Updated: 17 March 2026

Age assurance is an umbrella term that describes a range of methods used to verify, estimate or infer an individual’s age or age range to determine their eligibility to access, for example, an online service or content.

This general guidance is for APP entities considering implementing age assurance systems that involve the collection, use or disclosure of personal information. The aim of this guidance is to assist APP entities to comply with their privacy obligations under the Australian Privacy Principles (APPs) and support entities and third-party vendors in understanding the privacy impacts associated with choosing and implementing different age assurance systems. It contains practical considerations, privacy tips and questions to ask when implementing or monitoring systems.

Entities implementing age assurance for the purposes of the Social Media Minimum Age (SMMA) obligation should read this guidance in conjunction with OAIC guidance on Part 4A of the Online Safety Act 2021 (Cth) which explains the privacy obligations that apply in that context.

The following key considerations are explored in detail in the guidance:

  • Establish whether age assurance is needed. Take a privacy by design approach and consider the privacy impacts associated with each age assurance method (e.g. inference, estimation and verification) and whether the circumstances surrounding the specific chosen method(s) justify the privacy risks. Undertake a Privacy Impact Assessment and implement recommendations to manage, minimise or eliminate privacy risk for each method. (APP 1, APP 2, APP 3, APP 6, APP 10)
  • Undertake due diligence to ensure the security of your entity’s age assurance ecosystem from age check to dispute resolution, especially where multiple providers are involved. Ensure vendors have appropriate governance processes for handling personal information and that contractual arrangements ensure privacy compliance. (APP 1, APP 11)
  • When choosing or offering an age assurance method (or combination of methods) ensure it is reasonably necessary and proportionate to legitimate aim(s). Consider alternate methods and how you can use low-intrusion techniques within an age assurance method(s). Monitor whether the chosen method introduces bias or discrimination. (APP 1, APP 3, APP 6)
  • Escalate to more intrusive personal information handling only as necessary. Age checks should not seek to reveal the identity of the individual and should only validate age for the purpose of accessing a specific service. Low risk services should consider whether an age check is required or whether self-declaration can be relied upon. (APP 1, APP 3, APP 6)
  • Be transparent, at the moment it matters. Use APP 5 just-in-time notices to explain key information such as what is collected, why, by whom, how long it is retained, and the individual’s choices (including alternative methods and review processes). APP 1 privacy policies should be updated with clear and transparent information, with clear policies and procedures to facilitate this transparency. (APP 1, APP 5)
  • Define primary and secondary purposes precisely and in line with the specific function or activity for which you are collecting, using or disclosing the information. Descriptions should be clear, concise, up-to-date and visible to individuals when they would reasonably expect it. (APP 1, APP 5, APP 6)
  • Provide clear contact information and ensure meaningful support is available to individuals, including non-users. Ensure that escalation measures are in place to resolve privacy questions and that complaints processes are simple and accessible in relation to the handling of personal information. (APP 1)
  • Minimise the inclusion of personal and sensitive information in age assurance processes. Only retain enough personal information in outputs to meet defined purposes, such as to explain the measures implemented for an individual and to facilitate reviews or complaints, then destroy or de-identify on schedule. (APP 3, APP 6)
  • Be thoughtful when designing consent requests for the collection of sensitive information (such as biometric templates) or for secondary use or disclosure. These should be written and designed so individuals of all abilities can understand what they are being asked to agree to and change their mind. (APP 3, APP 5)
  • Destroy or de-identify any inputs that have been collected immediately once the purposes of collection have been met. Personal information, including sensitive information, collected for age assurance purposes (e.g. biometric information, biometric templates, identity documents) must be destroyed once all purposes have been met. Avoid purpose ‘padding’ and ensure destruction includes caches and storage. As a matter of best practice, ringfence inputs by separating out personal information associated with age checks into a contained, secure environment. (APP 11)
Information:

We are currently in the process of publishing this guidance in HTML. In the meantime, please refer to the PDF version. If you need assistance because the document you need is not available in a format you can access, please contact us at website@oaic.gov.au.