Australian Privacy Commissioner issues new guidance for age-restricted social media platforms
The guidance set strict limits on how platforms and age assurance providers can collect and use personal data to verify users’ ages, ensuring that age checks are proportionate, privacy-respecting, and transparent.
The Office of the Australian Information Commissioner (OAIC) has released new regulatory guidance to help social media platforms and age assurance providers comply with privacy rules under the upcoming Social Media Minimum Age (SMMA) scheme, which will take effect on 10 December 2025.
The guidance outlines how platforms that restrict access by age must handle users’ personal information when verifying ages, ensuring that the process respects Australians’ privacy rights. Privacy Commissioner Carly Kind emphasised that the OAIC’s approach aims to balance child protection with strong data protection standards. ‘We’re putting age-restricted social media platforms on notice,’ she said, adding that the OAIC would ensure that all age assurance methods are lawful and proportionate.
The SMMA scheme is jointly regulated by the OAIC and the eSafety Commissioner. While eSafety recently issued rules on what ‘reasonable steps’ platforms must take to prevent underage users from creating accounts, the OAIC’s guidance focuses specifically on how personal and sensitive data should be managed for age verification.
Why does it matter?
The OAIC’s document details several key obligations for social media platforms and third-party age assurance providers. These include:
- ensuring that age assurance methods are necessary and proportionate;
- minimising the collection and use of personal or sensitive data;
- destroying personal information once the purpose of verification has been met;
- gaining clear and withdrawable consent for any optional use of personal information; and
- providing transparent information to users about how their data is handled.
The OAIC also clarified that personal data already collected for other lawful purposes can be reused for SMMA compliance if the original purpose remains valid, but any new collection must follow strict privacy safeguards.
Commissioner Kind stressed that the SMMA framework ‘is not a blank cheque to use personal or sensitive information in all circumstances’ and confirmed that the OAIC will actively monitor compliance. Platforms that fail to meet these standards could face enforcement action for interfering with individuals’ privacy rights.
Further OAIC materials will soon be made available to explain how age assurance processes handle personal data and to provide educational resources for families and children on protecting privacy online.
