What is the Online Safety Act?
Australia's Online Safety Act 2026 is administered by the eSafety Commissioner and came into force on March 9, 2026. It requires any platform that can generate or provide access to "Class 1" or "Class 2" content (sexually explicit material) to implement age verification for Australian users.
The scope is wider than most people expected. It's not just traditional porn sites. AI image generators, AI companion and girlfriend apps, and any other platform that can produce explicit content on request are all in scope. If the platform has an NSFW mode or lets users generate explicit images, it's covered.
The Act itself isn't new. The base Online Safety Act 2021 already gave eSafety broad enforcement powers. The 2026 update brought specific age verification codes into force for adult content platforms, which is what's now creating pressure on AI companion apps specifically.
The timeline: how we got here
This didn't happen overnight:
- 2021 — Online Safety Act 2021 passed, establishing the eSafety Commissioner's regulatory framework and content removal powers
- 2023–2024 — eSafety ran a consultation process on age verification codes, taking submissions from industry, civil society, and the public
- 2025 — Age verification codes finalised and registered, with a 12-month industry transition period announced
- March 9, 2026 — Codes came into force. Platforms providing access to Class 1 or Class 2 content now had a legal obligation to verify age
- April 2026 onwards — eSafety working through initial compliance assessment before issuing formal notices
The 12-month transition period gave platforms time to build compliant systems. Most AI companion apps didn't use it.
What the Act actually requires
The Act calls for "solid" age verification. That's eSafety's own language in the codes, not mine. It means a real technical check, not a button. Acceptable methods under the Act's codes include:
- Credit or debit card verification (treating the card as a proxy for adult status)
- Government-issued ID upload and verification
- Third-party age verification services in the sign-up flow
- Digital identity verification using government-linked systems (including myGovID)
What does not count:
- A button or checkbox asking users to confirm they are 18+
- A date-of-birth entry form with no backend check
- A Terms of Service acknowledgement
The distinction matters because it's the difference between a platform being technically compliant and one that just looks like it tried. A self-declaration button is better than nothing for the platform's own liability purposes, but it doesn't satisfy the code.
What age verification actually looks like in practice
If platforms did comply, here's what you'd realistically encounter:
Credit card check — the platform verifies your card at sign-up as a proxy for being 18+. Fast, low friction. The downside is it creates a financial record linking you to the platform. Most adult sites that have gone down the compliance path have used this route because it's the least intrusive on paper.
Third-party age verification service — services like AgeID or Veriff sit between you and the site. You verify once, get a token, and use it across any participating site. In theory this reduces data exposure. In practice, it centralises your verification history with a third party you may not have heard of.
Government-linked digital identity (myGovID) — technically the most solid option under the Act, but it requires users to have set up a myGovID account and is unpopular for obvious privacy reasons. I haven't seen any AI companion platform even consider this route.
There's a real tension here. The Act is trying to keep explicit content away from minors. But every compliance method also creates a paper trail that many adults would prefer didn't exist. That's why the debate around the codes was contentious, and why some platforms might choose to block AU users rather than ask their customers to verify identity.
How AI companion apps have actually responded
I tested six platforms from an Aussie IP in April 2026. Every single one is non-compliant. Here's what they've done:
| Platform | Age gate type | AU accessible? | Compliant? |
|---|---|---|---|
| JOI | None | Yes | No |
| Secrets.ai | Self-declaration button | Yes | No |
| Candy.ai | Self-declaration button | Yes | No |
| Promptchan | Self-declaration button | Yes | No |
| Xotic AI | Self-declaration + ToS scroll | Yes | No |
| DarLink AI | Self-declaration button | Yes | No |
Pornhub went the other direction. It blocked Aussie IPs entirely rather than deal with compliance. AI companion apps have taken the path of least resistance: add a button, stay accessible, and wait to see what eSafety does.
JOI is the outlier here. It's the only platform with no age gate at all, not even a non-compliant one. That makes it the easiest to access right now, but it also has the largest compliance gap of any platform I tested.
What eSafety can actually do
The eSafety Commissioner, Julie Inman Grant, has broad powers under the Online Safety Act. This is not a toothless regulator. What she can actually do to non-compliant platforms:
- Formal compliance notices — requiring a platform to implement compliant age verification within a set timeframe
- Civil penalty orders — up to $782,500 per day for corporations that continue operating in breach after receiving a compliance notice
- Service disruption notices — requiring Australian ISPs to block access to the platform at the network level, similar to how some piracy sites are blocked
- Infringement notices — immediate fines for specific breaches
The daily penalty figure is the important one. For a small AI companion startup, $782,500 per day is existential. For a larger platform like Candy.ai or Promptchan, it's painful but potentially survivable. The more likely outcome in both cases is compliance or IP blocking before penalties ever reach that level.
eSafety's past behaviour suggests they start with compliance notices and give platforms a reasonable window to fix things before escalating to penalties. But that pattern could change if political pressure builds around AI companion apps specifically.
What this means for Australian users
Right now, nothing. The Online Safety Act puts obligations on platforms, not on the people using them. Visiting or subscribing to any of these apps as an adult is legal in Australia. You're not in breach of anything.
The uncertainty is all on the platform side. eSafety could issue compliance notices requiring proper age verification, or impose penalties. If that happens, you'd likely see:
- Real age verification added to the sign-up flow: more friction, but still accessible
- Aussie IPs blocked entirely, like Pornhub did
- Nothing, if eSafety focuses enforcement elsewhere first
My honest guess is that eSafety focuses initial enforcement on the biggest and most visible platforms, which probably means traditional adult sites and major AI image generators before AI companion apps. But that is a guess. I'll update all reviews on this site if AU access changes for any platform.
If you're already a paying subscriber, keep an eye on any email updates from the platform. Changes to AU accessibility would normally come with some notice. If access does get cut, that would be your main path to a refund.
Why JOI stands out here
JOI is the only major AI companion platform I tested with no age gate at all, not even a non-compliant button. That makes it the easiest to access right now, but it also has the largest compliance gap of any platform I looked at. Whether eSafety notices that first is an open question.
For users today, the lack of an age gate is just a practical convenience. See the JOI Australia review for full details on the platform itself.