Australia’s privacy watchdog has issued detailed guidance for social media platforms subject to the Social media Minimum Age (SMMA) scheme and for third-party age assurance providers, ahead of the regime taking effect on 10 December.
“Today we’re putting age-restricted social media platforms on notice,” Ms Kind said. “The OAIC is here to guard and uplift the privacy protections of all Australians by ensuring that the age assurance methods used by age-restricted social media platforms and age assurance providers are lawful.”
The Office of the Australian Information Commissioner (OAIC), which co-regulates the SMMA with eSafety, said its guidance sets clear guardrails on how personal information can be handled for age checks. It follows eSafety’s publication last month of regulatory guidance outlining what ‘reasonable steps’ platforms must take to prevent age-restricted users from holding accounts.
“The OAIC is committed to ensuring the successful rollout of the SMMA regime by robustly applying and regulating the privacy rules contained in the legislation, in order to reassure the Australian community that their privacy is protected,” said Privacy Commissioner Carly Kind.
The privacy guidance tells platforms and age assurance providers to ensure any age-checking method is necessary and proportionate, with privacy impacts assessed up front. It emphasises data minimisation, including limiting the use of sensitive information; clear transparency at the points where personal information is handled; and destroying personal information collected specifically for SMMA once the purpose has been met. Where pre-existing personal information is later used for SMMA purposes, it does not need to be deleted if it is still required for the original, ongoing purpose. Any secondary use of personal information gathered for SMMA must be strictly optional, based on unambiguous consent and easy to withdraw. The OAIC also stresses the SMMA privacy obligations operate alongside the Privacy Act 1988 and the Australian Privacy Principles.
“eSafety has provided the rules of the game with their ‘reasonable steps.’ Now the OAIC is setting out what is out-of-bounds when it comes to the handling of personal information for age assurance in the social media minimum age context.
“Together, eSafety and the OAIC’s regulatory guidance outlines the field of play for age-restricted social media platforms and third-party age assurance providers.
“SMMA is not a blank cheque to use personal or sensitive information in all circumstances; we’ll be actively monitoring platforms to ensure they stay within the bounds by deploying age assurance proportionately and lawfully.”
The regulator warned that breaching these safeguards could amount to an unlawful intrusion on privacy and attract enforcement action. It plans further materials to help Australians understand what personal information may be processed for age checks, along with education resources for children and families.
More information and the full guidance are available at: www.oaic.gov.au/privacy/privacy-legislation/related-legislation/social-media-minimum-age
Background: The OAIC oversees compliance and enforcement of the privacy provisions in Section 63F of Part 4A of the Online Safety Act 2021, operating in tandem with the Privacy Act 1988, while eSafety regulates other aspects of the SMMA scheme.
