Australia's Children's Online Privacy Code Is in Public Consultation Until June 5. Most Marketing Teams Have Not Read the Draft.
The OAIC published an exposure draft of the Children's Online Privacy Code on March 31. Public consultation closes June 5, 2026. The Code expands children's privacy protection well beyond social media and will apply to apps, games and websites by December 10.
The Office of the Australian Information Commissioner published an exposure draft of the Children's Online Privacy Code on March 31, 2026. Public consultation closes June 5. The Code is on track to be registered by December 10, 2026.
The scope is wider than most marketers expect. The draft pulls in apps, games and websites used by children and teenagers, not just social media platforms. If your product, brand or campaign reaches under-18s in Australia, your data collection practices are inside the Code's perimeter.
The thresholds matter. Services likely to be accessed by children, whether intended for them or not, fall under the regime. That is the language the UK Children's Code uses and the OAIC has signalled it is the language the Australian Code will adopt. The retail brand running an Instagram giveaway is captured. The gaming app with adult-targeted ads is captured. The educational website with embedded analytics is captured.
Penalties for breaches of core privacy obligations now sit at up to AUD 66,000 per contravention. The OAIC's first sector-specific compliance sweep, focused on rental, pharmacy, licensed venues and pawnbrokers, is already underway. Children's privacy is the next planned enforcement focus.
Up to AUD 66,000: the per-contravention penalty the OAIC can issue for breaches of core privacy obligations. The cap was lifted in December 2024.
Why it matters
The marketing teams most at risk are not the ones that target children intentionally. They are the ones that target broadly and incidentally pull in under-18s. Apparel brands. QSR chains. Fitness apps. Gaming platforms. Streaming services. Education and tutoring. Healthcare. The data minimisation, consent and disclosure requirements in the Code apply whether your campaign targets a teenager directly or just happens to reach them.
The second risk is the AI overlay. Personalised ad targeting based on behavioural profiles is exactly the category of processing the Code is built to restrict for children. If your media strategy relies on data signals that cannot be cleanly age-gated, you have a compliance problem that does not get solved by adding a disclosure paragraph to the privacy policy.
For Australian advertisers and brands, the consultation window is the moment to read the draft, model the implications and feed back. Once the Code is registered in December, the comment period is over and the audit period begins.
What to do about it
Read the exposure draft this week. Have your legal or privacy lead summarise the obligations that hit your brand. The OAIC site has the full draft and the consultation form.
Map your data collection points against the draft requirements. Sign-up forms, loyalty programs, lead-gen campaigns, app installs and analytics tags all need to be checked for age-gating gaps.
Submit a consultation response. The window closes June 5. This is the moment to flag implementation pain points before the Code is registered.
Audit your media buying. If your audience targeting includes age brackets that overlap with under-18s, document the data sources and consent paths. The OAIC will want to see the audit trail.
Brief your agencies and ad ops teams. The penalties apply to the brand, not the agency. If your agency is running campaigns that pull data on minors without proper consent, the regulator does not care who built the targeting setup.
The Code is not optional and it is not far away. The brands that read the draft this week will be the ones that ship into December without panic.