A Sydney-based data privacy lawyer and IAB Australia have warned marketers not to dismiss Australia’s looming Children’s Online Privacy Code (COPC) as something that only affects brands advertising to kids, arguing it could fundamentally reshape digital marketing for years to come.
The code, which is set to be finalised and registered by 10 December, introduces sweeping new protections for people under 18. Advertisers who get it wrong could face significant penalties of up to $3.3 million.
Among the proposed changes are restrictions on profiling children for personalised advertising, using platforms design to encourage them to hand over personal information or make impulsive purchases, and using a child’s personal information for direct marketing without verifiable consent.
However, according to speakers at IAB Australia’s Data & Privacy Summit in Sydney, the real impact will stretch far beyond child-focused brands.
“Children grow up, don’t they?” data and technology lawyer Tanvi Mehta Krensel told the crowd. “Whatever standards today’s children grow up with, as set under this code, will, like it or not, influence their expectations of privacy as adults.”
“I do think the fact that we have a code that’s developed far beyond the Privacy Act is important, because even if your brand is not dealing with children now, it may still influence your relationships with customers and your audience in the future.”
IAB Australia CEO Gai Le Roy agreed, urging advertisers to not to think of the reforms as a niche compliance issue.
“Even if you’re not dealing with children now, kids grow up,” Le Roy said. “The standards they’re raised with will influence their sense of privacy as adults. Everyone is a child to some extent.”
While the code is aimed at protecting children online, many of the concerns raised by IAB centre on how difficult it may be to separate children from adults in practice.
IAB Australia has lodged a detailed submission to the Office of the Australian Information Commissioner (OAIC), warning that the draft code, in its current form, risks extending children’s privacy standards across the broader digital economy.
“The OAIC’s stated preference that entities apply the Code to all users — treating every user as a child — would effectively impose the COPC obligations on the entire digital economy, going far beyond the Code’s stated purpose,” the submission reads.
The industry body argues that many businesses simply won’t know whether they’re “likely to be accessed by children” — the threshold that determines whether the code applies.
Without clearer guidance, the IAB warned organisations could be left with two choices: implement age assurance measures to determine every user’s age or apply the children’s code to everyone.
“The practical effect would be to extend the COPC obligations to all users,” the submission argued.
For advertisers, publishers and media owners, that could have significant commercial consequences.
The draft code introduces a “strictly necessary” test for collecting personal information by default — a higher threshold than the existing “reasonably necessary” standard under the Privacy Act.
According to IAB, that shift could effectively prohibit many forms of personalised advertising for services that choose to treat all users as children, threatening advertising-funded business models while also limiting the ability to deliver age-appropriate advertising to younger audiences.
The organisation is also concerned the draft code expands concepts beyond the Privacy Act itself, including interpreting direct marketing broadly enough to capture targeted advertising.
Speaking during the summit, Krensel said businesses should already be reviewing how they collect, retain and use customer data, regardless of whether the code changes before it is finalised.
“I think data minimisation and data deletion is a thread that is flowing fairly consistently through things that are coming from government and the regulator,” she said.
“If you’re not minimising the data you collect, if you’re not deleting it when the purpose you collected it for has ended, there is a risk that will not be considered reasonable.”
She warned marketers against focusing solely on whether they had technically obtained consent.
“I’d be thinking about what I would say to a regulator if that marketing practice was called into question,” she said. “I wouldn’t necessarily just be focusing on whether consent is made out.”
Krensel also highlighted that privacy regulation is increasingly becoming “principles-based,” meaning businesses cannot assume practices that were acceptable a year ago will continue to be acceptable.
“Just because you did something last year and it was okay, will not mean it’s okay to do it this year.”
The proposed code also introduces new obligations around children’s direct marketing.
“If you want to conduct direct marketing, it needs to be in a child’s best interests,” Krensel said. “The information that you use needs to be collected directly from a child, and you need to have either their or, depending on their age, a parent or carer’s consent to conduct that direct marketing.”
“It’s not quite a prohibition, but there’s a lot of hoops to jump through there.”
Le Roy acknowledged the industry’s desire to comply with stronger protections for children but questioned whether some elements of the draft are workable in practice.
“I think probably the biggest threshold issue is who it applies to,” she said, pointing to uncertainty around what constitutes a service “likely to be accessed by children”.
The concern, she said, is that businesses may end up collecting more personal information simply to determine a user’s age — the opposite outcome of what the privacy reforms are trying to achieve.
In its submission, IAB is calling on the OAIC to clarify that businesses should not be expected to treat every user as a child by default, replace the draft “strictly necessary” standard with the existing “reasonably necessary” threshold under the Privacy Act, adopt a more proportionate approach to age assurance and delay enforcement for up to two years after the code is finalised.
