What are we asking for in a children’s data code?

What are we asking for in a children’s data code?

The code would be a piece of regulation that outlines the key principles governing the lawful collection and use of children and young people’s data.

These principles ensure that data is only collected and used when it is their best interest.

1. Creates the best and safest digital world for children and young people

  • Protect everyone under 18 years olds
  • Cover all services children and young people may use
  • Put children’s best interest at the heart of decision making about their data
  • Put children and young people in control of their data by requiring:
    • Expressed consent – Only process data when children (and parents) have meaningfully consented, except in their best interests*
    • Transparency and accountability – Children (and parents) should know every time their data is processed, except in their best interests*
    • Data minimisation and restricted data sharing – Only collect the data you really need, and don’t share it, except in their best interests*

*Best interests might include things like an emergency situation with ambulance or police, or things that are work for children, like social workers talking to schools

2. Is overseen by a strong and enabled regulator.

  • Enforced by a regulator well resourced to oversee these new responsibilities
  • Can issue meaningful penalties that match the scale of any breach
  • For extreme violations, there could be the option of criminal sanctions

3. Aligns with the Online Safety Bill and Basic Online Safety Expectations.

  • Australia has some world leading legislation around eSafety, takedown and moderation.
  • A code must join up seamlessly with this legislation
  • Takes a systemic focus

“There needs to be more regulations around it than the typical adult because we are more impressionable. We are still children.”

From Reset Australia Profiling Children forAdvertising Report (16 year old)

What requirements would this place on service providers?

Ensure accountability and transparency

Publish T&Cs in plain-speak and enforce them. Have a clear process to ‘make things right’ where things go wrong.

Ensure safety and privacy

High privacy by default. Undertake and publish data protection impact assessments.

Put children and young people in control of their data

Be transparent around data collection and use. Minimise collection and restrict sharing. Make it easy to access, correct and delete data.

Engage with children and young people

Speak to young people to take into account their thoughts about how their data is collected and used.

Respect children and young people as digital citizens

Don’t shut down or downgrade service because it’s ‘too hard’ to meet their needs.

How might this affect some features and products?

Automated decision making

Limited to when it is in children’s best interests, and require human oversight if it is a serious decision


Turned off unless it is essential to a service (like maps) or is in children’s best interests

Commercial marketing and profiling

Restricted unless it’s essential to a service (like a personalised learning app) or is in children’s best interests

Nudging and persuasive design

Limited to when it is in children’s best interests (like a nudge to take a break)

Parental controls

Children should know when these are on and and it should be clear to them what data their parents can see

Age verification

Any tools used to verify age must preserve privacy