Changeflow GovPing Data Privacy & Cybersecurity Draft Children's Online Privacy Code for Online...
Priority review Consultation Added Draft

Draft Children's Online Privacy Code for Online Services

Favicon for iapp.org IAPP Privacy News
Published April 2nd, 2026
Detected April 3rd, 2026
Email

Summary

Australia's OAIC released an exposure draft of the Children's Online Privacy Code, proposing new obligations for online services to protect children's data. The code requires consent before targeted advertising using children's data, grants children rights to request data deletion, and mandates notifications when parents consent on behalf of children or when geolocation is being tracked. Public consultation runs for 60 days, with the code set to become law in December 2026.

View original document View source feed page

What changed

The OAIC published an exposure draft Children's Online Privacy Code that establishes comprehensive protections for children using online services including apps, games, streaming services and educational tools. The draft requires organizations to place children's best interests at the center of data practices, obtain consent before using children's personal information for targeted advertising, and notify children when parents have provided consent on their behalf or when geolocation tracking is active. The code builds on the social media minimum age requirement that took effect in December 2025.

Compliance officers at companies offering online services accessible to children must review current data collection practices and prepare for the December 2026 implementation deadline. Organizations should submit comments during the 60-day consultation period and assess targeted advertising workflows, geolocation tracking features, and parental consent mechanisms. The draft represents globally leading protections that may influence similar standards internationally.

What to do next

  1. Review current data collection and advertising practices targeting children and prepare consent mechanisms
  2. Submit comments to OAIC during the 60-day consultation period
  3. Assess geolocation tracking features and implement required notifications

Source document (simplified)

OPINION Published

2 April 2026

Subscribe to IAPP Newsletters

Contributors:

Adam Ford

Managing Director, Australia New Zealand

IAPP

Editor's note

The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.

As we move deeper into 2026, momentum across privacy, artificial intelligence governance and digital responsibility continues to build in meaningful ways throughout the region. Australia saw a particularly significant development this past week with the Office of the Australian Information Commissioner's release of the exposure draft of the Children's Online Privacy Code.

The draft code proposes a suite of new obligations designed explicitly to ensure that the best interests of children are placed at the center of data collection and handling practices. It would require agencies and organizations to consider children's interests before collecting, using or disclosing their personal information.

Notably, it introduces strengthened safeguards around targeted advertising, mandating that organizations obtain consent prior to using children's personal information for that purpose, while also empowering children with the right to request deletion of their data.

The draft code also introduces novel, globally leading protections, including requirements for online services to notify a child when a parent has provided consent on their behalf, and when parents or other users are tracking their geolocation on a platform.

In scope, the draft code is expansive, applying to online services where children face the highest privacy risks such as apps, games, streaming services and educational tools. Alongside the social media minimum age obligation that took effect in December 2025, the draft code represents an important uplift in Australia's online child safety posture.

Public consultation is now open for 60 days, welcoming contributions from children, parents, industry and civil society before the draft is finalized ahead of becoming law in December 2026.

While policymakers in Australia were marking this milestone, thousands of privacy, cybersecurity and AI governance professionals convened in Washington, D.C., for the IAPP Global Summit 2026, the world's largest annual gathering of digital responsibility leaders. The Summit featured more than 70 breakout sessions and hundreds of speakers, with the agenda dominated by themes of AI governance, the expanding U.S. state privacy law patchwork and the increasing urgency of global privacy enforcement.

Several keynote moments stood out. Prince Harry, Duke of Sussex, delivered a headline address exploring the tension between digital technology, media intrusion and personal agency, drawing from his own public experiences to highlight the societal consequences of weakened privacy norms. His message underscored that control over one's information is rapidly becoming a collective, not just individual, challenge.

Renowned author Salman Rushdie also offered a deeply human perspective on privacy, reflecting on how his near-fatal 2022 attack forced him to "surrender" his privacy in order to survive, and emphasized global disparities in access to both physical and digital privacy.

On the regulatory front, U.S. Federal Trade Commissioner Mark Meador outlined U.S. enforcement priorities for 2026, including children's safety online, the risks of the attention economy, deepfakes and the growing psychological reliance on AI systems, all of which mirror areas of increasing scrutiny in our own region. The Summit's strong focus on AI governance further reinforced the need for organizations to embed safety by design, deploy AI systems responsibly and anticipate rapidly evolving global frameworks.

With Australia undertaking major reform and global discussions accelerating, it is clear that 2026 is shaping up to be a defining year for privacy and digital responsibility. As a community, our opportunity and responsibility is to help guide organizations through these shifts with clarity, confidence and purpose.

This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here .

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.

Submit for CPEs

Contributors:

Adam Ford

Managing Director, Australia New Zealand

IAPP

Tags:

Children’s privacy and safety Privacy AI governance

Related Stories

### IAPP Global Summit 2026: FTC Commissioner Meador stresses agency preference for 'case-by-case' enforcement 31 March 2026

### IAPP Global Summit 2026: Salman Rushdie reflects on notion of privacy after attempt on his life 31 March 2026

### Children's social media bans: Australia reviews, UK consults 2 March 2026

### Australia's social media ban remains a global model despite perceived lapses in early enforcement 5 Feb. 2026

Named provisions

Consent Requirements Targeted Advertising Safeguards Data Deletion Rights Geolocation Notifications Parental Consent Notifications

Related changes

Favicon for iapp.org Mass Disclosure of Personal Data and Privacy Lessons from Slovakia and the EU
Routine Apr 03, 2026 IAPP Privacy News Data Privacy & Cybersecurity
Favicon for iapp.org California Higher CCPA Fines Age Assurance Enforcement Ramp-up
Priority review Apr 03, 2026 IAPP Privacy News Data Privacy & Cybersecurity
Favicon for iapp.org Brazil-EU Data Transfer Adequacy Decision
Priority review Mar 28, 2026 IAPP Privacy News Data Privacy & Cybersecurity
Favicon for www.dccourts.gov Moore v. District of Columbia - Data Breach Appeal Jurisdiction
Routine Apr 02, 2026 DC Court of Appeals Courts & Legal
Favicon for changeflow.com Gift preference prediction using social media data
Routine Apr 02, 2026 ChangeBridge: Patent Apps - Business Methods (G06Q) Banking & Finance
Favicon for changeflow.com Federated Fraud Detection with Homomorphic Encryption
Routine Apr 02, 2026 ChangeBridge: Patent Apps - Networking (H04L) Telecom & Technology

Source

Favicon for iapp.org
IAPP Privacy News iapp.org/news
Data Privacy & Cybersecurity
Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
OAIC
Published
April 2nd, 2026
Comment period closes
June 1st, 2026 (59 days)
Compliance deadline
December 1st, 2026 (242 days)
Instrument
Consultation
Legal weight
Binding
Stage
Draft
Change scope
Substantive

Who this affects

Applies to
Technology companies Retailers Consumers
Industry sector
4541 E-Commerce 5112 Software & Technology 4411 Retail Trade
Activity scope
Data Collection from Children Targeted Advertising Geolocation Tracking
Threshold
Online services where children face privacy risks including apps, games, streaming services and educational tools
Geographic scope
Australia AU

Taxonomy

Primary area
Data Privacy
Operational domain
Compliance
Compliance frameworks
GDPR CCPA/CPRA
Topics
Consumer Protection Artificial Intelligence

Browse Categories

Agriculture & Food Safety 63 AI Regulation 3 Banking & Finance 266 Consumer & Competition 1 Consumer Protection 43 Courts & Legal 358 Data Privacy & Cybersecurity 74 Defense & National Security 52 Education 20 Energy 101 Environment 85 Government & Legislation 274 Healthcare 135 Housing 16 Immigration 9 Insurance 58 Labor & Employment 113 Legal & Courts 1 medical-board 1 Pharma & Drug Safety 103 Securities & Markets 104 Tax 65 Tax & Revenue 1 Telecom & Technology 47 Trade & Sanctions 124 Transportation 57

Get Data Privacy & Cybersecurity alerts

Weekly digest. AI-summarized, no noise.

Free. Unsubscribe anytime.

Get alerts for this source

We'll email you when IAPP Privacy News publishes new changes.

Optional. Personalizes your daily digest.

Free. Unsubscribe anytime.