
Carly Kind

Privacy Commissioner


Safer Internet Day is a global day of action bringing communities, schools, organisations and families from 180 countries together to raise awareness of online safety issues and work towards a safer internet. In line with the OAIC’s regulatory priorities to protect and uphold privacy and rights when dealing with high impact emerging technologies, we recognise the growing role of age assurance in promoting a safer internet.

Two months on from the start of the Social Media Minimum Age (SMMA) obligation, the OAIC has observed the growth of age assurance at scale in Australia. The OAIC’s world-leading guidance on age assurance has supported the roll-out of age checks in social media environments where necessity and proportionality can be established and other privacy obligations are met.

As industry tackles the demands of the law, Australians have been quick to question the privacy risks that arise from this new and routine use of personal and sensitive information.

Key themes we are seeing through public enquiries to the OAIC are adults objecting to age assurance on their own accounts, concerns with the collection of sensitive information including biometric templates – particularly from children – and the noteworthy rise in businesses taking this moment to implement age assurance when they are not subject to laws that require them to do so.

Age assurance can be an important safety tool to ensure Australians have age-appropriate experiences when interacting in digital spaces. But age checks are not a blank cheque to use personal or sensitive information in all circumstances. An individual’s age is simply a number and not their identity - it should be used as a key to access rather than a coin to trade.

While the dominant media narrative highlights the accuracy of age assurance (with the under-blocking of under-16s or over-blocking of over-16s) and teens circumventing SMMA age restrictions, the OAIC is currently focused on overcollection of personal information, data minimisation and transparency in line with Australian law. In other words, not how many people get past the nightclub bouncer, but whether the bouncer asks too many questions, holds on to your licence for no reason, and importantly whether the bouncer is clearly identifiable, as a bouncer, to people at the entry door.

What’s next?

With age assurance technologies evolving and maturing, data minimisation practices continue to improve. It is foreseeable that technologies that appear acceptable today may no longer be acceptable tomorrow. This means the question of what personal information is necessary for age assurance is one that businesses should consider at regular intervals. This is particularly relevant given that age assurance is not a set-and-forget practice.

More intrusive technologies (like those that collect identity information) are not always appropriate to assure age. In fact, the need for age assurance may be negated altogether when a business chooses to make its default offerings safer by other means. The OAIC encourages businesses to re-design their services to be safer by default, with age assurance only required for certain higher-risk aspects of the service.

The Children’s Online Privacy Code, to be registered by 10 December 2026, will provide a legislated means for businesses to make services safer by default by reducing privacy harms to children. The Code will seek to support a risk-based approach to assuring age and encourage businesses to implement privacy by design into their service offerings, features that ensure children can experience a safer and more private internet.

Public consultation on the draft Code will commence around March 2026.

eSafety has launched the new Mighty Heroes game to help children learn how to be safer online. eSafety has several resources to help make online safety visible in schools, workplaces, homes and communities, and to support individuals to take steps to protect themselves online.