Social media minimum age restrictions: the net widens, enforcement begins and gaming platforms in the frame

Australia's social media minimum age restrictions came into effect on 10 December 2025. We've already examined the Online Safety (Age-Restricted Social Media Platforms) Rules 2025 (Cth), the eSafety Commissioner's September 2025 Regulatory Guidance on "reasonable steps", and the phase 2 industry codes. Since then, the Minister for Communications has amended the Rules to introduce a new requirement that narrows which platforms are covered, the eSafety Commissioner has published its first compliance update, and regulatory scrutiny has extended into the gaming sector.

The definition for "age-restricted social media platform" sharpens

The definition of an "age-restricted social media platform" has been narrowed, so that a service is only within scope of the social media minimum age obligation if it also has a recommender feature or a logged-in feature. The starting point is section 63C of the Online Safety Act 2021 (Cth), which broadly captures electronic services whose sole or significant purpose is to enable online social interaction, that allow end-users to link to or interact with others, and that allow end-users to post material, subject to any further conditions set out in the Rules.

The Online Safety (Age-Restricted Social Media Platforms) Amendment Rules 2026 (Cth) were registered on 25 March 2026 and commenced the following day. They insert a new section 4A into the Rules, filling in the condition left open by paragraph 63C(1)(a)(iv) of the Act.

Section 4A(1) provides that it is a condition for being an age-restricted social media platform that the service has either or both of a recommender feature or a logged-in feature. A service has a recommender feature if it can select and display material to an end-user by reference to information associated with that user's account, capturing what the Explanatory Statement describes as "for you", "explore" and "discover" feeds. A service has a logged-in feature if it has one or more of an endless-feed feature, a feedback feature, or a time-limited feature, and does not enable an end-user to access at least one such feature unless they are using the service with an account.

Three aspects of the new condition warrant close attention for services conducting self-assessments:

• default disabled features still count: whether a feature is disabled as a default setting, or can be disabled by an end-user, is irrelevant; its mere availability and accessibility to end-users is sufficient;

• a single sub-feature is enough: the logged-in feature condition is satisfied if a service has at least one of the three sub-features (endless-feed, feedback, or time-limited content) that is only accessible to logged-in users, regardless of whether the other sub-features are also present or accessible when logged out; and

• engagement-driven design is the target: the purpose of the Amendment Rules, as stated in the Explanatory Statement, is to target the social media minimum age obligation at services purposefully designed to maintain persistent engagement, by tying the definition to the features most closely associated with harm to children.

A service that deploys neither an account-linked recommender feature nor any of the three sub-features that are accessible only when a user is logged in to an account will not meet the new condition, even if it otherwise resembles a social media platform in a colloquial sense.

The eSafety Commissioner has confirmed that its assessment of the 10 platforms it currently considers to be age-restricted is unchanged following the Amendment Rules. Services not currently within scope should continue to self-assess, including when introducing new features or observing changes in user engagement.

What the compliance update tells us about "reasonable steps"

The eSafety Commissioner published its first compliance update in March 2026, drawing on 23 legally enforceable information-gathering notices issued to 10 platforms, five of which are now the subject of active investigations into potential non-compliance. The update confirms that the eSafety Commissioner is investigating potential non-compliance by a number of major platforms and aims to finalise at least some of those investigations and make enforcement decisions by mid-2026.

The compliance update identifies four key observations that give practical content to the Regulatory Guidance:

• previously self-declared under-16s should not be allowed to increase their age: some platforms prompted users who had already self-declared as being under 16 to undergo age assurance in order to correct their declared age upward, in some cases using low-confidence methods such as facial age estimation near the 16-year threshold where error rates are known to be higher. The Regulatory Guidance requires platforms to prevent previously self-declared under-16s from increasing their declared age to avoid deactivation;

• repeated attempts with the same method are not enough: allowing repeated attempts using the same age assurance method was flagged as inconsistent with the Regulatory Guidance's waterfall approach, which requires escalation to a more robust method where signals of under-16 status remain;

• reporting pathways need to be accessible: reporting pathways for underage accounts have generally not been sufficiently accessible, particularly for parents; and

• self-declaration at sign-up will not be sufficient: relying on self-declared age at sign-up alone will not discharge the social media minimum age obligation. Proactive measures to prevent new account creation by under-16s are required.

Enforcement tools are graduated, ranging from platform provider notifications through to enforceable undertakings, infringement notices, court-ordered injunctions, and civil penalties of up to $49.5 million for body corporates. The eSafety Commissioner has confirmed it will review the Regulatory Guidance by June 2026 and will seek stakeholder feedback, providing an opportunity for platforms to engage with the framework's further development.

Roblox and the reach of the broader framework

Recent regulatory activity involving Roblox is a reminder that the Act's reach extends well beyond the age-restricted social media platform definition. While the eSafety Commissioner is currently of the view that Roblox falls outside the scope of the social media minimum age obligation because it is a service primarily characterised as online gaming, it has been subject to sustained and escalating engagement with the eSafety Commissioner under the Act's separate requirements, including the Basic Online Safety Expectations and the phase 2 industry codes.

Following months of engagement, Roblox made nine specific safety commitments in September 2025, including making accounts for users under-16 private by default, restricting unsolicited contact from adult users, and switching off direct and in-experience chat by default until age estimation is completed. Age estimation rolled out in Australia from December 2025, ahead of a global expansion in January 2026.

Notwithstanding those commitments, the eSafety Commissioner notified Roblox in February 2026 that it intended to directly test the implementation and effectiveness of each commitment, citing ongoing concerns about child grooming and exposure to harmful material. Most recently, the eSafety Commissioner issued legally enforceable transparency notices to Roblox alongside Minecraft, Fortnite and Steam, requiring each to explain how its systems, staffing and safety-by-design measures address grooming, sexual extortion, cyberbullying and violent extremism. Failure to respond carries daily penalties of up to $825,000.

The Government has reaffirmed its commitment to legislating a Digital Duty of Care as part of its formal response to the Online Safety Act review. For services outside the age-restricted social media platform definition, the Roblox experience underscores that regulatory exposure under the Act is not limited to the social media minimum age framework. Gaming services, messaging platforms and other digital services with significant under-18 user bases should assess their obligations under the industry codes and Basic Online Safety Expectations independently.