
Introduction
On 18 June 2026, the UAE took a significant step toward strengthening child protection in the digital environment by prohibiting children under the age of 15 from creating, using, or operating personal social media accounts. The resolution, issued by the UAE Cabinet, also limits access to certain platform functionalities for users within this age group.
Far from being a standalone measure, the decision forms part of the implementation of Federal Decree-Law No. 26 of 2025 on Child Digital Safety, a landmark piece of legislation designed to establish a comprehensive framework for protecting children online. Together, these developments signal the UAE’s commitment to creating a safer digital ecosystem while imposing new compliance obligations on digital platforms, service providers, parents, and caregivers.
The law came into force on 1 January 2026 and provides a one-year transition period for affected entities to align their operations, with full compliance expected by January 2027.
Scope of Application
The Child Digital Safety Law applies to digital platforms and internet service providers (“ISPs”) operating within the UAE or targeting users in the UAE, regardless of whether they maintain a physical presence in the country. Digital platforms are broadly defined and include social media platforms, streaming services, e-commerce platforms, gaming platforms, smart applications, search engines and websites. The ISPs currently licensed under the UAE Telecom Law are du and Etisalat (e&).
The law also imposes certain obligations on parents, guardians, and other legally responsible caregivers. For the purposes of the legislation, a child is defined as any individual under the age of eighteen. Importantly, the law’s extraterritorial reach means that overseas digital service providers with users in the UAE may also need to assess their exposure, even where they do not maintain a physical presence within the country. Businesses that have historically viewed UAE digital regulation as primarily applicable to locally established entities may need to reconsider that assumption.
Objectives of the Law
The law seeks to protect children from digital risks, harmful content, and online practices that may negatively affect their physical, psychological, social, and moral wellbeing. It also aims to promote safe and responsible use of digital technologies, strengthen awareness of digital rights and responsibilities, and establish a coordinated governance framework involving regulators, businesses, educational institutions, healthcare bodies, and caregivers.
Significant Features of the Act
1. Child Digital Safety Council
A key feature of the legislation is the establishment of the Child Digital Safety Council, chaired by the Minister of Family. The Council is responsible for developing national strategies, proposing legislative reforms, monitoring emerging digital risks, conducting research, promoting awareness initiatives, and coordinating efforts between public and private sector stakeholders.
The Council is also tasked with proposing national indicators to measure children’s digital awareness and safety, reviewing the effectiveness of existing policies, and ensuring that the UAE’s regulatory framework keeps pace with technological developments and international best practices.
2. Risk-Based Classification of Digital Platforms
The law introduces a national classification system under which digital platforms will be categorised based on factors such as their nature, content, scale of use, impact on children, and overall level of risk.
The classification system will determine the specific obligations, safeguards, disclosure requirements, age restrictions, and compliance measures applicable to different categories of platforms. As a result, businesses with higher levels of child engagement or greater exposure to potentially harmful content may be subject to more extensive compliance requirements than lower-risk platforms. Several aspects of the classification framework remain subject to further clarification through implementing regulations, including the methodology for classification, applicable compliance thresholds and the specific safeguards expected of different categories of platforms. Businesses may therefore need to monitor regulatory developments closely as further guidance becomes available.
3. Protection of Children’s Personal Data
One of the most significant aspects of the law relates to the protection of children’s personal data.
Digital platforms are prohibited from collecting, processing, publishing, or sharing the personal data of children under the age of thirteen unless strict conditions are met. These conditions include obtaining explicit, documented, and verifiable parental consent, providing clear privacy notices explaining the purpose of data collection, allowing parents to withdraw consent easily, limiting access to personal data to authorised personnel only, and ensuring that such data is not used for commercial purposes, targeted advertising, behavioural tracking, profiling, or marketing activities.
Educational and healthcare platforms may be exempt from certain restrictions, subject to Cabinet approval and the implementation of appropriate safeguards. For many businesses, compliance may require a broader assessment of existing data collection, retention and processing practices, particularly where services are accessible to children or where age verification mechanisms are not currently in place. Businesses may also need to review privacy notices, consent mechanisms and internal governance procedures to ensure alignment with the new framework.
4. Age Verification Requirements
Digital platforms are required to adopt effective and reasonable age-verification mechanisms. The level of verification required will depend on the platform’s classification and the risks associated with its content and services. The purpose of these requirements is to ensure that children can only access content and services that are appropriate for their age while preventing the circumvention of platform safeguards and age restrictions. While the law establishes the obligation to implement age-verification measures, further regulatory guidance is expected regarding acceptable verification standards and technical requirements. Businesses should therefore begin evaluating whether their current onboarding and user-verification processes are likely to satisfy future compliance expectations.
5. Enhanced Child Protection Measures
The law requires platforms to implement enhanced child protection controls designed to create safer digital environments. These measures include privacy-by-default settings for children’s accounts, age-based access controls, age-rating systems, content filtering tools, parental control features, restrictions on targeted advertising, reporting mechanisms for harmful content, and tools enabling caregivers to monitor and manage children’s online activities.
Platforms must also provide functionality that allows caregivers to establish daily usage limits, monitor account activity, and impose mandatory rest periods from electronic devices. In addition, platforms are expected to promote awareness of the risks associated with excessive or uncontrolled use of digital technologies.
6. Restrictions on Harmful Content and Online Commercial Gaming
The legislation places significant emphasis on protecting children from harmful content. Harmful content is broadly defined and includes content that may negatively affect the moral, psychological, or social values of children or that violates applicable media content standards.
Digital platforms must implement mechanisms to detect, block, filter, remove, and report harmful content. They must also provide accessible reporting channels for users and cooperate with relevant authorities when harmful content or child exploitation material is identified.
The law further prohibits children from participating in online commercial gaming activities involving gambling, betting, wagering, or similar activities intended to generate direct or indirect financial returns. Digital platforms and internet service providers must implement technical measures, including age-verification systems and content-blocking tools, to prevent children’s access to such services.
7. Artificial Intelligence and Proactive Monitoring
A notable aspect of the law is its recognition of technology-driven compliance measures. Digital platforms are encouraged to utilise artificial intelligence and machine-learning technologies to proactively detect, remove, report, and prevent harmful content affecting children. This represents a shift from traditional reactive moderation models towards a more proactive approach to online safety and content governance.
The increased emphasis on proactive monitoring may also raise operational, governance and liability considerations for digital platforms, particularly where automated decision-making tools are used to identify, restrict or remove content. Businesses may therefore need to balance child protection objectives with broader legal, privacy and content moderation obligations.
8. Virtual Worlds and Digital Environments
The law also introduces a legal definition of “Virtual Worlds”, recognising emerging digital environments such as metaverse platforms and avatar-based interactive spaces.
This is one of the first instances in UAE legislation where virtual worlds have been specifically addressed in the context of child protection. The law requires caregivers to avoid exposing or exploiting children within these environments in a manner that may compromise their privacy, dignity, psychological wellbeing, or safety.
The provisions also address concerns associated with excessive online exposure and the practice commonly referred to as “sharenting”, where parents or guardians share extensive information or content relating to children online.
9. Obligations of Internet Service Providers
Internet service providers are subject to specific obligations under the law and will be supervised by the Telecommunications and Digital Government Regulatory Authority (TDRA).
Their responsibilities include implementing content-filtering systems, providing parental control tools, enabling supervised internet access for children, reporting harmful content to the relevant authorities, and ensuring that caregivers are provided with appropriate tools to monitor and manage children’s online activities. The TDRA is expected to issue additional policies, standards, and regulatory guidance concerning compliance requirements for internet service providers.
10. Responsibilities of Parents and Caregivers
The law recognises parents and caregivers as essential participants in protecting children online. Caregivers are expected to monitor children’s digital activities, use parental control tools, ensure that children access only age-appropriate platforms, protect children’s privacy and personal data, educate children regarding safe and responsible online behaviour, and report harmful content where necessary.
They must also avoid exploiting children online or exposing them to inappropriate content, whether through social media platforms, digital platforms, or virtual world environments.
11. Awareness and Education Initiatives
Beyond regulatory obligations, the law places significant emphasis on awareness and education. The Child Digital Safety Council will coordinate national awareness programmes involving schools, parents, healthcare professionals, technology companies, and community stakeholders. These initiatives are intended to improve digital literacy, promote responsible online behaviour, increase awareness of digital risks, and address the psychological and health impacts associated with excessive digital usage.
Educational authorities and health authorities will also play an active role in developing programmes aimed at supporting children, parents, teachers, and professionals working with children.
12. Enforcement and Compliance
The law grants competent authorities broad powers to monitor compliance and enforce its provisions. Digital platforms and internet service providers may be required to provide statistics, compliance reports, and information relating to child protection measures. Authorities may also order the removal of harmful content and verify whether platforms are implementing the required safeguards.
Administrative penalties for non-compliance will be introduced through implementing regulations. Potential sanctions may include warnings, fines, suspension of services, partial blocking, complete blocking, or other administrative measures depending on the nature and seriousness of the violation.
Entities falling within the scope of the law must regularise their operations within one year of its entry into force, with compliance expected by January 2027 unless the grace period is extended by Cabinet decision.
Key Practical Considerations for Businesses
While further implementing regulations are expected, businesses operating digital platforms, online services or technology-enabled products should consider assessing:
- Whether existing onboarding processes are capable of supporting anticipated age-verification requirements;
- Whether children’s personal data is currently collected, processed, retained or shared within their systems;
- Whether platform functionalities may require modification to accommodate privacy-by-default settings, parental controls and content restrictions;
- The adequacy of existing content moderation and reporting mechanisms;
- Potential exposure arising from user-generated content, third-party integrations and AI-assisted moderation tools;
- Whether existing terms and conditions, privacy notices, vendor arrangements and data processing agreements remain appropriate in light of the new framework.
Businesses may also wish to conduct an early legal and operational gap assessment to identify areas requiring modification before the expiry of the transition period.
What Businesses Should Be Doing Now
- Determine whether the business falls within the scope of the legislation;
- Map the collection and processing of children’s data across platforms and services;
- Review age-verification and user onboarding procedures;
- Assess existing content moderation, reporting and parental control measures;
- Monitor forthcoming implementing regulations and TDRA guidance;
- Consider undertaking a legal and regulatory compliance review ahead of the January 2027 compliance deadline.
Conclusion
Federal Decree-Law No. 26 of 2025 represents a significant development in the UAE’s digital regulatory landscape. Rather than focusing solely on content moderation, the law establishes a comprehensive child-centred digital governance framework that combines privacy protection, age verification, parental involvement, platform accountability, digital wellbeing measures, awareness initiatives, and proactive monitoring obligations.
Businesses operating digital services in or targeting the UAE should use the transition period to review existing practices, strengthen child protection measures, assess data processing activities, implement appropriate age-verification systems, and prepare for the forthcoming platform classification framework and implementing regulations. Early compliance will not only reduce legal risk but also enhance user trust and demonstrate a commitment to creating safer digital environments for children.
Given the breadth of the legislation and the anticipated introduction of supplementary regulations, organisations should avoid assuming that existing privacy, content moderation or parental control measures will automatically satisfy the new requirements. Early legal, operational and technical assessments may assist businesses in identifying potential compliance gaps, mitigating regulatory risk and reducing implementation challenges before the transition period expires.