How will the Online Privacy Code affect my business?


Privacy has become a main concern amongst customers and clients, as business operations continue to shift online. On 25 October 2021, the Australian Government released a draft of the Online Privacy Bill, which amends parts of the Privacy Act 1998 (Cth). Among other things, the Bill seeks to introduce an Online Privacy Code for social media organisations and other platforms. This article outlines the proposed Online Privacy Code, and what your business can do to prepare for the changes.


What is the Online Privacy Code?

The Online Privacy Code is a proposed code which governs privacy obligations of certain organisations. The Code has been proposed as part of the Online Privacy Bill, which seeks to strengthen current Australian privacy laws.


Who will the Online Privacy Code apply to?

The Online Privacy Code will apply to private sector organisations already subject to the Privacy Act, which provide social media services and data brokerage services. This includes sites like Facebook, Zoom and WhatsApp.


The proposed Code applies to ‘large online platforms’ with over 2.5 million customers or users who collect personal information from their users. This may cover many businesses operating online, including retailers, marketplaces, software services and streaming services. As such, businesses should keep up to date with the progress of the Code to ensure they remain legally compliant.


What are the main changes introduced by the Online Privacy Code?

1. New obligation to stop use of personal information upon request

The proposed Code requires organisations to take reasonable steps to stop using or disclosing personal information upon request. This change will extend existing rights under the Australian Privacy Principles (‘APP’) which allow individuals to request access and correction of their personal information (APP 12, 13).


2. New obligation to protect children and vulnerable groups

The Online Privacy Code will introduce new obligations on organisations to take extra steps when dealing with personal information of persons under 18 and vulnerable groups. The Code will clarify how consent may be obtained from these individuals or their parents, guardians or representatives.


Specifically, social media organisations will need to:

  • take reasonable steps to verify the age of users;
  • ensure that collection, use or disclosure of a child’s personal information is fair, reasonable, and in the best interests of the child in the circumstances; and
  • obtain the express consent of a parent or guardian before collection, use or disclosure of a child’s personal information.


3. Clarified obligations under the Australian Privacy Principles

The Online Privacy Code will provide detail on how applicable organisations must comply with existing privacy principles under the Privacy Act 1988 (Cth). In particular, the Code will address:

  • Privacy policies, which must clearly and simply explain how an organisation collects, holds, uses and discloses personal information (APP 1).
  • Consent for collecting personal information, which must be voluntary, informed, unambiguous, specific and current (APP 3, 6).
  • Collection notices of personal information, which must be clear, understandable and timely (APP 5).


What are the other changes introduced by the Online Privacy Bill?

Apart from introducing the Online Privacy Code, the Bill also:

  • Increases civil penalties for serious and repeated privacy interferences to up to $532,800 for individuals. For companies, the maximum civil penalty may be up to $10 million, three times the value of the benefit gained by the company, or 10% of the company’s domestic annual turnover.
  • Introduces infringement notices where an organisation fails to provide relevant information or documents to the Commissioner in relation to investigations. Infringement notices will be accompanied by civil and/or criminal penalties.
  • Clarifies the extra-territorial application of the Privacy Act. Organisations who hold personal information of Australians will be subject to the Privacy Act, even if the organisation itself is outside of Australia.


How does the Online Privacy Bill affect current privacy laws?

The Online Privacy Bill works alongside current privacy laws to provide an additional layer of privacy regulation. The Bill seeks to extend and uphold current Australian Privacy Principles, with a focus on regulating the online space.


Key takeaways:

  • The Online Privacy Bill seeks to strengthen current Australian privacy laws and will introduce and Online Privacy Code for certain organisations.
  • The Code will apply to large online platforms and many retailers, as well as social media and data brokerage organisations.
  • The Code introduces new obligations to stop use of personal information upon request, and specific obligations to protect the privacy of children.
  • The Bill also increases civil penalties for breach of privacy laws and introduces infringement notices for breaching organisations.


What should my business do next?

The Online Privacy Bill and related Online Privacy Code is expected to be implemented soon. In preparation for the changes, businesses should review their privacy policies and processes, making necessary amendments. This includes:

  • clarifying how personal information of clients and customers is used, disclosed and stored;
  • ensuring that clauses are included about an individual’s right to request the stop of use or disclosure of their personal information;
  • adapting privacy policies to COVID-19 government requirements regarding vaccination information; and
  • introducing a specific Social Media Policy and/or Online Privacy Policy.


Gladwin Legal can assist with any of these changes. We are experts in privacy law and have extensive experience in advising businesses. If you would like to know how we can help, please contact us at or 1300 033 934.