Privacy law

OAIC publishes new guidance for under-16s social media ban

by

reviewed by

Malcolm Burrows

Reading Time:

5–8 minutes

On 10 October 2025, the Office of the Australian Information Commissioner (OAIC), led by Privacy Commissioner, Ms Carly Kind, released a twenty-nine (29) page Privacy Guidance on Part 4A (Social Media Minimum Age) of the Online Safety Act 2021 (New Guidance).  This New Guidance details the privacy obligations for Age-Restricted Social Media Platforms (Restricted Platforms) and third-party age assurance providers.  The Privacy Commissioner put these entities “on notice“, stressing the need to ensure that age assurance methods are implemented lawfully.

Context of New Guidance

This New Guidance precedes the Social Media Minimum Age (SMMA) scheme taking effect on 10 December 2025.  The SMMA regime, which aims to prevent Australians under sixteen (16) from holding accounts on Restricted Platforms, is jointly regulated by the OAIC and the eSafety Commissioner, Ms Julie Inman Grant.

While the eSafety Commissioner published guidance on “reasonable steps Restricted Platforms must take to prevent underage users, the OAIC’s New Guidance focuses on the handling of personal information and ensuring compliance with existing legislation such as the Privacy Act 1988 (Cth) (Privacy Act). 

The Privacy Commissioner emphasised that the SMMA legislation is “not a blank cheque to use personal or sensitive information in all circumstances” and affirmed that the OAIC will be actively monitoring Restricted Platforms to ensure they deploy age assurance “proportionately and lawfully“.

The New Guidance is comprised of the following seven (7) chapters:

  • Key considerations;
  • Overview of Part 4A;
  • Adopting a privacy by design approach when choosing an age assurance method;
  • Privacy guidance – collection;
  • Privacy guidance – destruction;
  • Privacy guidance – secondary use or disclosure of personal information collected for SMMA compliance purposes; and
  • Privacy guidance – frequency of checks.

Overview of New Guidance

Part 4A of the Online Safety Act 2021 (Cth)

Part 4A of the Online Safety Act 2021 (Cth) (Online Safety Act) requires providers of Restricted Platforms to take reasonable steps to prevent children under the age of sixteen (16) years (Age-Restricted Users), from having an account on their social media platform.

The onus is on Restricted Platforms to introduce demonstrable systems that ensure that Age-Restricted Users cannot create or continue holding a social media account.

Part 4A does not prescribe what ‘reasonable steps’ platforms must take.  However, it has been made clear by the OAIC and the eSafety Commissioner that Restricted Platforms will be required to implement age assurance technology at a minimum.

Part 4A operates alongside the Privacy Act and the Australian Privacy Principles (APPs), and introduces additional, more stringent obligations on Restricted Platforms.

Section 63F(1) states that where Restricted Platforms hold personal information about an individual that was collected for SMMA compliance purposes, they must not use or disclose that information for any other purpose, except where:

  • disclosure is required by Australian statute, a Court order, law enforcement or health-related reasons; or
  • with the voluntary, informed, current, specific and unambiguous consent of the individual.

New Guidance on SMMA data collection obligations

“New collection” for age verification

Restricted Platforms may collect limited personal information, such as selfies or copies of Government-issued identification, to verify if a user is at least sixteen (16) years old.  It is preferable to collect binary information, such as whether someone is or is not an Age-Restricted User, rather than more personal details like date of birth.  Restricted Platforms are encouraged to use on-device or temporary processing, to avoid storing selfies or documents, and to offer clear options and alternatives, such as facial age check or digital ID token.

Using existing information for age verification

If Restricted Platforms already hold user information such as date of birth, this can be used to confirm age without triggering new privacy obligations. However, where new data is created, such as a “16+” flag attached to an account, the obligations would be triggered.  Restricted Platforms should also avoid unnecessary use of sensitive information like biometrics, which carries greater privacy obligations, when non-sensitive personal information suffices.

Age verification by inference

Restricted Platforms can infer age using metadata, behaviour, or account history, however these inference results, such as “likely 16+”, are considered new personal data.  This process is less accurate than other methods and may be disproportionately invasive, hence this process should start with low-risk age signals like IP address and account age and avoid profiling or sensitive data unless necessary.

For more information on age verification technology, see our article on the Federal Government’s Final Report on the Age Assurance Technology Trial.

New Guidance on SMMA data destruction obligations

Section 63F(3) of Part 4A of the Online Safety Act also requires Restricted Platforms to destroy SMMA information after using or disclosing it.  This rule is stricter than APP 11.2, which allows retention if reasonably necessary for ancillary business needs.  Deidentification of personal information is not sufficient in lieu of destruction.

Inputted data like selfies, documents, and biometrics are higher risk and must be destroyed immediately after use, while outputted tokens, inferences, and methods of collection can be kept briefly in a separate ring-fenced SMMA cyber environment away from other systems.

It is recommended that prior to destruction, personal information is kept in read-only Application Programming Interfaces (APIs) that allow retrieval but explicitly prevent the modification or creation of data.  Minimal retention is acceptable in certain cases including for:

  • audit logging, where a record with minimal personal information may be kept as evidence that an age check occurred;
  • troubleshooting or fraud, where information may be retained only for case-specific investigations; and
  • complaints and reviews, where information may be stored temporarily in a redacted form before destruction.

Each of these purposes must have defined time limits for retaining information, strict access controls and automated deletion processes in place.  Vague or padded purposes, such as “future research”, cannot be used to justify longer retention, and an objective, platform-wide retention matrix is recommended to manage and limit how long data is kept.  A failure to comply is considered an interference with the privacy of the individual pursuant to section 13 of the Privacy Act.

New Guidance on ongoing SMMA data obligations

SMMA compliance measures must be proactive and adaptive, requiring regular monitoring of platform changes and user behaviours to identify emerging risks and attempted circumvention by Age Restricted Users.

Ongoing compliance, such as through recurring checks or triggers, should be proportionate and necessary.  Any reuse that relies on existing personal information should have consent or another clear legal basis, as per APP 6.  Restricted Platforms should build and maintain their age assurance practices so that quality is maintained in compliance with APP 10, and security and retention limitations required by APP 11 are enforced by design.

Takeaways for Restricted Platforms

Key takeaways are as follows:

  • collect only what is needed for SMMA purposes;
  • destroy data promptly after SMMA purposes are met as de-identification is not sufficient;
  • do not store raw inputs unless strictly necessary and time-limited;
  • secondary use and disclosure is prohibited without clear, unambiguous consent or a valid legal exception;
  • maintain clear retention schedules, with automatic deletion mechanisms;
  • build ring-fenced systems to support compliance and accountability; and
  • do not bundle consent with general terms, instead provide separate and opt-in conditions.

Links and further references

Legislation

Privacy Act 1988 (Cth)

Online Safety Act 2021 (Cth)

Further information about SMMA scheme obligations

If you need advice on the impending SMMA scheme obligations for your online business or platform, contact us for a confidential and obligation free discussion:

Doyles Recommended TMT Lawyer 2024

Related insights about privacy compliance

  • Bill to allow victims of AI deepfakes to sue for emotional damages

    Bill to allow victims of AI deepfakes to sue for emotional damages

    On 24 November 2025, Senator David Pocock introduced a private Senator’s bill, the Online Safety and Other Legislation Amendment (My Face, My Rights) Bill 2025 (Cth) (Bill) to amend the Online Safety Act 2021 (Cth) (Online Safety Act) and the Privacy Act 1988 (Cth) (Privacy Act). 

    Read more …

  • Malcolm Burrows on ABC’s “Legal Eagles” segment – Deepfakes

    Malcolm Burrows on ABC’s “Legal Eagles” segment – Deepfakes

    On 3 December 2025, Malcolm Burrows appeared live on Katherine Feeney’s ABC Radio program, “Legal Eagles” as the Technology and Intellectual Property Lawyer to discuss the proposed amendments to the Online Safety Act 2021 (Cth) through the introduction of the Online Safety and other legislation Amendment (My Face Rights) Bill (Cth) 2025 (My Face Rights…

    Read more …

  • OAIC publishes new guidance for under-16s social media ban

    OAIC publishes new guidance for under-16s social media ban

    On 10 October 2025, the Office of the Australian Information Commissioner (OAIC), led by Privacy Commissioner, Ms Carly Kind, released a twenty-nine (29) page Privacy Guidance on Part 4A (Social Media Minimum Age) of the Online Safety Act 2021 (New Guidance).  This New Guidance details the privacy obligations for Age-Restricted Social Media Platforms (Restricted Platforms)…

    Read more …

  • Aust Clinical Labs fined $5.8mil for failing to report data breach

    Aust Clinical Labs fined $5.8mil for failing to report data breach

    On 8 October 2025, the Federal Court published the judgement of Justice Halley in the case of Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 (AIC v ACL).  Australian Clinical Labs Limited (ACL) was ordered to pay $5.8 million in civil penalties in relation to a 2022 data breach.  This…

    Read more …

  • Federal Government releases report into age verification trials

    Federal Government releases report into age verification trials

    On 31 August 2025, the Australian Government published the Final Report (Report) on the Age Assurance Technology Trial (Trial).  Conducted by the independent Age Check Certification Scheme (ACCS), the Trial offers insights into the technical feasibility, privacy implications, and operational deployment capabilities of various age assurance technologies.  While the Report explicitly states it is neutral…

    Read more …

  • What is the US Take It Down Act?

    What is the US Take It Down Act?

    The Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act (Take It Down Act ) is a United States (US) federal law enacted on 19 May 2025. The Take It Down Act amends 47 U.S. Code § 223 (Code) of the Communications Act 1934 (US) (Communications Act) by establishing new…

    Read more …

  • Federal parliament enacts cyber security legislation

    Federal parliament enacts cyber security legislation

    On 25 November 2024, the Australian Parliament passed a suite of legislation, collectively referred to by the Australian Government as the Cyber Security Legislative Package 2024.  The purported impetus for this legislation was a series of high-profile data breaches in 2022 and 2023.

    Read more …

  • Privacy Act amended to increase penalties to a max of $50 million

    Privacy Act amended to increase penalties to a max of $50 million

    The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) was passed by both Houses of Parliament on the 28 November 2022 and now awaits Royal Assent.  The Bill was passed with virtually no amendment.

    Read more …

  • What should APP Entities include in data destruction policies?

    What should APP Entities include in data destruction policies?

    This article summarises the Australian Privacy Principles (APPs) and the importance of having a data destruction policy (DDP) in place. It outlines the steps to take when destroying or deidentifying personal and sensitive information, and the consequences of not doing so.

    Read more …

Send this to a friend