Notes from the Asia-Pacific region: OAIC draft code enhances protections for children

As we move deeper into 2026, momentum across privacy, artificial intelligence governance and digital responsibility continues to build in meaningful ways throughout the region. Australia saw a particularly significant development this past week with the Office of the Australian Information Commissioner's release of the exposure draft of the Children's Online Privacy Code.  

The draft code proposes a suite of new obligations designed explicitly to ensure that the best interests of children are placed at the center of data collection and handling practices. It would require agencies and organizations to consider children's interests before collecting, using or disclosing their personal information. 

Notably, it introduces strengthened safeguards around targeted advertising, mandating that organizations obtain consent prior to using children's personal information for that purpose, while also empowering children with the right to request deletion of their data.

The draft code also introduces novel, globally leading protections, including requirements for online services to notify a child when a parent has provided consent on their behalf, and when parents or other users are tracking their geolocation on a platform. 

In scope, the draft code is expansive, applying to online services where children face the highest privacy risks such as apps, games, streaming services and educational tools. Alongside the social media minimum age obligation that took effect in December 2025, the draft code represents an important uplift in Australia's online child safety posture. 

Public consultation is now open for 60 days, welcoming contributions from children, parents, industry and civil society before the draft is finalized ahead of becoming law in December 2026.

While policymakers in Australia were marking this milestone, thousands of privacy, cybersecurity and AI governance professionals convened in Washington, D.C., for the IAPP Global Summit 2026, the world's largest annual gathering of digital responsibility leaders. The Summit featured more than 70 breakout sessions and hundreds of speakers, with the agenda dominated by themes of AI governance, the expanding U.S. state privacy law patchwork and the increasing urgency of global privacy enforcement.  

Several keynote moments stood out. Prince Harry, Duke of Sussex, delivered a headline address exploring the tension between digital technology, media intrusion and personal agency, drawing from his own public experiences to highlight the societal consequences of weakened privacy norms. His message underscored that control over one's information is rapidly becoming a collective, not just individual, challenge.

Renowned author Salman Rushdie also offered a deeply human perspective on privacy, reflecting on how his near-fatal 2022 attack forced him to "surrender" his privacy in order to survive, and emphasized global disparities in access to both physical and digital privacy.

On the regulatory front, U.S. Federal Trade Commissioner Mark Meador outlined U.S. enforcement priorities for 2026, including children's safety online, the risks of the attention economy, deepfakes and the growing psychological reliance on AI systems, all of which mirror areas of increasing scrutiny in our own region. The Summit's strong focus on AI governance further reinforced the need for organizations to embed safety by design, deploy AI systems responsibly and anticipate rapidly evolving global frameworks.

With Australia undertaking major reform and global discussions accelerating, it is clear that 2026 is shaping up to be a defining year for privacy and digital responsibility. As a community, our opportunity and responsibility is to help guide organizations through these shifts with clarity, confidence and purpose.