Age Verification in Australia: The Online Safety Act and What Platforms Must Do Now

What the Law Requires

The Online Safety Act gives the eSafety Commissioner broad powers to require online platforms to take "reasonable steps" to prevent children from accessing age-restricted content. This includes the authority to issue codes and standards that specify the technical measures platforms must implement.

The key regulatory concept is "age assurance" — a broader term than "age verification" that encompasses multiple methods of determining a user's age, from hard verification (document-based identity checks) to estimation (facial analysis) to attestation (third-party confirmation).

Platforms are not required to implement a specific technology. The law is technology-neutral — it requires outcomes (preventing children from accessing restricted content) rather than prescribing methods. However, the eSafety Commissioner has published guidance that establishes expectations around what constitutes "reasonable steps," and token gestures like self-declaration checkboxes do not meet the bar.

Age Assurance Methods

Document-Based Verification

The highest-assurance method requires users to present a government-issued identity document that includes their date of birth. The platform verifies the document's authenticity and extracts the age. This provides definitive proof of age but introduces privacy concerns — users must share identity documents with platforms they may not trust with that data.

In practice, document-based verification is best suited for high-risk use cases where the consequences of a minor accessing content are severe. It is less appropriate for general-purpose age gating, where the friction deters legitimate users.

Biometric Age Estimation

Facial analysis technology can estimate a user's age from a selfie photograph without requiring any identity document. The analysis evaluates facial characteristics associated with aging — bone structure, skin texture, proportional relationships — and produces an estimated age with a confidence interval.

This approach is privacy-preserving because no identity document is required, the facial image can be processed in memory and discarded (not stored), and the system only determines whether the user is above or below the age threshold — not who they are.

The trade-off is accuracy. Age estimation is probabilistic, not definitive. A system tuned to minimize false negatives (allowing minors through) will inevitably increase false positives (rejecting adults). The acceptable error rate depends on the use case and the regulatory tolerance.

Third-Party Attestation

Token-based systems allow a trusted third party — such as a mobile carrier, bank, or government identity provider — to confirm that a user is above the age threshold without revealing their actual age or identity to the platform. The user authenticates with the third party, which issues a cryptographic token confirming age eligibility. The platform receives the token (proof of age) without receiving any personal data.

This is the most privacy-preserving approach and aligns well with Australia's broader data protection principles. However, it requires infrastructure that is still maturing — widespread third-party attestation services are not yet universally available.

Privacy Concerns

The tension between age verification and privacy is the central challenge of this regulatory framework. Any system that verifies age collects data about users — and the more rigorous the verification, the more sensitive the data.

Australia's Privacy Act 1988 establishes principles for the handling of personal information, and any age verification system must comply with these requirements. The Australian Information Commissioner has been clear that age verification measures must be proportionate to the risk and must not result in disproportionate data collection.

For platforms, this means implementing verification systems that collect the minimum data necessary to make the age determination, process that data in real time without persistent storage where possible, and provide clear notice to users about what data is collected and how it is used.

The ideal system checks age without knowing identity. This is achievable through biometric estimation (process the face, return the age, discard the image) or token-based attestation (receive age confirmation without receiving personal data). Document-based verification, while more definitive, requires platforms to handle identity data they may not need and that users may not want to share.

How Australia Compares Globally

Australia's approach sits alongside several international frameworks addressing the same challenge.

The United Kingdom's Online Safety Act similarly requires platforms to implement age verification for age-restricted content. The UK's approach has evolved through Ofcom's guidance, which provides detailed expectations around what constitutes adequate age assurance. The UK framework explicitly recognizes that different methods are appropriate for different risk levels.

The European Union's Digital Services Act establishes obligations for platforms to protect minors, with specific provisions around age verification that interact with the eIDAS 2.0 framework. As the EU Digital Identity Wallet rolls out across member states by end of 2026, token-based age attestation using the EUDI Wallet may become the preferred European approach.

Brazil's Digital ECA (Estatuto Digital da Criança e do Adolescente), which took effect on March 17, 2026, mandates biometric age verification for children and adolescents accessing digital platforms — one of the most prescriptive approaches globally.

Implementation Guidance for Platforms

For platforms that need to implement age verification for Australian compliance, here is a practical framework.

First, assess the risk level of your content. Age-restricted content (adult material, gambling, alcohol, tobacco) requires high-assurance verification. General platforms with mixed content may satisfy requirements with lower-friction approaches.

Second, choose a method proportionate to the risk. High-risk: document-based verification with deepfake detection (to prevent minors using parents' documents). Medium-risk: biometric age estimation with confidence thresholds. Lower-risk: third-party attestation where available, or self-declaration combined with behavioral monitoring.

Third, minimize data collection. Whatever method you choose, collect only the data necessary for the age determination. Process in real time where possible. Discard raw biometric data after processing. Do not retain identity documents longer than necessary for the verification decision.

Fourth, prepare for enforcement. The eSafety Commissioner has demonstrated willingness to take enforcement action. Document your compliance measures, maintain audit logs of verification decisions, and be prepared to demonstrate that your approach constitutes "reasonable steps."