A plain-English Digital ID Australia explainer covering the Digital ID Act 2024, what changed in 2025, what is and isn't mandatory in 2026, and what privacy-focused Australians can do to keep control of their identity data. The "is Digital ID Australia mandatory" question keeps coming up — short answer below, full detail throughout.
No. The Digital ID Act 2024 explicitly establishes Digital ID as voluntary. Section 76 prohibits a participating service from refusing you service solely because you decline to use Digital ID. There is currently no proposal to make it mandatory.
The "Digital ID is mandatory now" framing that's been circulating online conflates two different things: the federated identity system (voluntary) and specific verification requirements (sometimes mandatory) that the system can satisfy among other methods. The social media age-verification rules that came into force from 10 December 2025 require some method of age verification — Digital ID is one option, but not the only one.
The longer answer below covers the system itself, the legislation, what changed when, and what you can do.
Australia's federated identity framework — the Australian Government Digital ID System, formerly known as the Trusted Digital Identity Framework (TDIF) — is a way for accredited identity providers to verify your identity once and then issue cryptographic assertions to participating services on your behalf. The intent is that you don't have to email a passport scan to every service that needs identity verification; instead, the participating service trusts the identity provider's already-verified assertion.
The accredited identity providers as of 2026 include:
The framework is overseen by the Australian Competition and Consumer Commission as the Digital ID Regulator, with privacy oversight from the Office of the Australian Information Commissioner.
The Act establishes the legal framework for the federated system, sets accreditation criteria for identity providers, mandates information-handling and breach-disclosure rules, and — critically — codifies the voluntariness principle.
Before 2025 the system was largely government-to-citizen. From mid-2025, private-sector services (banks, telcos, online platforms) could integrate as participating relying parties. This is the change most likely to affect you in daily life: your bank may now offer "log in with Digital ID" as an option alongside username/password.
The eSafety Commissioner's enforcement of the social media minimum age of 16 created a wave of online confusion that Digital ID had become mandatory. The age-verification requirement is real; the requirement to use Digital ID specifically is not. The platforms can satisfy the requirement with Digital ID, with credit-card age inference, with biometric age estimation, or with several other methods.
A trial of mandatory age verification on adult-content sites began in late 2025. This is a context where verification of some kind is mandatory; the choice of which method (Digital ID, ID-document upload, credit card, age-estimation tech) is left to the platform.
A federated identity system genuinely reduces some risks: you stop emailing passport scans to fly-by-night services, the identity provider's security work is consolidated, and the assertions sent to relying parties are minimal (often just "this person is over 18", not the full identity record). Those are real privacy gains.
It also creates new risks. The identity provider sees a richer picture than any individual relying party — they know which services you use Digital ID with, when, and how often. If the identity provider is breached, the consequences are larger than any single-service breach. If your identity provider account is compromised, the attacker can authenticate as you to multiple services at once.
For most Australians, the privacy trade is favourable. For specific threat models — journalists protecting source identity, executives whose movements should not be aggregable, survivors of domestic violence whose identity should be unlinkable from prior identity — the trade tilts the other way. Those threat models warrant the operational separation we cover on the consultation page.
A hardened GrapheneOS phone with proper profile separation, network tunnel, and Phantom Protocol is the foundation any identity-management strategy depends on.
Browse Phones → Book a ConsultationNo. The Digital ID Act 2024 explicitly establishes Digital ID as voluntary. Section 76 prohibits a participating service from refusing service solely because someone declines to use Digital ID.
A federated identity framework. Accredited providers (myID, Australia Post Digital iD, OCR Labs, Mastercard, others) verify your identity once and issue cryptographic assertions to participating services. Overseen by the ACCC and bound by the Digital ID Act 2024.
Digital ID Act 2024 came into full effect. Private-sector services (banks, telcos) became eligible. Social media age-verification commenced 10 December 2025 — created public confusion that Digital ID itself had become mandatory; it had not.
No legislation has been introduced. The voluntariness principle is enshrined in the Act and would require a separate amendment to remove.
Reduces some risks (you don't hand passport scans to dozens of services) and increases others (the identity provider sees a richer picture). Trust in the provider is the central question.
Use Digital ID where the alternative is worse. Decline where alternatives are acceptable. Compartmentalise across user profiles. Audit linked services twice a year. Use a hardware security key.
No. myGov is the Australian Government online services portal. myID is one of several accredited Digital ID providers under the federated framework.