Our response builds upon last summer’s detailed submission, which first addressed the development of a Code.
The Draft Code reflects a number of the positions raised in our earlier submission, and we commended the OAIC for its responsiveness on issues related to the best interests of the child, age-appropriate transparency, and children’s autonomy.
Notwithstanding these measures, our latest response emphasized the need for additional clarity and further refinement on a number of issues, including the following:
- The ‘best interests of the child’ should serve as an overarching guiding principle. As drafted, the Code applies the standard to discrete data processing activities. CIPL sought the adoption of a more flexible, principles-based approach, as under the UK AADC.
- The Code should apply where the likelihood of access by children is significant. CIPL stressed the need to introduce a ‘significance’ qualifier so that the Code will apply only where children’s access is more than minimal and where processing presents a meaningful risk to their rights.
- The Code introduces a new “concerned with the activities of children” threshold. In addition to services likely to be accessed by children, the Draft Code purports to apply to services that are ‘primarily concerned with the activities of children.’ CIPL argued that this undefined term could include services (e.g., websites discouraging underage drinking) that do not process the personal information of children or pose any privacy risk to children.
- The Code fails to adopt a risk-based and outcomes-focused approach. Generally speaking, obligations appear to apply at the entity level, without an initial assessment of the type of service, the risks presented, and the mitigation measures in place.
- The Code’s consent architecture is highly prescriptive. CIPL recommended that the consent provisions be redrafted to focus on outcomes and to provide non-prescriptive guidance on how those outcomes may be achieved across different service types and user interfaces.
Download the Response
Download NowMore like this
May 2026
CIPL’s response to the UK Department for Science, Innovation and Technology (DSIT)’s Consultation on ‘Growing up in the online world: a national conversation’
Find out more
December 2025
CIPL Response to the European Commission and the European Data Protection Board Public Consultation on the Draft Joint Guidelines on the Interplay between the GDPR and the DMA
Find out more
December 2025
CIPL Response to the Notice of Proposed Rulemaking from New York’s Office of the Attorney General Regarding the Stop Addictive Feeds for Kids Act
Find out more
November 2025
A Multi-Stakeholder Dialogue on Age Assurance: Considerations Towards an Interoperable Age Assurance Framework
Find out more
November 2025
Proposal for a Wallet/Credential Manager Framework for Age Assurance Solutions
Find out more
October 2025
CIPL Response to the EDPB Draft Guidelines on the Interplay Between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR)
Find out more
October 2025
CIPL In Focus: Children – Beyond Children’s Privacy – A Candid Look at Best Practices for Child Safety and Wellbeing
Find out more
October 2025
