reform in the draft Code is the introduction of a requirement for the collection, use and disclosure of children’s personal information to be consistent with the best interests of the child. 

The concept of the best interests of the child is drawn from the United Nations Convention on the Rights of the Child and has been adopted as a key tenet of other children’s privacy codes, such as the UK’s Age Appropriate Design Code.

The proposed requirement will represent a significant uplift over the standard currently provided by APP 3 (Collection Limitation) and APP 6 (Use and Disclosure). It is hoped that the new ‘best interests’ test will ensure that children’s wellbeing is placed at the centre of decision-making across the information lifecycle and that online services have a duty to address risks of harm and exploitation, as well as potential impacts on children’s autonomy and other child rights.

Privacy by Design and PIAs 

The draft Code mandates a privacy-by-design approach, requiring organisations to conduct privacy impact assessments (PIAs) before providing a new service to children or before adopting any new or changed ways of handling personal information that will have a significant impact on children. When undertaking their PIAs, entities will be required to perform and record an assessment of whether the handling of children’s personal information is consistent with the best interests of the child. Entities must also maintain a register of PIAs that they have conducted, which must be published online. 

In addition, entities will be required to: 

  • Annually review and update their practices, procedures and systems to ensure that they comply with the APPs and the COPC. Entities must keep records of these reviews and provide these records to the OAIC, on request; and 
  • Provide education and training about the handling of children’s personal information for staff. 

These obligations will require entities to embed the consideration of children’s privacy early in the design of their online services. Within PIAs, entities will also be required to perform rigorous assessments of how their data handling will align with children’s best interests and publish their reasoning. 

Enhanced Consent Framework 

The draft Code will significantly strengthen consent requirements, proposing a new definition that aligns with overseas privacy legislation such as the GDPR and with the definition proposed in the Tranche 2 Privacy Act Review reforms.

The strengthened consent requirements include: 

  • That consent must be voluntary, informed, current, specific and unambiguous 
  • That consent must be easy to withdraw 
  • A regime for determining when parental consent should be sought, and when children may consent on their own behalf 
  • A novel “dual consent” model that applies in certain cases (e.g. direct marketing, sensitive data), requiring both child assent and parental consent 

Restrictions on Direct Marketing 

The draft Code introduces limits on the use or disclosure of children’s data for direct marketing. 

Direct marketing is only permitted where: 

  • The existing requirements of APP 7 are met 
  • The activity is consistent with the child’s best interests, and 
  • Consent is obtained. 

New Rights for Children 

The draft Code enhances children’s agency over their data, including: 

  • A right to request destruction of personal information 
  • Expanded access and correction rights, including a right to request information about the entity’s handling of the child’s personal information (including details of the categories of personal information held, its source, the purposes for handling and the recipients of the child’s data, among other matters)
  • Greater transparency regarding automated decision-making 

Transparency and Child-Friendly Communication 

Organisations must ensure that privacy policies and collection notices are: 

  • Clear, concise and age-appropriate, and 
  • Supported by non-textual formats, where appropriate. 

The Code also introduces notification requirements in relation to specific monitoring practices: 

  • Children must receive notifications when other users of the service are able to monitor the child’s geolocation data (including the child’s parents) 

These provisions aim to balance parental oversight with children’s autonomy and awareness. 

Enforcement and Penalties 

Once registered, the Code will be binding, and non-compliance will constitute an interference with privacy under the Privacy Act, exposing organisations to the OAIC’s regulatory powers including possible civil penalties. 

3. Recommendations: What Should Organisations Do Next? 

Although the Code is still in draft form, organisations likely to be affected should start preparing. Waiting for finalisation in late 2026 may leave insufficient time to implement the structural changes required.

Here is our list of steps affected organisations should think about:

I. Undertake a COPC Readiness Assessment 

A good starting point is to identify how the Code may impact your organisation. This would include consideration of: 

  • Which services fall within scope of the COPC 
  • Whether your services are ‘likely to be accessed by children’ or are ‘primarily concerned with the activities of children’ (directly or indirectly), and 
  • The potential risk associated with your existing personal information collection and handling practices 

II. Map Data Flows and Conduct Gap Analysis 

A key starting point is understanding how your organisation collects, uses and discloses children’s personal information. If you have not already done this, start now on mapping data flows relevant to children’s personal information. Your focus should be on high-risk processing activities as an initial priority. 

That data flow map can then be used to identify gaps against proposed requirements (e.g. consent, minimisation, retention), which will form the foundation for compliance planning. 

III. Embed “Best Interests” Assessments and PIA processes 

You should develop internal processes and frameworks to assess whether your data practices align with the best interests of the child. This may be part of your existing privacy impact assessment processes. As part of the COPC’s mandatory PIA requirements, you will be required to record an assessment of whether the handling of children’s personal information is consistent with the best interests of the child, as well as publish this PIA on a PIA register and provide the assessment to the OAIC, on request. 

IV. Redesign Consent Mechanisms 

You should review your existing consent and age assurance processes to determine whether they are likely to meet the new standard. Organisations should:

  • Review age assurance and parental consent processes 
  • Design child-friendly consent interfaces, and 
  • Plan for the new dual consent scenarios. 

V. Review Product and UX Design 

Privacy-by-design obligations will require collaboration across legal, product, and engineering teams. If you don’t already have privacy by design built into your processes, particularly your product and solution design and development, then this is a good time to start. 

VI. Reassess Marketing and Data Monetisation Practices 

Given the restrictions on direct marketing and third-party data use, organisations should: 

  • Audit advertising models involving children’s data 
  • Consider alternative approaches (e.g. contextual advertising), and 
  • Engage with AdTech partners early. 

Final Thoughts 

The Children’s Online Privacy Code represents a significant shift in Australian privacy regulation. It moves beyond traditional compliance toward a proactive, rights-based framework centred on children’s wellbeing. 

Those that begin preparing now will be best positioned not only to comply, but to build trust with the next generation of digital users. 

Privacy 108 will be submitting a more detailed response to the proposed draft. Stay tuned for further updates on this important area. 

References 

https://www.oaic.gov.au/privacy/privacy-for-kids/privacy-for-kids-childrens-online-privacy-code
