The Australian Government has introduced the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (OP Bill) to amend the Privacy Act 1988 (Cth) (Privacy Act).

The OP Bill creates a framework to implement and enforce a new Online Privacy Code (OP Code). This forms part of the government’s strategy to strengthen the Privacy Act to empower consumers and drive the economy. The OP Bill also contains expanded enforcement powers, an enforcement regime and increased penalties to empower the Privacy Commissioner to investigate and respond to privacy breaches. We will cover these in a future post.

What is the Online Privacy Code?

The OP Bill grants the OAIC Commissioner the power to register a binding OP Code that will be developed by either the OAIC or industry, subject to the OAIC’s approval. Although the OP Code has not yet been developed, the OP Bill includes minimum requirements for what the OP Code must cover. This includes who is covered by the OP Code and new privacy obligations including obtaining parental consent before collecting children’s data and allowing individuals to request their personal information to not be used or disclosed.

Who is covered by the OP Code?

The OP Code is binding on large online platforms, social media services and data brokers (OP organisations). The definition of large online platforms and social media services is broad, covering a wide range of organisations.

The Explanatory Paper provides examples of social media services including:

  • Social networking platforms
  • Dating applications
  • Online content services
  • Online blogging or forum sites
  • Gaming platforms where users interact
  • Online messaging and videoconferencing platforms

Large online platforms include organisations that collect personal information of users with 2,500,000 Australian users or more. This captures organisations who collect high volumes of personal information online

Although the OP Code was introduced in response to the recommendation by the ACCC’s Digital Platforms Inquiry to create an enforceable privacy code for social media platforms and search engines, the definition of OP Organisations  goes beyond this recommendation.

Privacy Protections under the OP Code

The OP Bill requires the OP Code to include specific provisions relating to handling children’s personal information. This includes a specific requirement for social media organisations to verify a user’s age and obtain parental or guardian consent of a child who is under 16 before collecting, using, or disclosing the child’s personal information. The OP Code will also require social media platforms to prioritise acting in the best interests of children in their approach to handling data. These requirements aim to protect children and will significantly impact how social media companies engage with children and their personal information online.

The OP Code will also require all OP Organisations to have measures in place that allow individuals to request their personal information to not be used or disclosed. This is not a right to be forgotten, as seen in the GDPR, but does give individuals control over when their personal information is used by certain companies. Only requests considered ‘reasonable in the circumstances’ must be complied with and if an organisation is unable to comply with the request, it must provide reasons why. OP Organisations will need to develop new processes to respond to these requests and to be able to separate and remove the data from where it is being used or disclosed.


The Online Privacy Code will have a significant impact on social media platforms, data brokers and large online platforms. Once the OP Code has been drafted Companies covered by the OP Code will need to introduce new changes to how personal information is dealt with in order to comply with the requirements under the OP Code. Although the OP Bill mandates new requirements that must be included in the OP Code, OP organisations are likely to be involved in drafting the detail of those requirements and may be requested by the OAIC to help develop the code.

However, this is a win for consumers who will gain more control over when and how their personal information is used by these organisations. The new protections for children under 16 should help to protect children’s privacy and place the burden back on social media companies to act in the best interest of children when processing and using their data.

To find out more, or to read the Online Privacy Bill Exposure Draft or Explanatory Paper, see here.

If you have any questions about the impact of the Code or new privacy reforms on your business, get in touch with us.


This article was originally published by OneTrust DataGuidance, here.