Popular search terms
Click each term for related articles
Asia Pacific
Data Protection & Privacy
In the third article in our series on the Attorney-General's Privacy Act Review Report, we continue to outline the effects these changes will have on the Australian people and its businesses
Following on from our previous articles with respect to the Attorney General’s Privacy Act Review Report (Report) (see Article 1 and Article 2) this article addresses the significant proposals of the Report around establishing a new regime for children’s privacy.
Children’s privacy has been a difficult area in Australian privacy law for some time due, in large part, to both (i) a lack of detail in the Privacy Act and APPs themselves and (ii) the pervasiveness of US providers in the digital economy who follow COPPA (the US Children's Online Privacy Protection Act) under which the age a child can consent for privacy purposes is 13 years old. The key proposals of the Report in relation to the privacy of children are:
In addition, the Report also proposes (as part of the direct marketing, targeting and profiling proposals) to prohibit direct marketing to, targeting of and trading in the personal information of a child (with only very limited exceptions).
The Report also recommends that, like COPPA, a ‘children’s online privacy code’ (to be adopted as a mandatory code) be used to create a regime as regards children’s online privacy, enshrining certain minimum legal requirements, including the following:
In addition to simply clarifying current ‘best practice’ when it comes to dealing with children, the Report’s proposals, in effect, seek to create a set of minimum 'rules of the road' (like COPPA) which are a significant uplift (admittedly from a low base) in Australian privacy law requirements relating to children’s privacy, both generally and online. It will mean that all businesses dealing with children (whether as a large proportion of their customer base or incidentally) will need a significant uplift in their procedures, tech controls, policies and approaches to dealing with children, especially on the marketing side if the direct marketing proposals are also approved. However, we suspect the most uplift will be required for businesses who deal with children only occasionally (or incidentally) which, under current law, have tended to be overlooked/not to apply any special requirements for children using their sites or consuming their services (other than noting their site is not suitable for children).
Legislating the default of 15 years old as the age where capacity may be assumed for privacy purposes does assist to confirm current practice but, unfortunately, does not solve the problem that while a privacy consent can be given at that age, no contract (ie the online terms and conditions of use) can be agreed to by and enforced against anybody under 18 years of age in Australia. This is a missed opportunity.
Also, it still means that a significant cohort of children under 15 years of age, online especially, will need to have their privacy capacity assessed (and the proposals provide more obligations in this regard) individually or, as we suspect in practice, default to obtaining parental or guardian approval. Of course, under the proposals, once a child turns 15 then, pursuant to the children’s online privacy code, the business will need to ensure the child has the 'rights' noted above (eg to 'turn off' parental oversight of and access to their online activities). That is, the proposed changes with respect to children’s privacy will have multiple impacts at different times - at the point of onboarding, assuming they are under 15 years of age at the time and, if they are still users, once they turn 15 years of age.
Again, we suggest that businesses should consider these proposals now in order to start thinking about how you will prepare for what we expect will be a short transition period if the proposals become law. Please do not hesitate to reach out if you have any questions on or if we can be of any assistance.
End