The Office of the Australian Information Commissioner (OAIC) has published regulatory guidance for age-restricted social media platforms and age assurance providers on compliance with the privacy provisions for the Social Media Minimum Age (SMMA) scheme, due to take effect on 10 December.

Privacy Commissioner Carly Kind said that the guidance reflects the stringent legal obligations on entities to ensure that age assurance is applied proportionately and through privacy-respecting approaches.

“Today we’re putting age-restricted social media platforms on notice,” Ms Kind said. “The OAIC is here to guard and uplift the privacy protections of all Australians by ensuring that the age assurance methods used by age-restricted social media platforms and age assurance providers are lawful.”

The OAIC co-regulates SMMA alongside eSafety. Last month, eSafety published their regulatory guidance detailing what ‘reasonable steps’ age-restricted social media platforms must take to prevent age-restricted users from having accounts, including guiding principles for the implementation of age assurance to meet SMMA obligations.

The OAIC’s guidance published today provides information for age-restricted social media platforms and third-party age assurance providers on handling personal information for age assurance purposes in the SMMA context.

“The OAIC is committed to ensuring the successful rollout of the SMMA regime by robustly applying and regulating the privacy rules contained in the legislation, in order to reassure the Australian community that their privacy is protected,” said Privacy Commissioner Carly Kind.

“eSafety has provided the rules of the game with their ‘reasonable steps.’ Now the OAIC is setting out what is out-of-bounds when it comes to the handling of personal information for age assurance in the social media minimum age context.

“Together, eSafety and the OAIC’s regulatory guidance outlines the field of play for age-restricted social media platforms and third-party age assurance providers.

“SMMA is not a blank cheque to use personal or sensitive information in all circumstances; we’ll be actively monitoring platforms to ensure they stay within the bounds by deploying age assurance proportionately and lawfully.”

Key considerations detailed in the guidance call on entities to:

  • note the additional privacy obligations in the SMMA scheme operate alongside the Privacy Act 1988 and the Australian Privacy Principles.
  • choose age-assurance methods that are necessary and proportionate, and assess the privacy impacts associated with each method.
  • minimise the inclusion of personal and sensitive information in age assurance processes.
  • note pre-existing personal information later used for SMMA purposes does not need to be destroyed where the original purposes are ongoing.
  • destroy personal information collected for SMMA purposes once purposes are met.
  • make sure that any further use of personal information collected for SMMA purposes is strictly optional, has the user’s unambiguous consent and can be easily withdrawn.
  • be transparent about the handling of personal information for SMMA purposes in privacy notices and at the moments it matters.

Together, these privacy safeguards impose stringent legal obligations on age-restricted social media platforms and age assurance providers. Failure to meet these obligations may constitute ‘an interference with the privacy of an individual’ and may trigger enforcement action.

Further OAIC resources will be released soon to help Australians understand what personal information may be handled through age assurance methods, as well as educational resources for children and families to help them navigate the changes and support conversations about children’s privacy online.

For more information and to view the guidance, visit: www.oaic.gov.au/privacy/privacy-legislation/related-legislation/social-media-minimum-age

Background

The OAIC co-regulates the Social Media Minimum Age Scheme with eSafety. Specifically, the OAIC oversees the compliance and enforcement of the privacy provisions set out in Section 63F of Part 4A of the Online Safety Act 2021, which operate in tandem with the Privacy Act 1988.