Countdown to Compliance: Are You Ready for 10 December?

The countdown is on with only 2 weeks until the social media minimum age (SMMA) restrictions come into force on 10 December 2025.

As discussed in our previous article, platforms that meet the definition of an ‘age-restricted social media platform’ (ARSMPs) must take reasonable steps to ensure that children under the age of 16 do not hold an account on their services.

In addition to the well-known minimum age restriction, ARSMPs must also adhere to key privacy obligations in relation to personal information which is collected for, or including, a social media minimum age purpose, along with strict requirements on the use, disclosure and destruction of such personal information. The OAIC has published guidance to clarify these privacy requirements (see our summary here).

eSafety’s approach to compliance monitoring and enforcement 

Regulatory Guidance released earlier this year by the eSafety Commissioner (eSafety) indicates that those platforms with the greatest numbers of under 16s will be the focus of eSafety’s attention when it comes to monitoring compliance with the new provisions.[1] Though this guidance is not binding as a matter of law, it provides useful insights as to how the regulator views the SMMA regime and its perspective on enforcement. 

In terms of enforcement, eSafety has indicated it will also have regard to the technical sophistication, resources and maturity of ARSMP providers in its compliance monitoring in a proportionate and risk-based approach.

While proactive engagement with eSafety is encouraged (for example, notifying of any challenges faced in implementation), eSafety has broad information-gathering powers under s 63G of the Online Safety Act 2021 (Cth). These powers allow eSafety to obtain any information from a provider about:

• whether their service is included as an ARSMP under the relevant rules;
• their compliance with the SMMA obligation (for example, the age-assurance measures in place, research undertaken to develop new age verification tools, the number of account deactivations as a result of the tools and measures and more); and
• their adherence to the privacy-related obligations in subsections 63DA(1) (collecting information) and 63DB(1) (use of certain identification material). 

An important point to note is that section 63G has incredibly broad application. Section 63G(2) of the Act enables the regulator to obtain any information from any electronic service provider that is relevant to whether the service is excluded or included as an ARSMP. 

What to do if you receive a s 63G notice?

If you receive a s 63G notice, you must comply with the notice to the extent that you are able to do so. 

eSafety will give written notice to you if it makes a request for information pursuant to s 63G, and that notice will contain the period, manner and form in which you are required to produce the information relevant to your compliance with the Act. 

Failure to comply with an information request carries with it a hefty penalty of up to a theoretical maximum of $825,000 (or $165,000 for an individual) for each contravention. Alternatively, eSafety has the power to issue an infringement notice of up to $19,800 (or $3,960 for an individual) in relation to suspected contraventions of s 63G. eSafety has demonstrated an inclination towards administrative remedies such as infringement notices in similar contexts in the past; for example, earlier this year eSafety issued an infringement notice to a company for failing to respond to a transparency reporting notice deadline. 

Tips to prepare

To ensure your business is ready to respond to a s 63G notice, we recommend ARSMP providers keep clear and consistent records of:

• the steps taken to prevent age restricted users from holding accounts and to detect any circumvention;
• the effectiveness of the steps taken through regular reviews; and
• any observations or insights that may help inform eSafety’s enforcement of the SMMA obligation and promote children’s online safety.

Other electronic service providers should also ensure to document any assessments undertaken to determine whether their platform is included or excluded as an ARSMP.

Failure to demonstrate reasonable steps taken to prevent underage users from holding accounts and failure to adhere to the corresponding privacy obligations may result in significant enforcement action. The process of responding to a regulatory investigation or enforcement action brought by a regulator is usually a lengthy and expensive process, the costs of which may not be recoverable, so it is important for businesses to get on top of these new rules by 10 December 2025.   

Navigating the new eSafety regime requires a proactive approach to information collection and compliance. Rather than waiting for a notice to arrive, ARSMP providers should take initiative and review their current practices to ensure they align with the evolving requirements in the SMMA space. Given eSafety’s broad information gathering powers, electronic service providers (beyond just ARSMP providers) should also take steps to document any internal assessment regarding the application of the SMMA requirements to their platform(s), including any decision-making process around why those requirements do or do not apply to the relevant platform. 

Reach out to our expert team for more information on what to do if you receive an information request from eSafety, and how to prepare to stay ahead of regulatory obligations.