New online safety codes require age verification for explicit content

The eSafety Commissioner has registered new industry codes which, among other measures, will require certain online service providers to verify that users are 18+ before accessing certain content.

What are the new Codes?

After a period of industry consultation, the eSafety Commissioner has now registered 9 industry codes (Codes) that focus on preventing children’s access to class 1C and class 2 material, primarily covering pornographic material (including simulated pornography such as deepfakes) and other high impact material (including self-harm and simulated gambling material).

As summarised in our previous articles, existing industry codes and standards dealt with class 1A and 1B material which primarily relate to illegal content such as child sexual abuse and exploitation material, pro-terror content and extreme crime and violence.

Who do the Codes apply to?

The 9 Codes apply to each of the 9 areas of the online industry, being:
•    Hosting services
•    Internet carriage services
•    Internet search engine services
•    Social media services (core features) (including services that include AI companion chatbot features)
•    Social media services (messaging features)
•    Relevant electronic services
•    Designated internet services
•    App distribution services
•    Equipment
 
There are separate obligations under each Code to reflect the role and risk of each service provider.

What do the Codes require?

The main objective of the Codes is to prevent children from being exposed to class 1C and class 2 material. The specific obligations vary amongst the different service providers. Some of the more significant obligations include:

• Age assurance: requiring service providers to undertake age assurance measures. Examples of age assurance measures include photo ID, use of AI to estimate age and credit card checks. The eSafety Commissioner has clarified that self-declaration of age will not be considered sufficient for compliance with the Code.
• Download restrictions: implementing restrictions to prevent Australian children from accessing or downloading apps containing class 1C and 2 material.
• Parental controls and default settings: making parental controls available on the service and ensuring appropriate default safety settings for child accounts.
• Monitoring and continuous improvement: requiring service providers to implement, invest in and take appropriate steps to detect class 1C and 2 material, and automatically action that material before it is encountered by end-users, including by filtering material, removing material from marketing and/or recommender systems, blocking material and blurring material.

When do the Codes come into effect?

Three of the Codes were registered on 27 June 2025 and will come into effect on 27 December 2025. These apply to hosting services, internet carriage services and search engine services.

The other six Codes were registered on 9 September 2025 and will come into effect on 9 March 2026.

What are the consequences for non-compliance?

Compliance with the Codes is mandatory. Failing to comply with a Code carries a maximum civil penalty of AUD$9.9m.

What next?

Online service providers should familiarise themselves with the Codes and prepare to implement compliance measures by the relevant commencement dates of December 2025 or March 2026.

Given the age assurance requirements carry privacy concerns, service providers should also familiarise themselves with their privacy obligations under the Privacy Act 1988 (Cth). Concerns relating to age assurance technologies like age verification and age estimation have already been raised as part of the OAIC’s consultation on the Children’s Privacy Code.

Further guidance may be issued by the OAIC relating to this issue. See our dedicated page for the latest developments in relation to technology, privacy and data.