OAIC publishes privacy guidance on Part 4A (social media minimum age) of the Online Safety Act

Published Date: Oct 28 2025

On October 10 2025, the Office of the Australian Information Commissioner (the OAIC) published regulatory guidance (the Guidance) for age-restricted social media platforms and age assurance providers on compliance with Part 4A of the Online Safety Act 2021 (Part 4A) and privacy requirements.

Part 4A comes into force on 10 December 2025 and introduces the social media minimum age scheme (the SMMA). Part 4A applies to providers of an age-restricted social media platform, defined in Part 4A to include, at a high level, certain electronic services, the sole or significant purpose of which is to enable online social interaction, allowing an individual to connect to other users and post material on the service. A provider of an age-restricted social media platform must take reasonable steps to prevent age-restricted users (i.e. those under the age of 16) from holding accounts with the platform, for example by implementing some form of age assurance process to identify whether the individual is under the age of 16. 

The Guidance explains the interaction between Part 4A and privacy law, recognising that age assurance may require the handling of personal information. It notes that whilst the Privacy Act 1988 and the Australian Privacy Principles continue to apply in parallel, Part 4A introduces additional, more stringent obligations regarding the handling of personal information for the purposes of complying with the SMMA requirements. For example, the Guidance emphasises the strict purpose limitation under Part 4A s63F(1) and information destruction requirements under s63F(3).

Key considerations

The Guidance calls out certain key considerations regarding privacy in the context of the SMMA. Amongst other things, it highlights the need to take a privacy by design approach to age assurance methods. It also articulates the advantages of privacy impact assessments and addresses transparency requirements. The Guidance identifies the importance of the necessity and proportionality principles when considering or offering age assurance methods. It encourages age-restricted social media platforms to only use more intrusive approaches to the handling of personal information when necessary. The Guidance acknowledges that age assurance methods may involve the handling of sensitive information such as biometric templates, behavioural signals and formal identification documents. Steps should be taken to minimise the use of both personal information and sensitive information, and when that information is no longer required for the relevant purpose, it should be destroyed.

The s63F requirements of Part 4A (purpose limitation and information destruction) apply to personal information collected for the purpose of preventing access to an age-restricted social media platform. However, the Guidance recognises that some age assurance processes may rely on existing personal information, originally collected for an alternative purpose. In that case, the Guidance clarifies that s63F destruction obligations do not apply to the extent the personal information remains in use for the original purpose. The Guidance also recalls the need to establish a basis for the secondary use of personal information for age assurance purposes and identifies the importance of a well-designed consent request in that context.

More detail

Detailed sections of the Guidance include practical examples, privacy considerations and good practice case studies regarding, amongst others, the collection of personal information, its destruction and the approach to secondary use or disclosure of personal information in the context of Part 4A. 

For example, with regard to the collection of personal information, the Guidance recalls that the Australian Privacy Principle, APP 3.4(a), permits collection and handling of personal information to the extent required or authorised by law. In the SMMA context, if Part 4A requires age-restricted social media platforms to prevent those under the age of 16 from holding accounts with the platform, APP 3.4(a) may permit the collection and handling of personal information as is necessary and proportionate to meet that requirement. Where APP 3.4(a) is not engaged, the Guidance highlights that Australian Privacy Principles 3.2 and 3.3 still apply and indicates that, in practice, these limit what personal information may be collected to those steps that would fulfil a platform’s obligation to comply with Part 4A. The Guidance also sets out certain practical considerations regarding collection. For example, the Guidance recommends that personal data collection is minimised by collecting binary information (under 16/16+) rather than detailed age or non-age related information. The Guidance encourages temporary processing (where personal information input is not retained), and where existing personal information is repurposed for use in relation to Part 4A, the basis for such processing should be well documented. 

Where existing personal information is used to infer a user’s age, the Guidance clarifies that, consistent with the comments on secondary use above, the original personal information is not subject to the s63F requirements of Part 4A (purpose limitation and information destruction). However, the Guidance does note that any personal information generated as a result of that inference process (e.g. a binary under 16/16+ flag) will be caught by s63F obligations. In relation to the use of inference, the Guidance provides further practical considerations when determining whether the approach is proportionate. For example, how sensitive is the personal information, what volume of personal information is required and for how long must it be retained to enable the age to be inferred, is the processing necessary to achieve the requirements of the SMMA and would the individual reasonably expect their personal information to be repurposed in this way?

Further detailed guidance is provided regarding the s63F Part 4A obligation to destroy personal information collected for the purposes of the SMMA requirements. The Guidance notes that the Part 4A obligation to destroy the personal information is stricter than the more general retention of personal information principle under APP 11.2. Specifically, under Part 4A there is no ability to rely on de-identification instead of personal information destruction. There is also no scope to retain the personal information just because there is another potential business use case. As noted in the context of personal information collection, the s63F destruction requirements do not apply to existing personal data re-purposed to comply with SMMA requirements. However, any new artefact created as part of the age assurance process would be subject to the more stringent destruction requirements. The Guidance identifies practical considerations to address the different risk profiles of age assurance input data (such as biometric information) and output data (such as a binary under 16/16+). The Guidance also suggests ring-fencing age assurance outputs for ease of compliance management, calls out the need to manage retention carefully when the personal information is collected for multiple purposes and discusses limited scenarios where minimal personal information may be retained on a time-limited basis for specific, tightly-controlled, reasons (e.g. audit logging and complaints management).

The Guidance considers the secondary use of personal information collected for SMMA as well as the disclosure of output information. Under Part 4A, such secondary use or disclosure is only permitted on the basis of unambiguous consent or in certain other exceptional circumstances (as articulated in APP 6.2). With regard to unambiguous consent, the Guidance clarifies that this consent cannot be obtained through pre-selected settings or opt-out mechanisms. Rather, it must be optional, designed for all users to understand, and relate to a limited scope of personal data (i.e. only the binary under 16/16+ flag).

In the overview to the Guidance, amongst other things, the Guidance states that where there is uncertainty as to the nature of information, caution is encouraged. The Guidance suggests treating that information as personal or sensitive information, in accordance with Part 4A and Privacy Act requirements.

The OAIC recommends reading the Guidance alongside other OAIC guidance and eSafety’s regulatory guidance on reasonable steps platforms can take to comply with their safety obligations.

The Guidance is available here, and the press release is available here.
