With the Social Media Minimum Age Act 2024 and updated privacy legislation set to take effect on 10 December 2025, privacy specialists warn that many organisations remain unprepared for the law’s new age-assurance obligations and stricter data-handling standards.
The new rules require social media platforms to verify that users are aged over 16, while the Privacy and Other Legislation Amendment Act 2024 introduces tougher penalties for breaches and new requirements for organisations to demonstrate how they collect, store and delete personal information. The obligations extend beyond social media companies to any business that retains identity data as part of its operations, including HR firms, accounting and legal practices, real estate agencies, and conveyancers.
TrueVault Founder Martin Lazarevic said many businesses still retain sensitive identity documents unnecessarily, creating higher privacy and cybersecurity risks.
“Age assurance must not become data collection by another name,” Lazarevic said, adding that organisations often store documents they do not need. “That approach directly contradicts the direction of Australian privacy law. TrueVault removes the risk by verifying IDs without storing the originals and keeps individuals in complete control of what they share and with whom.”
TrueVault’s platform uses a zero-document-storage model, connecting directly with government databases to verify identity and deleting any original documents immediately. The company says this approach aligns with the new legal requirements by ensuring organisations can demonstrate strong data-minimisation practices and reduce exposure in the event of a breach.
The company also offers plug-and-play integrations for digital identity, age verification and other regulatory use cases. It says its “zero-knowledge proof” mechanism allows users to verify their age or identity without disclosing additional personal information.
Lazarevic said the new laws will force businesses to rethink longstanding data-retention practices, noting that compliance frameworks should enhance privacy rather than create additional risks. “TrueVault was built on the principle that privacy compliance should protect people first — not create more risk,” he said.
