Australian privacy law: is it protecting our children when online?

Using websites and playing apps online is very popular with Australian children.
But, is their privacy protected when they are doing this? The short answer is NO.

For concise information on this and other important questions, read on.
For more detailed information, click here.

Is protecting children's privacy all that important?

YES, it is!

In the short term, apps can gather children's data and use it to identify and locate them; can build children's profiles by tracking their likes and dislikes so as to keep them attached and sell them things; and can expose them to personal harm through cyberbullying and social grooming.

In the long term, data collected over childhood and adolescence can be used against them in adulthood, for example when seeking placement in a desired course of study or selection for a “dream” job.

How is Australian law failing children now?

  • Federal law does not actually incorporate any special right to privacy for children.
  • It's not preventing present practices such as tracking by apps.
  • It's allowing app distributors to ask children under 15 to give out their personal information.
  • It's not giving children the right to access their collected data, and to erase it.

Right now, no one but you is protecting your children's privacy when using websites or online apps.

So what can you do?

  • as a parent or carer, and
  • as a citizen who wants to see the law improved

As a parent or carer:

  • Do I understand that websites and apps can be designed to keep users engaged for as long as possible for the key purpose of selling to them?
  • Do I understand that my child could be exposed to harm from bullies, marketers and sexual groomers / predators?
  • Am I aware of the minimum age rules for popular social media sites?
  • How do I manage my child wanting to access sites that are not designed specifically for children?
  • Do I understand both the immediate danger and the long term implications of my child developing a "digital footprint"?

  • It warns children not to use their real names when setting up an account.
  • It collects only the personal information relevant to the functioning of the website or app.
  • It only asks permission to use devices (such as camera or mic) necessary for the app to function.
  • The data collected to verify the user’s age is restricted to the month and year of birth (not the child's exact date of birth).
  • It has effective age verification and gating to bar younger children’s access ie the child cannot access the site after giving an age that is below the age limit for that site.
  • It provides pre-created avatars for navigating the site, so that children do not use personal information to create avatars.
  • It has a chat function that only allows users to select words and phrases from a pre-approved list, so that children do not type freely and inadvertently disclose personal information.
  • It has a privacy policy written in plain, age-appropriate language, or delivers its messages in other ways that are child-friendly and easily understood.
  • Your child is not redirected to another website via advertisements.
  • There is an accessible way of deleting your child’s account information.
  • The website or app encourages parental involvement.

As an informed citizen who wants improved privacy laws for children:

The Commonwealth Privacy Act 1988 provides protection for a range of personal information based on 13 principles (the Australian Privacy Principles, or APPs ). These govern the collection, storage, use and disclosure of personal information, as well as providing individuals with certain rights to access their personal information and correct errors. If you can establish a breach of an APP in relation to your information, you might get an apology and/or compensation and/or an amendment to the record. Some information is considered especially sensitive, but this doesn’t include children’s information as such. Generally, there is no special provision for the protection for children’s information.

There are three government agencies with responsibility connected to the protection of privacy:

  • The Office of the Australian Information Commissioner (OAIC) acts on complaints about breaches of the APPs, and has some proactive enforcement powers, for example to investigate practices that might breach the Privacy Act and to apply to the Federal Court for a civil penalty order. However, there is no requirement that it use those powers specifically for children, and little evidence of it having done so at the time of writing. It has plans to develop a code of practice for digital platforms, which should strengthen protections for children, but its 2019-2020 Annual Report states that this has been delayed due to the COVID-19 pandemic (see page 34).
  • The Australian Competition and Consumer Commission (ACCC) administers rules about things like misleading and deceptive conduct which sometimes overlap with privacy. When this happens, for example recently when a tech company was found to have misled consumers about the personal location data that it collects, holds and uses, the ACCC can be very effective. However privacy is not its primary focus, and not all privacy issues come within its power.
  • The Office of the eSafety Commissioner publishes information and advice on issues where privacy, security and safety interconnect, but has no power in law to protect privacy.

While currently there are ongoing law reform activities relevant to children's interaction with online commercial entertainment media [see What can I do to influence decision makers to improve Australia's privacy protection laws section below] at this point in time, it is a fact that Australian privacy law does not cater to the special needs of children who use websites and online apps.

It is reasonable to expect that . . .

  • Australian privacy law includes particular obligations to prevent breaches relating to children’s information (particularly for the purposes of marketing and profiling), rather than only to react when a complaint is made.
  • all aspects of children’s privacy are protected until they are able to give informed consent, which is 15 years of age for most;
  • all information, communication and agreements for websites and apps popular with children are written in clear and plain language that can be easily understood by a child of the age that is likely to use the website or app;
  • individuals have the right to have their data erased even if they gave consent as a child; and
  • there are specific laws that address cyberbullying, doxxing and grooming.

You can . . .

  • share your expectations on changes needed to protect children's privacy by talking with family, friends and colleagues at every opportunity;
  • join and support organisations that are advocating for changes to the law, such as the Australian Council on Children and the Media (ACCM);
  • sign up for ACCM's free e-bulletin for information on upcoming legislative reviews, opportunities for community input, etc;
  • discuss these issues with your federal member of parliament at every opportunity, for example when they hold street-corner meetings or attend events at your children’s school.
  • send your MP a letter – see attached proforma example. [link to proforma letter]

For more information and resources: