Children’s Online Privacy Code 2026: Consequences and liability for schools

On 31 March 2026, the Office of the Australian Information Commissioner (OAIC) released an Exposure Draft of the Children’s Online Privacy Code (the Code) for public consultation, alongside an Explanatory Statement. The Code represents a targeted shift in the Australian privacy landscape. It outlines how certain online services likely to be accessed by children, or primarily concerned with the activities of children, must comply with the Australian Privacy Principles (APPs) and additional legislative requirements.

The Code, which will be in place by 10 December 2026, will complement other initiatives to protect our children online, including the Social Media Minimum Age obligation.

Background and Purpose of the Children’s Online Privacy Code

The Code primarily targets online services directly accessed by children such as apps, games, online tools, and websites. These online services expose children and young people to the highest privacy risks.

Notwithstanding this statutory focus, the Code also applies to schools in certain ways. In a school setting, the Code may affect schools’ use of online learning platforms, other apps on school devices, and messaging services used for notifying parents, and may even extend to schools’ social media posts involving students.

Below is a high-level summary of the key draft provisions that schools should pay most attention to.

Key provisions affecting schools

1. Children’s best interests must come first

Online services must place children’s best interests first when handling personal data.

Schools will be expected to clarify with their online providers exactly how the software design treats children’s best interests as a top priority when handling personal data. Schools should also require vendor evidence that the Code’s requirements are not ignored in pursuit of a commercial or financial objective. Schools should confirm with vendors that “high privacy” settings are the default. Children are also to be provided with a clear option to “opt out” regarding personal information, unless it is strictly necessary for the software’s service provision, a narrow test which excludes marketing purposes.

2. Data minimisation is required, not optional

The Code imposes data retention requirements on online services required to comply with the Code. To this effect, schools should ensure that providers:

  • Only collect the minimum personal information necessary for the pursuit of education;
  • Avoid default collection of personal data; and
  • Delete stored personal data as soon as it is no longer needed.

3. No secondary use of children’s data

Schools should ensure that their online service providers are not using children’s data for targeted advertising, profiling, product marketing, or unrelated analytics. It follows that children’s data should not be sold, shared or monetised. These requirements are crucial because, by the time a child turns 13, there are an estimated 72 million data points that may have been gathered about them.

4. Clear limits on consent and parental authority

Schools should test with their online service providers that:

  • Consent can only be given by a child 15 years of age or older. Parental consent is required for younger children;
  • Parental consent does not allow the collection of all types of data;
  • Consent must be voluntary, informed, current, specific and unambiguous;
  • Consent may be revoked and is only valid for a maximum period of 12 months.

The Code further proposes novel mandates to alert children where parents consent on their behalf. This is drafted to enhance transparency and respect children’s right to agency.

5. Age-appropriate transparency is required

The OAIC has determined that verbose, legalistic privacy policies are not suitable for children’s services. Instead, schools should look for vendors to provide clear, age-appropriate language in policies, including understandable explanations and visuals for children where necessary. Vendors should also supply transparent declarations on their handling of personal data, why it is collected, and for how long.

Schools will need to ensure that their general privacy policy is clear, simple, and concise enough for children to understand. Alternatively, schools will need to introduce an additional version of their privacy policy that is in a form and language understandable by children. Such a policy must be easily accessible.

A clear complaints procedure for privacy complaints must also be established, with an option to make complaints of a general nature anonymously. The complaints procedure should also make clear how a complaint can be made to the OAIC. Schools need to respond to complaints within 30 days.

6. Children’s rights to access and delete data must be supported

Significantly, the Code introduces a statutory right for children (and parents, where appropriate), to request deletion of their personal information. A provider must respect this right and respond to such requests within 30 days. Schools should also support requests to access children’s personal information, as long as this is conducted in accordance with the school’s privacy policy.

7. Geolocation and tracking require heightened caution

The Code has made it clear that geolocation tracking is a high-risk area, and should be considered unnecessary, unless absolutely essential for the functioning of the service. Therefore, schools should ensure that tracking via their online service providers is transparent and minimised. Children have the right to be notified when this tracking occurs, irrespective of parental consent. The legislative intent is to safeguard children’s rights and provide them with agency when it comes to their personal data.

8. Schools are not the privacy “shield”

In order to protect their legal position, schools should be clear with online service providers that under the Code:

  • The provider is directly and wholly responsible for compliance with the Privacy Act and the Code;
  • School or parental consent does not mitigate the provider’s existing legal requirements; and
  • Subcontractors and cloud providers are also caught under the legislation.

9. Security and breach readiness are essential

In addition to maintaining their internal systems, schools should seek confirmation from providers that their technical and organisational measures are secure and suitable to handle children’s personal information. Schools should also consider the ability of staff to access personal data and acquaint themselves with data breach response procedures in accordance with Australian law. All school staff interacting with children’s data must be provided with education and training to understand their obligations under the new provisions. Records of this training should be kept and provided to the OAIC upon request.

10. Contractual commitments are expected

It is expected that schools will implement their privacy commitments into their respective privacy policies. However, it is also vital that these obligations and expectations are written and enforceable in contracts, in a transparent manner. When the Code is finalised, privacy policies, procedures and contracts should be updated to reflect compliance with the Code. Privacy practices and procedures are also expected to be updated annually, and records of such updates and reviews must be kept and provided to the OAIC upon request.

Additional considerations

Additionally, the Code recognises that children’s personal information may be handled by services that are not directly accessed by children but are nonetheless primarily concerned with children’s activities, and that such services may present similar privacy risks. This includes, for example, online apps and systems that track childhood development, facilitate sharing photos of students with parents and otherwise support schools to monitor student performance.

How we can help

Moores supports non-government schools, and other education bodies and not-for-profits with privacy compliance, data breach response and cyber incident management. Additionally, Moores will release our Privacy Toolkit for Organisations during Privacy Awareness Week 2026. Our team regularly advises not-for-profits, schools and education providers on privacy compliance, data breach response plans and proactive redesign of processes to implement privacy-by-design.


Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.
