Australia is tightening the rules on children's privacy - here's how it will work

Australia's privacy laws have been woefully out of date for a long time - not fit to address the realities of the digital world.

As part of the long overdue update, the Privacy and Other Legislation Amendment Act in 2024 directed the Office of the Australian Information Commissioner (OAIC) to develop a code to better protect the privacy of young Australians in the digital world.

This is urgently needed. By the time a child turns 13, around 72 million pieces of data will have been collected about them.

This week, the OAIC published a draft of the Children's Online Privacy Code, which is now open for public comment.

What's in the code?

The code's scope is much wider than just social media. It encompasses most online services, spaces and platforms that children use. Importantly, it also includes services that may contain children's personal data but are used by adults.

Everything from educational platforms to infant tracking apps will be subject to the code. The best interests of the child are embedded in it, and services will be expected to interpret and implement it.

Data minimisation

This specifies children's personal data can only be collected by online services where there's a clear and direct purpose for that collection, and that data should only be kept while it's necessary to perform that purpose.

Any further data collection requires explicit consent requested in a way that's age-appropriate for the child.

This ensures platforms only request what's actually mission critical. The onus is on services to delete that personal data as soon as it's not needed, to help prevent children's data being caught up in data breaches.

The right to delete

Where platforms and services hold children's personal data, children will now have a clear and explicit right to request that data is deleted.

The "right to be forgotten" has been on privacy advocates' wishlist for decades. It recognises individuals own their own data and should maintain control over it where possible.

Geolocation transparency

When children consent to having their geographic location tracked by digital devices and services, or their parents consent to this on their behalf for those under 15, children regardless of age will be notified when tracking services are sharing that information.

Geolocation data can be particularly tricky, even within families. While some might find location tracking helpful, others view it as intrusive surveillance.

Ensuring it's at least transparent to children will help ensure they're active and aware participants in these services.

Age-appropriate explanations

Saying you've read an app's terms of service or privacy policies is one of the most common white lies told.

That's mostly because these are long, impenetrable, almost unreadable documents. When children are asked to consent to share their data, the code specifies the explanation for this request must be understandable and age-appropriate. If the request is aimed at a child who might be ten, the explanation needs to be clear to the average ten-year-old.

This is vital. Not only does it allow children to make better choices, it also increases their digital literacy as they make meaningful choices about their own data.

As part of this, deceptive design elements that might trick children into sharing personal data are explicitly not allowed.

We can expect pushback from big tech

There will undoubtedly be considerable pushback from big technology platforms about the scope of the code. It seeks to disrupt business as usual, and requires that children's data is only collected for specific purposes, with explicit consent, and retained for as little time as possible.

That's the opposite of the "grab and keep as much data for as long as possible" logic that drives most tech companies and platforms today. Big data is still imagined to be the big oil of the digital world. Private, personal data is among its most valued forms. Artificial intelligence companies are even more thirsty for that personal data to train their systems.

We'll need more digital literacy

For children under 15, the code relies on parental consent. That consent is visible to children, which is important in keeping them informed. However, there's work to do to equip every parent with the tech literacy they need to make informed choices with their children.

In some cases, children don't easily have a parent or carer to turn to. For children in the most at-risk and challenging situations, there may be difficulties in ensuring that the consent process really can work in children's best interest.

In our Manifesto for a Better Children's Internet, colleagues and I from the ARC Centre of Excellence for the Digital Child offer a roadmap for an internet better aligned with children's needs and experiences.

Crucially, we argue there should be more focus on protecting children within the digital environment, rather than from it.

Maximising children's opportunities in the digital world means trying to make as many digital spaces available to them, while ensuring those spaces are designed to be as safe and age appropriate as possible.

The Children's Online Privacy Code is set to make an important contribution in achieving that aim. It recognises children's right to participation as much as their right to protection.

What happens next?

The OAIC has launched a Privacy for Kids website, which offers age-appropriate explanations of the code for children and adults.

It provides a variety of tools and age-appropriate resources to allow children and adults to offer their thoughts on the draft code. That consultation is open until June 5 this year.

After responding to the public consultation, the final version of the code must go live by December 10 2026.

TheConversation.com

Author: Tama Leaver- Professor of Internet Studies, Curtin University

https://theconversation.com/australia-is-tightening-the-rules-on-childrens-privacy-heres-how-it-will-work-279661