By Gabriella Assis

Introduction

Australia is entering a new era of child-centred privacy regulation, with the draft Children’s Online Privacy Code (the Code) marking a major shift in how children’s data must be handled.

The Office of the Australian Information Commissioner (OAIC) notes that by age 13, an estimated 72 million data points may have been collected about a child. The Code responds to the growing risks associated with large scale data collection, including discrimination, algorithmic bias, identity theft, targeted advertising and other forms of misuse.

This volume of data leaves children and young people exposed to a range of data practices including profiling, direct marketing and targeted advertising, as well as ingestion of personal information into AI. Data breaches, unlawful disclosure and broader security failures, identity theft, discrimination, and algorithm bias all can lead to serious financial, reputational and developmental harms. These risks highlight the need for stronger, enforceable safeguards.

The Children’s Online Privacy Code is a legislative instrument made under the Privacy Act 1988 and was introduced by the Privacy and Other Legislation Amendment Act 2024 (POLA Act). The Code places clear responsibility on organisations to embed safety, transparency and privacy protective design into their digital services.

This Insights post outlines what the Code is, why it matters, how it was developed, how stakeholders can influence its final form, how IIS can support organisations preparing submissions, and what happens next.

1. Understanding the Children’s Online Privacy Code

Why this matters

The Code is a major uplift to Australia’s privacy framework, designed to protect children in a digital ecosystem where data collection is pervasive and often invisible. The Code will become a legally enforceable instrument once it is registered on 10 December 2026.

Why the Code is needed: Evidence from the EdTech ecosystem

Recent independent research into school‑endorsed educational apps in Australia shows a clear gap between what privacy policies promise and what apps actually do – the very risks the Children’s Online Privacy Code is designed to address. Analysis of almost 200 apps approved for use in schools found that many shared children’s personal information with third parties as soon as the app was opened, often before any user interaction, contradicting their own privacy policies and exposing gaps in oversight by education systems, app developers, and regulators.

The research also found that most apps included advertising or tracking tools that were not necessary for their educational purpose, while only a small number of privacy policies accurately reflected these practices. Most policies were written in language too complex for parents and children to reasonably understand, and child-focused branding often created an illusion of safety not supported by how the apps operated.

Together, these findings highlight that current consent and disclosure mechanisms reinforce the need for enforceable, design focused obligations that place responsibility on organisations rather than children, parents, or schools to act in the best interests of the child.

Scope and application

The Code applies to businesses or organisations covered by the Privacy Act 1988 if:

• They are a provider of a social media service, a relevant electronic service or designated internet service,

• The service is likely to be accessed by children or primarily concern the activities of children, and

• If the organisation is not providing a health service.

For the purposes of the Code, a social media service, a relevant electronic service, and a designated internet service are understood by the OAIC as follows:

• Social media services: platforms where people can connect, share content and interact with others (e.g. social networks, public media-sharing sites, discussion forums and review platforms).

• Relevant electronic services: online services that let people communicate with each other (e.g.  messaging apps, email services, video calling platforms and online games where players can chat).

• Designated internet services: online services that allows users to access or receive material over the internet (e.g. cloud storage, websites that let users receive/access content, streaming platforms, consumer IoT devices).

Importantly, the Code applies at the service level, not the organisational level. This means only the child-facing or child-relevant components of a business fall within scope. This means that if an organisation operates one part of its website that is likely to be accessed by children, that specific service will be covered by the Code. Other services that are not accessed by children – or that do not involve children at all – remain outside the Code’s scope. In practice, the organisation would need to, for example, publish a dedicated privacy policy on its website that clearly identifies the in-scope services and explains its privacy practices in language that is easy for children to understand.

How the Code will work in practice

The Children’s Online Privacy Code introduces obligations that materially change how organisations must handle children’s personal information. This includes:

• ‘Best interests of the child’ as the governing principle for collection, use, and disclosure of personal information.

• Stronger consent mechanisms, including notifying a child when a parent consents.

• Ensure personal information about a child is destroyed upon request, unless an applicable exception applies.

• Limits on direct marketing, only permissible with consent and when in the child’s best interests.

• Age-appropriate transparency, requiring clear, accessible, developmentally appropriate notices.

These obligations shift responsibility from children and parents to the organisations designing and operating digital services.

The Code’s primary requirement

The Code’s primary requirement is for organisations to only collect, use or disclose personal information in ways that are consistent with the ‘best interests of the child’.

To understand what actions are in the ‘best interests of the child’, the Code indicates that organisations should consider factors such as:

• The nature and extent of child exploitation risks, noting that child exploitation includes any situation where a child is abused, harmed or used by another person for economic, sexual or personal gain.

• The likely mental or physical impacts on the child.

• The likely impact on the physical, psychological, emotional, social and cognitive development of the child.

• The extent to which the child’s ability to develop and express their views and identities may be affected.

• The extent to which the child’s freedom of association, play, leisure or participation in social, cultural or educational activities may be affected.

• Whether particular groups of children may experience disproportionate or adverse impacts, including children with disabilities, Aboriginal and Torres Strait Islander children, children from culturally and linguistically diverse backgrounds.

• The evolving capacities of children, including differences in age, maturity and developmental stage across childhood.

2. How the OAIC developed the Code

A research-driven, consultative approach

The OAIC’s development of the Code has involved research, evidence, and consultation. The OAIC has reported that it conducted more than 65 engagements with stakeholders across government, industry, academia, civil society, and international regulators.

Three phase consultation process

Phase 1 (Jan-Aug 2025) – The OAIC held the initial consultation with children, parents, and organisations focused on children’s welfare.

Phase 2 (Apr-Aug 2025) – The OAIC engaged with civil society, academia, and industry to test early concepts and gather insights and perspectives.

Phase 3 (current) – Mandatory 60-day public consultation (31 March – 5 June 2026): The OAIC is seeking industry, civil society, academia and any other interested parties to submit a written response to the Children’s Online Privacy Code.

International alignment

The OAIC has aligned the Code with global frameworks such as theAge Appropriate Design Codedeveloped by the UK Information Commissioner’s Office, while integrating novel protections to ensure Australian children benefit from leading privacy approaches.

3. A call to action for stakeholders: How to participate in the public consultation

Why your input matters

The OAIC has emphasised that it is approaching this consultation with an open mind and is actively seeking feedback to refine the Code and ensure it is implementable.

How to get involved

Stakeholders can:

• Review the Exposure Draft of the Children’s Online Privacy Code and the Explanatory Statement to understand the proposed requirements and how the Code is intended to operate in practice.

• Explore the OAIC’s Privacy for Kids Hub, which provides child-friendly resources and background materials that informed the development of the Code.

• Submit written feedback to copc@oaic.gov.au by 5 June 2026.

Where feedback is most valuable

This is where organisations can meaningfully influence the final Code.

1. Scope clarity

As the Code applies at the service level, organisations with mixed service lines (e.g., banks, telcos, EdTech providers) should provide feedback if the application of the Code to some but not all of their services is unclear.

2. Operationalising the Code

Stakeholders can provide input on (or pose questions about):

• Approaches to interpreting and operationalising the ‘best interests of the child’ principle, recognising that its application may involve balancing competing interests or rights.

• How to balance commercial and child-centred interests.

• What evidence organisations must demonstrate to comply with the Code.

• How to implement any other requirements of the Code.

How IIS can support your submission

If your organisation wishes to have its say, now is the time to engage. IIS can support you in preparing a clear, well-structured submission that reflects your operational context and highlights any practical considerations the OAIC should take into account. Our team can help you interpret the Exposure Draft of the Children’s Online Privacy Code, assess the implications for your services, and articulate your feedback in a way that constructively contributes to the consultation process.

4. What happens after the consultation

Regulatory pathway

After the consultation closes, the OAIC will:

• Review all submissions.

• Engage in a Regulatory Impact Analysis (RIA) to conduct a cost-benefit analysis of the implementation of the Code. For the Children’s Online Privacy Code, the RIA focuses on balancing stronger privacy protections for children against the regulatory and economic impacts on online services.

• Where appropriate and required, the OAIC will continue to consult with relevant stakeholders to ensure different voices are heard and represented throughout the process in developing the final Code.

• Register the final Code by 10 December 2026 as required by the POLA Act. Once registered, the Code becomes legally enforceable.

Conclusion

The Children’s Online Privacy Code represents a significant development in the national privacy landscape. It elevates children’s rights, places responsibilities on organisations to design safer digital environments, and aligns Australia with global best practice.

The current consultation period is a critical opportunity for interested stakeholders to help shape the final Code, ensuring it is practical and capable of meaningfully protecting children in an increasingly complex digital ecosystem.