The Office of the Australian Information Commissioner (OAIC) has published new guidance on age assurance technologies to assist entities to ensure Australians’ privacy is protected when they encounter age checks online.
Three months on from the commencement of the Social Media Minimum Age (SMMA) scheme, the OAIC has observed significant growth in age checks taking place in Australia to allow people access to other online services.
With the introduction of new age assurance obligations on 9 March 2026 under eSafety-registered Age-Restricted Material Codes, the publication of this new guidance supports entities to work through the privacy issues associated with choosing and implementing age assurance methods, outside of the SMMA scheme.
Privacy Commissioner Carly Kind said that the guidance clarifies the OAIC’s expectations, emphasising necessity and proportionality, transparency, effective complaints mechanisms, and strong vendor controls.
“Age assurance solutions are in many cases fragmented across multiple providers. Entities need to stop and think about the goals of performing an age check, whether it is even necessary in the first place, and ensure strong governance across the ecosystem” Ms Kind said. “Age assurance is not a blank cheque to use personal or sensitive information in all circumstances and must not erode Australians’ privacy rights.”
“Offering individuals transparent, data-minimising options to validate their age is important if entities want to use these technologies as a gateway to age-appropriate experiences online”.
“Complaints about digital platforms are on the rise and it is imperative entities provide simple and accessible pathways for resolving a complaint.”
“The OAIC continues to advocate for a more privacy-respecting digital world for children and will be further supporting this goal with the registration of the Children’s Online Privacy Code in December 2026.”
The guidance calls on entities to:
- establish whether age checks are needed and take a privacy by design approach.
- undertake due diligence to ensure the security of the entity’s age assurance ecosystem.
- assess risk and choose age-assurance methods that are proportionate and data minimising
- ensure clear consent requests are used for the collection of sensitive information (such as biometric templates) or for secondary use or disclosure.
- be transparent in privacy notices and ensure meaningful support is available to individuals at the moments it matters, through simple and easy to access complaints processes.
Failure to meet these obligations may constitute ‘an interference with the privacy of an individual’ and may trigger compliance or enforcement action.
For more information and to view the guidance.
