Children’s Privacy in Australia: Risks, Laws, and Best Practices
We know changes are coming to children’s privacy in Australia. But we don’t know exactly what Australian privacy law as it relates to children will look like by the end of 2026. So, how do you prepare? Start here.
Why Is Children’s Privacy So Important?
The internet is a surprisingly dangerous place. There’s harmful content, malicious actors, and artificial intelligence products that children can’t comprehend. Horrific potential harms aside, swathes of companies are looking to collect personal information about children. Those insights follow children into young adulthood, as advertisers work to have people in their early 20s purchase products using data collected when they were potentially more naive about the internet.
From your organisation’s perspective, the allure of getting that data may be strong. But there are arguably stronger reasons to respect and protect children’s privacy, including:
- Increased trust and a better reputation. Brand loyalty and goodwill go a long way. If parents trust your company, they’re more likely to be loyal and to recommend your products/services.
- Future-proof practices. You can reduce your risk of legal compliance issues and fines down the line while also reducing the cost of compliance by avoiding expensive ‘bolt-on’ solutions.
- Reduced risk of data breaches. Children’s data is increasingly being targeted in the US due to the potential for identity theft and extortion. It’s likely that trend will extend (or is already extending) beyond US borders.
Current Regulation: Children’s Privacy in Australia
As it currently stands, Australia’s Privacy Act 1988 protects all individuals regardless of age. However, children’s privacy—specifically the information that websites and apps collect about child users—hasn’t historically received special protection.
Here’s what Dr Jodie Siganto, Director at Privacy 108, said about children’s privacy in June of 2024:
“Children’s privacy, in terms of the information that websites and apps collect about child users, is not specifically protected in Australia. The existing law (Privacy Act 1988) protects individuals regardless of their age – but does not offer special protection to children. This approach is out of line with international trends – and this may be about to change.”
That position did change in late November 2024, when the Australian government enacted the first tranche of privacy reforms. Those reforms included a requirement for the OAIC to develop a Children’s Online Privacy Code within 24 months (so, by the end of 2026).
In other words, significant reforms are imminent. But in the meantime, the status quo will remain in place.
How To Prepare For Looming Changes to Privacy Laws Relating To Children
While we expect drafts and consultation periods ‘soon’ (likely at some point in 2025), there are some steps you can take in the near term to prepare for the changes.
Step 1: Self-Identify whether the Online Children’s Code will likely apply to you.
The Children’s Online Privacy Code will apply to online services “likely to be accessed by children.” There’s a good chance that your organisation falls into this category if you’ve read this far.
Step 2: Review your current practices to see if you are currently compliant.
- How do you identify whether children are 15 years or older?
- Do you seek consent from a child’s parent or guardian before collecting personal information from them?
- Are your privacy notices clear?
If your organisation currently has poor privacy practices around consent, you will need to make significant improvements to comply with the future laws and potentially to comply with current laws. It would be a good idea to reach out to a privacy consultancy at this point to move towards compliance today and future-readiness for tomorrow.
Step 3: Look to the UK’s Age Appropriate Design Code to predict what’s likely coming.
The OAIC has indicated that, where possible, the new code will align with the UK’s Age Appropriate Design Code. Knowing which standard the OAIC is using to draft the code offers a valuable benchmark for Australia.
The UK’s online children’s code outlines 15 standards for managing children’s privacy, which can be summarised as follows:
- Best Interests of the Child
Design products and services to safeguard and promote children’s welfare above any commercial considerations.
- Data Protection Impact Assessments (DPIAs)
Complete DPIAs focused specifically on children’s data protection risks, and use the findings to inform product features and compliance strategies.
- Age-Appropriate Application
Assess the age range of likely users and tailor protective measures, applying heightened protections for younger users.
- Transparency
Offer clear, child-friendly explanations of how and why personal data is collected and used. Avoid confusing or legalistic language.
- Detrimental Use of Data
Avoid using children’s personal data in ways that could harm their well-being or exploit their vulnerabilities.
- Policies and Community Standards
Uphold published policies and standards—such as community guidelines—that build trust among children and parents.
- Default Settings
Enable the most privacy-friendly settings by default while allowing children and parents the freedom to adjust settings later if needed.
- Data Minimisation
Collect only what is necessary, limiting both the volume of personal data gathered and the duration it is retained.
- Data Sharing
Do not share children’s personal data unless a compelling reason exists, and weigh any potential risks to the child.
- Geolocation
Keep geolocation services switched off by default. Provide prominent notices when tracking location, allowing control over whether location data remains visible or stored.
- Parental Controls
Clearly communicate the availability and nature of parental monitoring features, explaining how these tools track a child’s online interactions.
- Profiling
Avoid or limit profiling of children if it might expose them to harmful content or reinforce negative patterns, and use safeguards to protect vulnerable users.
- Nudge Techniques
Refrain from using interface designs that pressure children into making poor privacy decisions, such as disclosing unnecessary data.
- Connected Toys and Devices
Embed privacy controls into connected toys and devices to protect children’s data in real time, and communicate clearly about any data collection activities.
- Online Tools
Provide accessible, user-friendly tools to help children and parents exercise their privacy rights, including options to report concerns or request changes in data use.
Given that significant reforms are on the horizon, organisations developing products and services for children should familiarise themselves with these standards. Early alignment with UK guidelines may help reduce the costs of retrofitting privacy measures later, leading to better outcomes for both the organisation and its young users.
Step 4: Consider The Social Media Ban
Does your organisation offer accounts for users? If so, do you offer child users the option of logging in via social media profiles? It might be time to remove that login option.
Best Practices for Safeguarding Children’s Online Privacy
The following recommendations draw on OAIC guidelines and emerging international standards.
Act in the best interest of the child
The simplest step you can take to safeguard children’s privacy online is to make acting in their best interest a priority. This is, however, easier said than done.
What this typically entails is conducting youth-specific privacy impact assessments (PIAs) for projects where data may be collected from or about children. To be specific to children, these PIAs should be adapted to the perspectives and experiences of young people.
In addition to this, dark patterns should be eliminated and the most privacy-centric option should be selected or presented as the default. In other words, if you’re creating a product or service likely to be used by children, their privacy should be protected if they do nothing. This means tracking and profiling should be turned off as the default. More than this, collection should only occur where absolutely necessary. Finally, data should be deleted as soon as possible, unless you’re required to keep it for compliance purposes.
Obtain Parental Consent
Parental consent is especially important if you’re collecting sensitive information or data from children under 15 under the current laws.
Implement Privacy-by-Design
Integrating data protection measures into the architecture of digital services from the outset is usually the most cost-effective option and it provides the best opportunity to generate win-win scenarios for businesses and end users.
Enhance Transparency
Develop clear, accessible privacy policies that explain how children’s data is collected and used. Remember that if your product/service is targeted at children, the language and design choices you make should be tailored to children of that age and stage.
For Educators
Educators can protect children’s digital privacy while empowering them through education:
- Integrate Digital Literacy into the Curriculum
Teach students about online safety and the importance of protecting personal information.
- Foster Open Dialogue
Create an environment where students feel comfortable discussing their online experiences and any privacy concerns.
- Collaborate with Parents
Work closely with parents to reinforce safe online practices both at school and at home.
Prepare For Changes to Children’s Privacy with Privacy 108
Stay up-to-date via our twice-monthly newsletters. One contains summaries of privacy news around the world, and the other shares our insights from that month alongside our commentary on major privacy themes or happenings.
Or, if you’re ready to start preparing for Australia’s changing privacy regulations, reach out. Our privacy team regularly works with companies to improve their privacy posture and streamline business use of data. We’re happy to chat with you, cost- and obligation-free, about your data, security, and privacy challenges. You can contact us here.