More generally however consent must be:

• voluntary;
• specific;
• current; and
• the individual must have capacity to consent.

Consent must either be given expressly (e.g. using an electronic medium or signature) or can be reasonably inferred from the conduct of the individual and the organisation. For the collection, use and disclosure of any sensitive information it is recommended that consent always be express.

There are no specific rules, however, under the Spam Act 2003 (Cth) a business must not send or cause to be sent electronic marketing communications (e.g. SMS or emails) without the consent of the recipient.

Similarly, under the Privacy Act Australian Privacy principle 7, a business must not use personal information for direct marketing unless the individual has consented or would reasonably expect the business to use their information for those purposes.

Consumer protections apply broadly to all Australians. There are some limited exceptions, for example in relation to safety standards for certain children’s products such as toys for children under the age of 3 and regulations around the use of button batteries.

Under Part 4A of the Online Safety Act 2021 (Cth) (OSA), ‘age restricted social media platforms’ (ARSMPs) must take reasonable steps to prevent users under 16 from having accounts which can access their platform or parts of their platform. An ARSMP is defined as:

1. an electronic service that satisfies the following conditions:

a. the sole purpose, or a significant purpose, of the service is to enable online social interaction between 2 or more end-users;

b. the service allows end-users to link to, or interact with, some or all of the other end-users;

c. the service allows end-users to post material on the service; and

d. such other conditions (if any) as are set out in the legislative rules; or

2. an electronic service specified in the legislative rules.

The OSA also excludes certain electronic services from the scope of ARMSPs, namely:

1. services where none of the material on the service is accessible to, or delivered to, one or more end-users in Australia – while not stated, this could in our view be achieved by way of geo-blocking access;

2. where the service is specified in the legislative rules.

The Online Safety (Age-Restricted Social Media Platforms) Rules 2025 clarifies the scope of ARMSPs, and excludes the following services whose sole or primary purpose is to:

· enable communication by means of messaging, email, voice or video calling;

· enable users to play online games with other users ;

· allow users to share information about products or services, such as reviews, technical support or advice;

· allow users to engage in professional networking or development;

· support the education of users; and

· support the health of users.

It also excludes services that have a significant purpose of facilitating communication between:

- educational institutions and students or students’ families; and

- providers of health care and people using those providers’ services.

On 16 September 2025, the eSafety Commissioner issued the Social Media Minimum Age Regulatory Guidance which provides guidance on what constitutes “reasonable steps” to prevent users under the age of 16 from having accounts.

In addition, on 9 October 2025, the Office of the Australian Information Commissioner (OAIC) released the Privacy Guidance on Part 4A of the Online Safety Act 2021 (Cth), which provides guidance on how privacy obligations under the Privacy Act 1988 (Cth) and the APPs apply to entities implementing the Social Media Minimum Age (SMMA) scheme.

A breach by a provider will be subject to a maximum penalty of 30,000 penalty units (currently equivalent to AU $9.9 million). This increases to 150,000 penalty units (currently equivalent to AU $49.5 million) if the provider is a body corporate. The obligation to take reasonable steps came into force on 10 December 2025.

The Basic Online Safety Expectations (BOSE) created under the Online Safety Act 2021 (Cth) applies to online service providers and sets out core expectations in relation to e-safety. Note that the BOSE are not themselves enforceable, and a failure to meet specific expectations will not trigger penalties for non-compliance. However, the e-Safety Commissioner is empowered to require regulated service providers to report on how they are meeting any or all of the expectations, either on a non-periodic or a periodic basis through a reporting notice or determination and can publicise instances of non-compliance with the Expectations. Financial penalties apply for any failure by a service provider to comply with the reporting notice or determination. Core Expectation 11 requires that providers take reasonable steps to prevent access by children to class 2 material (class 2 material includes content that is likely to be classified as X18+ or R18+ and includes, for example, pornography and other high impact material such as R18+ video games). Examples of reasonable steps that could be taken to meet this Expectation provided by the BOSE include:

- implementing appropriate age assurance mechanisms;

- conducting child safety risk assessments; and

- continually seeking to develop, support or source, and implement improved technologies and processes for preventing access by children to class 2 material.

Industry codes and standards, which apply to social media services, app distribution services, hosting services, internet carriage services, equipment providers, search engine services and relevant electronic services and designated internet services contain measures to address different classes of online material. Split into two phases, phase 1 codes cover ‘class 1A’ and ‘class 1B’ online material. These classes cover the most seriously harmful online content, such as child sexual exploitation material and pro-terror material. Registered in 2025, phase 2 codes cover class 1C and class 2 material such as online pornography that is inappropriate for children.

Please see the response to this question.

The Australian government has also conducted a trial of age-verification programs that will restrict children’s exposure to inappropriate online content, including pornography and potentially social media. On 1 September 2025, the final report of the Age Assurance Technology Trial was published which found that while no single solution fits all contexts, a wide variety of technologies already meet meaningful thresholds for accuracy, security and privacy when carefully selected and implemented.

[B&BD1]Note to web design team: Hyperlink to question 21 to be inserted here.Please see the response to this question.

In 2025, the e-Safety Commissioner commenced enforcement processes against two companies by issuing formal warnings:

- to ‘Bad Kitty’s Dad, LDA’, which operates OmeTV, for allegedly breaching the Relevant Electronic Services Industry Standard by failing to have required safety features and settings, and for allowing adults to have randomised video chats with children without sufficient protections; and

- to an unnamed UK-based technology company for failing to place appropriate safeguards to prevent the creation of child sexual exploitation material, in breach of industry standards.

The e-Safety Commissioner has also issued multiple infringement notices to companies for failing to respond to transparency notices seeking information about steps taken to address any terrorist and violent extremist materials, as well as child sexual exploitation. materials.

The eSafety Commissioner has also proactively used its information gathering powers under sections 63G of the Online Safety Act 2021 (Cth) to obtain information about compliance with Social Media Minimum Age (SMMA) obligations ahead of them coming into force on 10 December 2025.

N/A