By -

Age-restricted social media platforms have been put "on notice" by the Australian Privacy Commissioner, Carly Kind, with the release of stringent new regulatory guidance on how they must handle personal information for age assurance under the upcoming Social Media Minimum Age (SMMA) scheme.

The guidance, published by the Office of the Australian Information Commissioner (OAIC) today, sets out the privacy obligations for platforms and third-party age assurance providers ahead of the SMMA scheme taking effect on 10 December. The new regime, which aims to prevent Australians under 16 from holding accounts, is jointly regulated by the OAIC and the eSafety Commissioner.

“Today we’re putting age-restricted social media platforms on notice,” Kind said. “The OAIC is here to guard and uplift the privacy protections of all Australians by ensuring that the age assurance methods used by age-restricted social media platforms and age assurance providers are lawful.”

While the eSafety Commissioner previously released guidance on the “reasonable steps” platforms must take to prevent underage users, the OAIC’s new guidance focuses squarely on the handling of personal information—emphasising that the SMMA legislation is “not a blank cheque to use personal or sensitive information in all circumstances.”

Age-restricted social media platforms and age assurance providers must adhere to five critical privacy rules under the new guidance. Platforms must ensure their age assurance methods are necessary and proportionate, adopt data minimisation by limiting the collection of personal or sensitive information, and destroy that data once the verification purpose is met. Critically, the guidance mandates that further use of this information is strictly optional and requires the user’s “unambiguous” consent. At the same time, it requires platforms to maintain complete transparency regarding data handling in their privacy notices, warning that failure to comply could lead to enforcement action.

“eSafety has provided the rules of the game with their ‘reasonable steps.’ Now the OAIC is setting out what is out-of-bounds when it comes to the handling of personal information for age assurance in the social media minimum age context,” Kind stated.

The OAIC warned that failure to meet these privacy obligations may constitute ‘an interference with the privacy of an individual’ and could trigger enforcement action. The new privacy rules operate alongside the existing Privacy Act 1988 and the Australian Privacy Principles.

The OAIC is preparing further resources to help the public, including children and families, understand what personal information may be handled through age assurance methods as the new regime rolls out.