As part of the 2023-2030 Australian Cyber Security Strategy, the Australian Government is committed to ensuring Australians can trust their digital products are safe, secure and fit-for-purpose. Alignment with international best practice helps ensure consistency and protect consumers from cyber risks in everyday technologies.
Australians use applications (apps) daily to access services and to communicate. Improving app security is key to raising the cyber security baseline across the economy.
The department has developed voluntary guidance for App Store Operators and App Developers in Australia that aligns with international best practice. The Australian Code of Practice, along with broader efforts to improve cyber security across smart products, strengthens consumer cyber protections. It also supports Australia’s goal to become a world-leading cyber secure nation by 2030.
The Australian Government recently invited stakeholders to provide feedback on the approach to app security. Public consultation closed on 11 July 2025. Submissions revealed that:
- Most stakeholders supported a voluntary Code of Practice aligned with existing international approaches to minimise regulatory burden on industry.
- Particularly, the UK Code of Practice for App Store Operators and App Developers was seen as best practice.
- Stakeholders highlighted the need to tailor the code to Australia’s specific privacy and security landscape.
- As a result, the department developed an equivalent but distinct code that aligns with international expectations while maintaining strategic autonomy to suit Australia’s needs.
Australian Voluntary Code of Practice for App Store Operators and App Developers.
Obligations under Australian Privacy Law
App Store Operators and App Developers should be aware of their obligations under privacy and data protection laws. The Privacy Act 1988 (Privacy Act) is Australia’s main legislation regulating the management of personal information. The Code of Practice is intended to supplement, and not replace, these legal requirements.
The Privacy Act includes Australian Privacy Principles (APPs), which apply to most Australian Government agencies and private sector organisations with an annual turnover of over $3 million. The APPs also apply to health service providers, operators of residential tenancy databases, credit reporting bodies and other businesses. The Office of the Australian Information Commissioner (OAIC) promotes awareness of the Privacy Act and helps organisations comply with it.
The below privacy obligations are particularly relevant to the Code of Practice:
- Transparency: APP entities must handle personal information in an open and transparent way. This includes having a clear privacy policy that explains how they manage personal information and the systems they use.
- Collection and use limitation: APP entities must only collect personal information if it is reasonably necessary for their functions or activities. They must get consent to use or disclose the information for any other purpose (other than the purpose of collection), unless an exception applies.
- Security: APP entities must take reasonable steps to protect personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. When an APP entity no longer needs the personal information for a permitted purpose and is not required to retain it either as part of a Commonwealth record or under Australian law or court order, it must either destroy it or ensure it is de-identified.
- Data breaches: APP entities have obligations to notify individuals and the Australian Information Commissioner about data breaches that are likely to cause serious harm.
The OAIC publishes guidance on the operation of these requirements and other obligations under the Privacy Act on its website: Australian Privacy Principles guidelines | OAIC.
Joint Statement by Australia and the United Kingdom on the Release of Australia’s Voluntary Code of Practice for App Store Operators and App Developers
On 23 October 2025, Australia and the United Kingdom released a Joint Statement on our aligned approaches regarding app and app store security. This follows the release of the Australian Voluntary Code of Practice for App Store Operators and App Developers.
The statement highlights the collaborative alignment of both countries’ Codes of Practice while recognising the nuances in local industries and markets.
Read the full Joint Statement.