The Incoming Children’s Online Privacy Code: What Online Service Providers Need to Know

Key takeaways

• The Code is not limited to social media giants. It will affect any organisation offering an online service that children may use, whether intentionally or incidentally.
• The trigger for application is the likelihood of child access to a service, not the size, sector or commercial purpose of the provider.
• While the Code is likely to be refined following consultation, the current direction reflects a settled policy position and it is unlikely to be materially scaled back.
• Organisations should review their online services now to determine whether they fall within scope and evaluate whether their existing privacy practices meet the heightened standards proposed by the Code.
  

Introduction

On 31 March 2026, the Office of the Australian Information Commissioner (OAIC) released an exposure draft of the Children’s Online Privacy Code (Code). The Code aims to set out new, higher standards for how online services must handle children’s personal information. Public consultation on the exposure draft will close on Friday, 5 June 2026.

Following the close of consultation, the OAIC will consider submissions and undertake a Regulatory Impact Analysis before registering the final Code by 10 December 2026.

The exposure draft builds on extensive prior consultation, including more than 65 individual stakeholder engagements, 61 written submissions, three industry roundtables and a one-day workshop with academic and civil society representatives. While stakeholder views were diverse, there was broad support for the Code and its objective of uplifting privacy protections for children and young people.

While the Code is likely to be refined in response to consultation, particularly in relation to scope and implementation, it is unlikely to be materially scaled back. The current direction reflects a settled policy position towards broader, more prescriptive regulation of children's data. Industry commentary suggests that the key changes will relate to clarification and operability rather than any narrowing of scope.

While public attention has largely focused on major social media platforms, the Code has a far broader reach. Many organisations that would not traditionally regard themselves as operating online children’s platforms, including those offering everyday online services not intended for children, may nonetheless fall within scope.

Which online service providers does the Code apply to?

The Code binds organisations regulated by the Privacy Act 1988 (Cth) (Privacy Act) that provide any of the following online services:

• Social media services: Platforms that let users interact socially by sharing, posting or engaging with content, including social networking sites and forums.
• Relevant electronic services: Services that let users communicate, such as messaging apps, email services, video‑calling tools and online games with chat functions.
• Designated internet services: Services that let users access material online, including but not limited to apps, websites, cloud-based services and streaming platforms.

Importantly, the Code does not apply to all activities of a bound entity. Under section 7 of the Code, it applies only to the extent that an entity's activities consist of the provision of a social media service, relevant electronic service or designated internet service that is:

• (a) likely to be accessed by children; or
• (b) primarily concerned with the activities of children. 

This means that where an entity offers multiple services, only the specific service meeting one of these criteria is captured. For example, as noted in the explanatory statement, a bank's pocket money app may fall within scope, while its business banking and home loan apps would not.

The "primarily concerned with the activities of children" limb extends the Code to services that are not directly accessed by children but are nonetheless focused on children's activities, recognising that such services may present comparable privacy risks. The explanatory statement identifies examples of these kinds of services, including applications that track early childhood development, family photo sharing applications, online school management systems that monitor student performance and internet-connected baby monitors.

The definition of "designated internet service" is broad enough to encompass most websites and online platforms. The OAIC has not defined a threshold for when a service is "likely to be accessed" by children, and this breadth has raised concerns among stakeholders. In practice, this means that many general-audience services - even those not designed with children in mind - may fall within scope. The determinative factor is not the size or prominence of the provider, but the likelihood that children will access the service.

Exemption for health services

Notably, the Code does not apply to an entity to the extent it is providing a health service. This exemption is built into the application provisions of the Code and means that online services which qualify as health services are excluded from its scope, even where those services may be accessed by children.

What the Code requires

The Code is scheduled to be registered by 10 December 2026. The Code will then operate as an APP Code under the Privacy Act. A breach will be treated as an interference with privacy, with the full range of regulatory powers and penalties available.

Key obligations include:

• only collect information that is strictly necessary;
• put the child’s best interests first;
• take reasonable steps to work out a user’s age;
• explain privacy policies in clear, child‑friendly language;
• strengthen consent processes (including parental consent);
• provide more rights for children to access, correct and delete their personal information;
• notify children when their location or activity is being tracked by a parent or another user; and
• limit direct marketing to children.

Who should be paying attention?

The Code is intended to apply across the entire digital ecosystem, not just major social media platforms like Facebook, Instagram and Tiktok.

• Gaming companies: Especially mobile and multiplayer platforms used by children and teenagers.
• Streaming and content platforms: Where children can view or interact with content.
• Educational technology providers: Learning platforms, apps and digital tools used in schools and tutoring environments, including student portals, learning management systems, communication platforms and school‑run applications.
• Businesses providing online services to schools or youth programs: Including services used in connection with extracurricular or youth-focused activities.
• General‑audience apps and websites: Services aimed at all users where children also regularly use or access the service, even if they are not the intended audience.
• Wellbeing platforms and connected-device providers: Non-clinical support services for young people that do not qualify as ‘health service’, and providers of internet-connected devices used by children, such as wearables and smart devices.

In each case, application of the Code will turn on the nature of the online service and the likelihood of child access, rather than the organisation’s size, sector or commercial purpose.

What organisations should do now

• identify which of their online services children use or are likely to use;
• review what personal information those services collect;
• check whether each item of information is strictly necessary;
• update privacy explanations and consent processes; and
• ensure children and parents can easily access, correct and delete their personal information.

How we can help 

Russell Kennedy’s expert Privacy team advises organisations across all sectors on meeting their obligations under the Privacy Act and preparing for emerging regulatory reforms, including the Code.

We can assist by:

• assessing whether your online services are likely to fall within the scope of the Code and identifying the practical implications for your business;
• reviewing and updating privacy policies, collection notices and consent processes to meet the Code’s heightened standards; and
• mapping the personal information your services collect and advising on data‑minimisation, age‑assurance and child‑friendly privacy explanations.

If you’d like to stay up to date with Russell Kennedy Alerts and Events, you can subscribe to our mailing list here.

The information contained in this Insight is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed please contact the Russell Kennedy team.