Australia's Children's Online Privacy Code finished public consultation on 5 June 2026 and must be registered by 10 December 2026. It applies to any service likely to be accessed by children and allows marketing to kids only with consent, in the child's best interests and using directly collected data.
"Likely to be accessed by children" is the phrase that should make you check your own service, not assume it does not apply.
Australia's first dedicated privacy code for children just finished its public consultation, which closed today, 5 June 2026. The Children's Online Privacy Code must be registered by 10 December 2026 and applies to any online service likely to be accessed by children. That sweeps in a lot more businesses than the ones that think of kids as their audience.
For marketers the important part is direct marketing. Under the draft, marketing to a child is only allowed with consent, only when it is in the child's best interests and only when the data was collected directly from the child rather than bought or scraped from a third party. Targeted advertising to children needs consent up front. Children can ask for their data to be deleted.
Why it matters
Most businesses assume child privacy is a problem for social platforms and game studios. The drafting is broader than that. If a teenager could plausibly use your service, the obligations can reach you. The era of collecting whatever you can and sorting it out later is closing, and this code puts teeth on it well before the wider Privacy Act reforms land.
10 December 2026: the date Australia's Children's Online Privacy Code must be registered and starts to bite
The OAIC has run more than 65 stakeholder engagements building this. It is not a thought bubble. It is coming, and the consent and deletion mechanics take real engineering, not a policy page.
What to do about it
Privacy reform in Australia has felt slow for years. This piece has a date. Treat 10 December as the day your current practices stop being optional.