Australia: Office of the Australian Information Commissioner released Privacy guidance on Part 4A (Social Media Minimum Age) of the Online Safety Act 2021

On 10 October 2025, the Office of the Australian Information Commissioner (OAIC) released the Privacy Guidance on Part 4A of the Online Safety Act 2021, addressing the Social Media Minimum Age (SMMA) scheme and its interaction with the Privacy Act 1988 and the Australian Privacy Principles. The guidance applies to providers of age-restricted social media platforms and third-party age assurance providers and sets out obligations under Section 63F of Part 4A, including purpose limitation, destruction of personal information once SMMA purposes are achieved, and restrictions on secondary use or disclosure, which require voluntary, informed, current, specific, and unambiguous consent. The guidance clarifies that information collected or generated for SMMA compliance, including biometric data, templates, documents, and artefacts such as binary “16+ yes/no” tokens, must be destroyed once used, and that destruction extends to caches and transient storage. It highlights obligations to adopt privacy by design, conduct Privacy Impact Assessments, minimise collection and retention, and implement transparent just-in-time notices under APP 5. The guidance outlines requirements for handling existing information, proportionality when using inference methods, safeguards against purpose padding, ring-fencing of outputs, and retention in narrowly defined circumstances such as audits, reviews, fraud prevention, and evidence of compliance.