
OAIC weighs in on privacy aspects of Social Media Minimum Age regime

This page was created programmatically; to read the article in its original location, go to the link below:
https://www.allens.com.au/insights-news/insights/2025/10/oaic-weighs-in-on-privacy-aspects-of-social-media-minimum-age-regime/






Key themes and actions for platform providers and their technology partners






From 10 December 2025, age-restricted social media platforms must take ‘reasonable steps’ to prevent users under the age of 16 from having accounts. Although the social media minimum age (SMMA) regime sits within the Online Safety Act and will be primarily enforced by the eSafety Commissioner (eSafety), the Office of the Australian Information Commissioner (OAIC) will play a critical role in regulating privacy compliance.

In this Insight, we explore key themes from the OAIC’s recent guidance and outline action items for platform providers and their technology partners preparing for the new regime.






Key takeaways

  • Interplay between privacy and online safety laws: compliance will require ensuring that age assurance methods are effective but also minimise intrusion into user privacy. Both eSafety and the OAIC will play an enforcement role. Although the OAIC’s guidance is not binding, it is a strong indication of how the OAIC will seek to enforce the privacy compliance aspects of the SMMA regime.1
  • Privacy by design approach: platform providers must embed privacy considerations, including by conducting privacy impact assessments when selecting age assurance methods.
  • Data minimisation is key: data collection must be limited to what is necessary for SMMA compliance. Entities are encouraged to use pre-existing data or low-intrusion methods wherever possible.
  • High-risk practices require caution: more intrusive methods such as biometric analysis should be used only when absolutely necessary and be accompanied by robust safeguards.
  • Consent for secondary uses: unambiguous consent is required for any secondary use or disclosure of personal information collected for SMMA compliance purposes.
  • Destruction obligations go beyond Australian Privacy Principles (APPs): Personal information collected specifically for SMMA compliance (inputs) must be destroyed immediately after use. Retention of outputs (such as 16+ yes/no tokens) must be short-lived and this data must be ring-fenced.
  • Using pre-existing data: the use of pre-existing user data for SMMA purposes is subject to the APPs. Any new record generated from pre-existing data will be subject to the specific purpose limitation and destruction requirements of the SMMA regime (which apply alongside the APPs).
  • Continuous improvement required: age assurance measures should evolve proactively alongside changes in platform features and user behaviour.


Actions you can take now


The SMMA regime explained

Overview of relevant legislation, rules and guidance.

SMMA regime to commence 10 December 2025

The SMMA regime will come into effect on 10 December, requiring social media platform providers to take ‘reasonable steps’ to prevent Australians under the age of 16 (age-restricted users) from having accounts on their platforms. This follows amendments to the Online Safety Act in late 2024 introducing the SMMA framework under Part 4A.

The Online Safety Act does not prescribe specific methods for how to ensure users meet minimum age requirements. Rather, platform providers must implement ‘reasonable steps’ tailored to their context.3 eSafety’s guidance sets out baseline expectations around reliability, accuracy, robustness and effectiveness in using age assurance to assess user age. These expectations mirror the findings of the community consultation on the implementation of the SMMA regime conducted by eSafety and the Age Assurance Technology Trial, which we explore in our Insight.

This ‘reasonable steps’ requirement applies to both existing accounts and new accounts. This means platform providers will need to determine whether existing accounts on their platforms are held by age-restricted users and deactivate or remove those accounts, as well as prevent age-restricted users from creating new accounts.

Who does the regime apply to?

The SMMA requirement applies to providers of ‘age-restricted social media platforms’ (platform providers), which are defined as services that meet the following conditions:

  • the sole purpose, or a significant purpose, of the service is to enable online social interaction between two or more end-users;
  • the service allows end-users to link to, or interact with, some or all of the other end-users; and
  • the service allows end-users to post material on the service.

This definition is broad and will encompass most social media platforms.

The Online Safety (Age-Restricted Social Media Platforms) Rules 2025 issued under the Online Safety Act specify the types of online services that are not covered by the SMMA. These are services with the sole or primary purpose of:

  • messaging, email, voice calling or video calling (eg WhatsApp)
  • online gaming
  • allowing end-users to share information about products or services (eg reviews, technical support or advice)
  • professional networking and professional development (eg LinkedIn)
  • supporting education and health or facilitating associated communications.

eSafety guidance on ‘reasonable steps’

In September 2025, eSafety issued guidance on the ‘reasonable steps’ platform providers are expected to take to prevent age-restricted users from having online accounts. This involves, at a minimum, assessing user age via ‘age assurance’ mechanisms—defined broadly as processes used to verify or infer age. Age assurance may be undertaken by platform providers themselves or outsourced to contracted vendors—which are referred to as third-party age assurance providers.

The guidance also sets out eSafety’s principles-based approach to the SMMA restrictions, emphasising that:

  • when considering whether a platform provider has taken reasonable steps, eSafety will use a holistic approach and will not evaluate measures in isolation;
  • the SMMA rules do not prescribe specific types of age assurance methods or suggest a minimum accuracy level for these methods. Instead, the guidance provides an overview of different age assurance methods to assist platform providers in determining what is technically feasible and practicably implementable; and
  • platform providers do not need to use methods or vendors that were involved in the Age Assurance Technology Trial and can use internal methods or rely on external vendors (but are expected to conduct appropriate due diligence on external vendors).

The guidance also provides guardrails to assist platform providers in developing their compliance measures, clarifying what is strictly not prescribed under the SMMA rules and what measures will not be considered reasonable steps. Some key examples of these guardrails are below.

Platform providers should:

  • create pathways for potential underage accounts to be reported;
  • prevent re-registration or circumvention for accounts which have been removed or deactivated; and
  • provide review mechanisms for users who may have been incorrectly flagged in age assurance.

Platform providers should not:

  • verify the age of all users on the platform;
  • rely on singular, rather than multiple, age-related indicators to infer age; or
  • use government ID as the sole method for age assurance.


Privacy and the SMMA regime

Recent OAIC guidance

On 9 October 2025, the OAIC released guidance setting out its expectations regarding privacy compliance for both platform providers and third-party age assurance providers handling personal information for age assurance purposes in the SMMA context. The OAIC guidance sheds light on how these entities should comply with their obligations under the Privacy Act 1988 (Cth) (Privacy Act) when taking the ‘reasonable steps’ required for SMMA compliance purposes under the Online Safety Act.

Together, the guidance issued by both eSafety and the OAIC reflects a regulatory approach that attempts to strike a balance between protecting young people from harms associated with social media use, while emphasising privacy and proportionality.

The relationship between the Privacy Act and the Online Safety Act

Part 4A of the Online Safety Act operates alongside the Privacy Act, introducing stricter obligations on platform providers and third-party age assurance providers when handling personal information for SMMA compliance purposes.

This means the regulators for the Online Safety Act and the Privacy Act—eSafety and the OAIC respectively—play different, but complementary, enforcement roles in the SMMA context.

Part 4A of the Online Safety Act (s63F) imposes the following data-handling requirements on platform providers and third-party age assurance providers—these apply in addition to the Privacy Act more generally:

Failure to comply with the Part 4A privacy obligations is an interference with the privacy of an individual for the purposes of the Privacy Act. This means:

  • non-compliance with these obligations is within the remit of the enforcement powers of the Information Commissioner under the Privacy Act; and
  • individuals are entitled to complain to the Commissioner about alleged contraventions of these obligations.

Steps to comply with SMMA obligations will also not be ‘reasonable’ unless an entity also complies with its Privacy Act obligations. eSafety is responsible for enforcing the ‘reasonable steps’ obligation under the Online Safety Act.

The OAIC’s guidance complements eSafety’s guidance by outlining how it expects entities to align their privacy practices with these technical measures. The guidance categorises personal information used for SMMA purposes into three types:

  • Inputs: uploaded documents or selfies provided by users for age assurance purposes.
  • Outputs: the result of the age assurance process—eg a binary yes/no token confirming whether a user is over 16.
  • Existing data: metadata or other pre-existing information used to infer age.

Each category requires strict controls on collection, use, disclosure, storage and destruction.


OAIC’s key themes

Privacy by design and continuous improvement

The OAIC encourages a privacy by design approach when selecting age assurance methods, emphasising the importance of privacy impact assessments. The OAIC is clear that compliance with the SMMA regime may increase data breach risk—data security should be the priority, particularly when handling sensitive information in the form of biometric data. The OAIC states that entities should build and maintain their age assurance practices so that quality (APP 10) and security and retention limitations (APP 11) are enforced by design.

In addition, the OAIC reiterates eSafety’s guidance that the measures taken by platform providers to comply with the SMMA regime should not be static—providers should ‘proactively monitor and respond to changes in their platforms’ features, functions and end-user practices’. eSafety also expects platforms to take proactive steps to detect accounts held by age-restricted users on an ongoing basis.

Data minimisation

The OAIC is clear that platform providers and third-party age assurance providers must limit their collection to what is actually necessary for compliance with the SMMA regime. Otherwise, entities risk breaching the APP 3 requirement that collection is ‘reasonably necessary’ for their functions or activities. The OAIC acknowledges that assessing what data is ‘necessary’ in the circumstances involves weighing competing interests but emphasises data minimisation as key. The OAIC recommends, for example, that entities:

  • use pre-existing data for age assurance where possible (rather than collecting new data) (see Using existing data for SMMA purposes);
  • collect only binary outcomes—like yes/no tokens—rather than date of birth or exact age;
  • if scanning documents, analyse the date of birth only and redact/avoid other fields;
  • use tech solutions that temporarily process personal information inputs and do not retain them (noting however that even transient storage will constitute a collection of personal information under the Privacy Act);
  • strictly adhere to data destruction requirements (see Information destruction – ‘destruction-on-decision’); and
  • when choosing or offering an age assurance method (or combination of methods), consider layered or ‘waterfall’ approaches that start with low-intrusion methods (such as using non-sensitive, pre-existing data) and escalate to more intrusive methods (such as requiring a government-issued ID, accredited digital ID upload or use of biometrics) only if necessary.

Purpose limitation: unambiguous consent for secondary uses

Part 4A of the Online Safety Act provides that personal information collected for age assurance cannot be repurposed (ie used or disclosed for secondary purposes) without unambiguous consent (outside standard APP 6 exceptions, such as where use or disclosure is required for law enforcement).

The Guidance gives the example of a platform provider allowing a user to consent to the platform provider sharing an output (eg a 16+ token) with a third party to allow the user to sign up to that third party’s service. The OAIC is clear that consent to any secondary uses or disclosures cannot be achieved via pre-selected settings or an opt-out approach—a separate, dedicated consent flow is required. Further, the OAIC’s view is that unambiguous consent requires the user to have the ability to withdraw consent—in the example given, this would require both parties to delete the token from their systems upon the withdrawal of consent.

Information destruction: ‘destruction-on-decision’

Part 4A of the Online Safety Act requires platform providers and third-party age assurance providers to destroy personal information collected for SMMA purposes after handling it for that purpose. This is a far stricter obligation than APP 11.2, which allows for:

  • possible retention if there are other potential business use cases for the data; and
  • de-identification as an alternative to destruction.

In particular, the OAIC has stressed that inputs (such as document images, OCR text, selfies, liveness videos or other biometric information or templates used for a point-in-time age check) must be destroyed immediately following the age assurance check, including caches and storage—the OAIC sees inputs as highest risk. Outputs or ‘decision artefacts’ (such as binary outcomes 16+ yes/no, timestamps and tokens) are seen as lower risk—these can be retained temporarily but only within ring-fenced environments for limited operational needs, and provided the entity is transparent about the directly related purposes arising from the age check that involve retention for a longer period. The OAIC gives three examples of such directly related purposes:

  • audit logging and evidence of compliance: to show a check has occurred, the result, how it was performed and when;
  • troubleshooting, fraud and circumvention: to investigate errors, suspected spoofing and re-registration attempts; and
  • complaints and reviews: to respond to user/parent challenges to the age check or its outcome (like complaint handling, troubleshooting or fraud detection).

The OAIC strongly suggests that entities create a ring-fenced SMMA environment to comply with these destruction requirements and block advertising, analytics and machine-learning pipelines from the environment. Appropriate time-based retention periods should be applied in respect of each category, with information being destroyed once the time period for the last permitted purpose has expired.

The Guidance also confirms that this immediate destruction requirement does not apply to existing data already held by an entity just because that data is used for an SMMA-compliance purpose (eg where a platform provider uses existing data it already holds about a user to determine whether they are under 16 years). Such data must continue to be used, disclosed and destroyed (or de-identified) in accordance with the APPs more generally.

Biometrics

As noted above, the OAIC is clear that inputs (such as document images and selfies or other biometric information) must be destroyed immediately. The OAIC provides the following additional guidance on biometric information and templates more specifically.

  • Biometric data should not be first port of call: to minimise privacy impacts on individuals, less sensitive information should be handled over more sensitive information such as age analysis performed on photos or videos or audio analysis on voice.
  • Be cautious about reusing biometric information: the OAIC says entities should be ‘cautious’ about using existing biometric information for SMMA purposes—in our view it is highly likely that entities would need to seek additional, explicit consent to reuse existing biometric information.
  • No watchlists: the OAIC warns against indefinite retention or building watchlists based on biometric identifiers—checks should be event-based and point-in-time, and long-lived behavioural profiles should not be built.

Using existing data for SMMA purposes

As part of preventing users under 16 from having accounts, age-restricted platform providers must assess existing accounts and take steps to de-register users under 16.

The OAIC makes the following key comments regarding using existing data for age assurance purposes.

  • No one-size-fits-all approach: the OAIC reiterates eSafety’s guidance that although there is no one-size-fits-all approach, it may be possible for platform providers to confirm with a high level of confidence that certain users are 16+ based on pre-existing information such as account tenure or creation date (eg if an account has been held for 12 years, and the user consistently signs in with an AU IP address, it may be reasonable to infer the user is an Australian user over 16).
  • Use metadata / system data over behavioural and content data: the use of non-sensitive, non-content indicators such as metadata and system data is preferable to using behavioural and content data (such as a user’s posts, content engagement, behavioural patterns and voice analysis).
  • Consider APP compliance: the APPs continue to apply to any use of existing personal information for SMMA purposes. Platform providers will, for example, need to satisfy themselves of compliance with APP 6 (eg that the user has consented or the use would be reasonably expected by the user and related to the primary purpose of collection) and APP 10 (that reasonable steps have been taken to ensure the data is accurate, up-to-date and complete).
  • Any newly-generated records are subject to section 63F: where a new record (such as a 16+ yes/no token) is created from existing data, that new record is subject to section 63F—ie it may not be used for other purposes (see section Purpose limitation – unambiguous consent for secondary uses) and it must be promptly destroyed (see section Information destruction – ‘destruction-on-decision’).








