Australia's eSafety Commissioner has today published regulatory guidance for the online industry, setting out reasonable steps to comply with Australia's Social Media Minimum Age obligation, due to take effect on 10 December.
The guidance provides information for age-restricted social media platforms to ensure they have appropriate measures in place to prevent Australian children under 16 from holding accounts on their services.
Informed by ongoing industry engagement, community consultation and the final report from the Australian Government-sponsored Age Assurance Technology Trial, the guidance outlines how platforms can meet
their obligations through deploying age assurance technologies, improved reporting pathways and clear communication with users.
The guidance builds upon the recently released self-assessment guide which will help services determine if they are age-restricted social media platforms. It also sets expectations for ongoing monitoring, transparency and fairness in relation to how platforms detect and deactivate underage accounts.
eSafety Commissioner Julie Inman Grant said the guidance reflects extensive consultation with industry and stakeholders, as they prepare for the social media minimum age obligation to take effect.
"As we work towards implementing this world-first legislation, we remain deeply engaged with industry to ensure they have all of the information they need to comply," Ms Inman Grant said.
"Our principles-based guidance recognises that there is no one-size-fits-all solution for industry, given the diversity of platforms and technology and to help technology companies meet their obligations in a way that is effective, privacy-preserving and fair.
"We have encouraged platforms to take a layered approach across the user journey, implementing a combination of systems, technologies, people, processes, policies and communications to support compliance," Ms Inman Grant said.
Key expectations for platforms include:
• Detecting and deactivating or removing existing underage accounts with care and clear communication.
• Preventing re-registration or circumvention by underage users whose accounts have been deactivated or removed.
• Taking a layered approach to age assurance to minimise end-user friction, minimise the risk of error rates and provide user choice. Providing accessible review mechanisms for users who believe they've been wrongly flagged.
• Avoiding reliance on self-declaration alone, which is not considered sufficient to meet the legal obligation.
• Continuously monitoring and improving systems to track effectiveness, improve measures over time and provide the public and regulator transparent information about age assurance practices.
Equally important is what eSafety is not asking platforms to do.
• eSafety is not asking platforms to verify the age of all users - platforms are not required to age-verify every user. Blanket age verification may be considered unreasonable, especially if existing data can infer age reliably.
• Platforms cannot use government ID as the sole method - platforms must always offer reasonable alternatives to government ID or accredited digital ID services.
• eSafety is not prescribing specific technologies or measures - The guidance is principles-based. Platforms are not required to use specific technologies or vendors, including those assessed in the Age Assurance Technology Trial.
• Retain personal data from age checks - eSafety does not expect platforms to keep personal information from individual age checks. Record-keeping should focus on systems and processes, not user-level data.
• Automatically transfer underage users to other services - accounts should not be ported to supplementary services without explicit user consent and opt-in.
Ms Inman Grant said the guidance encourages platforms to continuously improve their systems and to work collaboratively with eSafety to ensure compliance, which will be focused on companies achieving the policies intended outcomes of preventing under 16s from having or holding an account.
"We know that many companies are already using sophisticated age indicators-such as behavioural data and natural language processing and analysis-to estimate how old their users are," Ms Inman Grant said.
"It is therefore expected that platforms will leverage these existing signals for safety purposes in a privacy-preserving way to protect younger users.
"We want industry to succeed by building upon the systems they already have and drawing on existing measures to comply with the social media minimum age legislation while they continue to uplift their safety measures," Ms Inman Grant said.
"Children, parents and carers are counting on services to deliver on their obligations and prepare their young users for this monumental change."
"This legislation puts the onus on platforms, not parents, carers or young people. To that end, eSafety will be assessing a platform's compliance based on implementation of systems and processes, not based on individual user accounts".
The guidance encourages data minimising approaches, in accordance with the law's strong protections for personal information collected for age assurance purposes, overseen by the Office of the Australian Information Commissioner (OAIC) and complemented by the Privacy Act.
Importantly, the social media minimum age legislation specifically prohibits platforms from compelling Australians to use government ID to prove their age online. Platforms may offer it as an option as part of their layered approach if they choose but must also always offer a reasonable alternative. This has been reinforced in eSafey's regulatory guidance.
"By taking a layered or 'waterfall' approach, applying different measures across the user experience, including accessible and timely review mechanisms, platforms can manage the risks associated with any errors in age inference or estimation," Ms Inman Grant said.
"It also means that platforms won't have to age verify every Australian user to comply. eSafety recommends the most minimally invasive techniques available."
In addition to the regulatory guidance, eSafety also today published a statement reaffirming its commitment to children's digital rights in its implementation of the social media minimum age legislation.
"Children's best interests are at the heart of everything we do at eSafety and we are seeking to strike a delicate balance," Ms Inman Grant said.
"Respect for and commitment to the rights of the child underpin our guiding principles and should be front of mind for platforms when implementing measures to meet their obligations. This will be a significant change for many young Australians and we must be prepared to provide the right scaffolding and approaches to support them."
Further resources will be released on eSafety's Hub to support children, parents, educators and communities in understanding the new laws and what they mean for online safety.
