We are calling for a Children’s privacy code to:

1. Codify Children’s privacy rights:

Ensure that all processing of children’s data is subject to a ‘best interests’ test, and only occurs where it is in children’s best interests
Require a children’s best interests assessment before data processing¹ — These assessments must include identifications of any potential issue, and include reasonable attempts to mitigate these risks. This ensures that platforms that process children’s data have to pro-actively consider children’s rights, and that data processing would only be lawful where they had considered and acted to protect rights. This would align with a number of other suggestions proposed within the Privacy Act Review. These risk assessments must consider how children’s data is processed by the following systems and how these function in children’s best interests and do not harm via:
- Targeting Systems; e.g.:
  - Recommender systems and algorithms (content, friends etc)
  - Advertising systems
- Privacy-by-design settings
- Training for ‘extended-use’ and ‘engagement’ design
- Use of ‘sensitive’ personal data, e.g.:
  - Geolocation data
  - Health data
  - Data about protected characteristics

Requiring privacy-by-design best practice be implemented for accounts under 18s accounts — such as defaulting them to private when they are opened, and not nudging them towards lower privacy settings
Require data minimisation and restricted data sharing — only strictly necessary data should be processed, and it should not be circulated except where it is in their best interests to collect or share (e.g. medical emergencies)
Require accessible ways for children to request, access, correct and delete their data — and for children under the age of data consent, except where it is in their best interests to retain or refuse data access requests (e.g. medical emergencies)
Require active, expressed consent — data should only be processed where children have meaningfully consented and been informed, and parents for children under the age of data consent, except if it is in their best interests to process data without expressed consent (e.g. medical emergencies or permitted health situations). Consent can not justify data abuse.

¹ These may need to have some sort of size exemption, i.e. only processors who handle X amount of children’s data need to do this.

2. Codify accountability and transparency to child users by:

Children’s Best Interests Assessments must be submitted to the OAIC for review
Requiring T&Cs be published in plain speak, accessible to the youngest users
Requiring T&Cs be enforced. Providers should live up to their T&Cs, and children, parents and advocates should have a right of redress if they do not. This should include a public complaints review facility, which if a child feels they have not received an adequate response to, should have an independent complaints board available
Offering a clear process to ‘make things right’ where things go wrong. Children should be able to exercise their rights easily, and mechanisms should be child-friendly. This should include an independent complaints review facility, which if children, parents and advocates can use if they feel an initial complaint raised with a platform has not been adequately addressed

3. Respect young people’s rights in the Code development and implementation

Apply to all children under 18, and all products and services that they are likely to use.
OAIC must lead the way on drafting the Code, not industry.
Consult with children and young people as the Code is being developed, and in an ongoing fashion with the OAIC as the Code is being implemented. Other advocates, like parents, teachers and child rights advocates should also be consulted.
Ensure that children and young people are respected as digital citizens. This means ensuring that age-appropriate services don’t shut them out, or downgrade their service because it’s ‘too hard’ to meet their rights as described in the Code
Ensure that children and young people are provided with clear accessible information on their rights that underpin the code and the mechanisms that are available through the code (and ideally elsewhere in consumer rights, health consumer rights, and rights to safety, information and education). This should also include details of restrictions and limitations with rationales, such as gambling, pornography etc, and in appropriate circumstances the opportunity for challenge to those restrictions
Ensure the Code is meaningfully implemented and enforced, which will require appropriate resourcing for regulators

Are you an organisation who wants to join the campaign for a Children’s Privacy Code?

Get in Touch

We acknowledge and pay our respects to the Traditional Custodians of the land on which we work and live. Sovereignty was never ceded. We pay our respects to the First Peoples of this country, and Elders past, present and emerging.