UAE Child Digital Safety Rules: What Platforms Must Change in Product, Privacy and Age Assurance
TL;DR
- The UAE’s Child Digital Safety Law applies broadly to digital platforms operating in the UAE or directing services at UAE users, including many foreign platforms without a local establishment.
- A June 2026 Cabinet Resolution prohibits children under 15 from creating or using personal social media accounts. Fifteen-year-olds may use social media only with enhanced restrictions and safety controls.
- Platforms need more than an updated privacy policy. Compliance affects onboarding, age verification, recommender systems, messaging, live streaming, advertising, parental controls, account remediation, risk assessments and regulatory reporting.
Important: This article provides general compliance information and not legal advice. The official English versions of UAE legislation state that the original Arabic text prevails in the event of a conflict. Platforms should obtain UAE legal advice for final interpretation, scope and implementation deadlines.
Contents
- What changed in the UAE?
- Which companies are covered?
- The age thresholds platforms must understand
- What must change in product design
- What must change in privacy and data governance
- How age assurance should be designed
- Advertising and profiling restrictions
- Moderation, reporting and harmful-content controls
- Governance and regulatory evidence
- A 12-month implementation roadmap
- Common compliance mistakes
- Practical readiness checklist
- Frequently asked questions
What changed in the UAE?
The UAE now has a dedicated child online-safety framework built around two important instruments.
Federal Decree-Law No. 26 of 2025
The Federal Decree-Law Regarding Child Digital Safety entered into force on 1 January 2026.
It establishes the broader framework for protecting people under 18 in digital environments. Its scope includes websites, search engines, applications, messaging services, forums, gaming platforms, social media, live-streaming services, podcasts, streaming platforms, on-demand video services and e-commerce platforms.
The law introduces requirements relating to:
- Age verification
- Privacy-by-default
- Children’s personal data
- Content classification and filtering
- Targeted advertising
- Parental controls
- Usage-time controls
- Harmful-content reporting
- Platform risk classification
- Periodic disclosures and regulatory reporting
Entities already subject to the law were given up to one year from its entry into force to regularise their position, unless that period is extended by Cabinet Resolution.
Cabinet Resolution No. 106 of 2026
The Cabinet Resolution Regarding the Regulation of Children’s Access to Social Media Platforms was issued on 17 June 2026.
It adds considerably more prescriptive requirements for services that fall within the definition of a social media platform. The most visible change is a minimum age of 15 for personal social media accounts.
However, the Resolution is not simply an age ban. It also establishes detailed requirements for:
- Approved age-verification mechanisms
- Existing underage-account detection
- Special protections for 15-year-olds
- Restrictions on behavioural advertising
- Child-safety risk assessments
- Parental controls
- Regulatory auditability
- Periodic compliance reporting
The Resolution enters into force on the day following its publication in the Official Gazette. Platforms then receive a 12-month transition period from that effective date.
Businesses should therefore confirm the Official Gazette publication date before calculating their precise compliance deadline rather than treating 17 June 2026 automatically as the start of the transition period.
Which companies are covered?
The broader Child Digital Safety Law
The federal law applies to digital platforms and internet service providers that:
- Operate within the UAE; or
- Direct their services at users in the UAE.
The scope is not limited to companies incorporated, licensed or physically established in the UAE. A foreign platform may be covered where its service is directed at UAE users and children use the platform or are exposed to its services or content.
Indicators that a service may be directed at UAE users can include:
- UAE-specific marketing
- Arabic-language or UAE-localised interfaces
- UAE pricing or payment methods
- UAE advertising campaigns
- Local app-store availability
- UAE customer-support channels
- Significant or intentionally developed UAE user traffic
- Commercial relationships with UAE users or businesses
The legislation does not yet provide a complete test for when a foreign service is considered “directed” at users in the UAE. Platforms should document their scope analysis instead of assuming that the absence of a UAE office removes them from the regime.
The social media definition is wider than the label suggests
The 2026 Resolution defines a social media platform broadly. It covers a service that does one or more of the following:
- Enables public or semi-public accounts or profiles
- Facilitates social interaction
- Allows publication or dissemination of content
- Uses algorithmic or automated systems to display, rank or recommend content
The definition applies regardless of whether the service is free or paid, where the provider is established, its business model or the infrastructure used to operate it.
This creates a classification question for hybrid services.
A platform does not necessarily avoid the Resolution because it describes itself as a game, marketplace, forum, streaming service or collaboration tool. Features such as public profiles, user posts, followers, comments, group channels, recommendation feeds or creator communities may bring part or all of the service within scope.
Examples requiring closer assessment include:
- Gaming platforms with public profiles and community feeds
- Marketplaces with creator pages, comments and social recommendations
- Streaming services with public channels, chat or user uploads
- Messaging applications with open groups and algorithmic discovery
- Education platforms with public student profiles or community spaces
- Fitness applications with public feeds, leaderboards and direct messaging
The correct analysis should focus on product functionality, not the marketing category assigned to the service.
The four age groups platforms must understand
The new framework cannot be implemented with one generic “minor” flag.
Platforms need to distinguish at least four operational age groups.
Children under 13
Under the federal law, platforms are generally prohibited from collecting, processing, publishing or sharing the personal data of children under 13 unless a set of conditions is satisfied.
These conditions include:
- Explicit, documented and verifiable caregiver consent
- A rapid and continuously available consent-withdrawal mechanism
- A clear privacy explanation for both the child and caregiver
- Access restricted to authorised personnel and the minimum necessary level
- No commercial use, targeted advertising or tracking beyond the authorised purpose
Further Cabinet rules are expected to specify which data may be collected and how parental consent must be obtained and verified. Education and health platforms may receive specific exemptions through a Cabinet Resolution, subject to safeguards.
For social media services, this parental-consent route does not override the separate under-15 account restriction.
A parent cannot authorise an under-15 child to open a personal social media account merely because the parent has consented to data processing.
Children aged 13 and 14
These users are above the federal law’s under-13 privacy threshold but below the social-media account threshold.
They therefore cannot create, use or operate personal accounts on services covered by the social-media Resolution.
Platforms must also prevent them from accessing full social features, including:
- Posting
- Commenting
- Sharing
- Joining public groups or open channels
- Participating in large interactive spaces
Caregiver consent cannot remove this restriction.
Children aged 15 but not yet 16
Fifteen-year-olds may access social media, but their accounts must be placed in a specially protected mode.
Platforms must apply measures such as:
- Age-appropriate content classification
- Restrictions on harmful or unsuitable content
- Reduced public sharing
- Limited interaction with unknown users
- Daily and night-time usage controls
- User-friendly parental controls
- Restrictions on high-risk features
- Enhanced privacy protections
The Resolution specifically identifies unrestricted private messaging, open live streaming and intensive algorithmic recommendation systems as elevated-risk functions that may need to be restricted, disabled or supported by additional safeguards.
Children aged 16 and 17
The special 15-to-16 controls in the 2026 Resolution no longer apply in exactly the same way once the user turns 16.
However, users aged 16 and 17 remain children under the broader Child Digital Safety Law. Platforms must therefore continue to apply appropriate child privacy, safety, content, advertising and age-based controls.
Turning 16 should not automatically convert the account into an unrestricted adult account.
What must change in product design?
The new rules require product architecture changes, not just new terms and conditions.
1. Redesign onboarding
The standard onboarding pattern of asking users to enter their date of birth is not sufficient for social media platforms.
The onboarding flow needs to:
- Identify whether the user is in the UAE or using a UAE-directed service.
- Apply an approved or legally supportable age-verification method.
- Assign the user to the correct age band.
- Activate the correct feature configuration automatically.
- Record evidence that the check occurred.
- Avoid retaining unnecessary identity or biometric material.
The account state should be determined before the user obtains access to restricted functionality.
A platform should not create a fully active account and attempt to verify age afterwards.
2. Build age-banded feature controls
Product teams need a central policy layer capable of applying restrictions by age group.
The platform should be able to determine whether a user may:
- Create a personal account
- Publish publicly
- Comment
- Share or repost
- Join open groups
- Be discovered by strangers
- Receive messages from unknown users
- Initiate a live stream
- Appear in recommendations
- Receive personalised advertising
- Make purchases
- Access commercial gaming features
- Use the service during designated night-time periods
A scattered collection of feature flags maintained independently by different product teams will be difficult to audit and more likely to produce inconsistent outcomes.
A centralised age-policy service is generally more defensible.
3. Create a limited under-15 experience
The Resolution prohibits under-15 personal social media accounts and access to full social functionality.
It does not necessarily mean that every form of unauthenticated, non-interactive viewing must be blocked in all circumstances. The precise limits may depend on the service, content and future regulatory guidance.
Where appropriate, a platform might provide an under-15 experience that:
- Does not create a personal account
- Does not allow posting or commenting
- Does not include direct messaging
- Does not build a behavioural advertising profile
- Does not expose public communities
- Presents only age-appropriate content
- Avoids persistent identifiers unless necessary
- Provides clear safety information
This approach should be validated against the platform’s actual functionality and UAE legal advice.
4. Remediate existing accounts
The rules do not apply only to new registrations.
Social media platforms must identify personal accounts belonging to underage children and take immediate measures to suspend or disable them. They must also adopt measures to prevent circumvention.
A defensible remediation process should cover:
- Existing accounts with declared ages below 15
- Accounts with no recorded age
- Accounts showing credible indicators of underage use
- Duplicate or recreated accounts
- Accounts using an adult’s identity
- Appeals following incorrect classification
- Data deletion and account-export requests
- Preservation of evidence where abuse or exploitation is suspected
Automated detection should not be the only control. False positives may affect legitimate users, while false negatives can leave underage accounts active.
Platforms need an appeal and human-review process.
5. Restrict high-risk interaction features
For 15-year-old users, the platform should review:
- Direct messages from adults
- Message requests from unknown users
- Location sharing
- Group invitations
- Public tagging and mentions
- Live-stream discovery
- Viewer comments during streams
- Virtual gifting
- Contact synchronisation
- “People you may know” features
- Public follower lists
- Creator monetisation
- Disappearing messages
Possible safeguards include:
- Known-contact-only messaging
- Private accounts by default
- No public location display
- Restricted tagging
- Disabled adult-to-child message initiation
- Delayed or disabled live streaming
- Limited public search visibility
- Additional warnings before public sharing
- Caregiver-configurable controls that cannot weaken mandatory settings
6. Change recommendation systems
The Resolution identifies intensive algorithmic recommendation systems as a potentially high-risk feature for 15-year-old users.
This means recommender-system compliance should be treated as part of child safety, not merely an artificial-intelligence governance project.
Platforms should assess:
- Whether engagement optimisation repeatedly serves harmful themes
- Whether the system infers sensitive interests
- Whether children are directed toward adult users or communities
- Whether content creates compulsive usage patterns
- Whether negative feedback signals work effectively
- Whether child accounts receive safer ranking parameters
- Whether recommendation testing includes child-specific harm metrics
A child-safety mode may require different ranking objectives rather than simply removing a short list of prohibited content.
7. Implement usage-time controls
Platforms must provide tools for regulating permitted access periods and restricting daily or night-time use for the 15-to-16 age group.
Detailed standards may still be issued by the Child Digital Safety Council and TDRA.
Product teams should nevertheless prepare the underlying capabilities now:
- Daily usage limits
- Night-time access restrictions
- Mandatory breaks
- Disconnection periods
- Caregiver notifications
- Child-visible time reminders
- Controls that work across multiple devices
- Protection against simple clock or timezone manipulation
The federal law also refers more broadly to time limits and mandatory rest and disconnection periods as child-protection controls.
What must change in privacy and data governance?
Age assurance creates a difficult privacy trade-off.
A platform must collect enough information to distinguish adults from children, while avoiding the creation of a new high-risk identity database.
Map all children’s data
The data inventory should identify:
- Data entered directly by children
- Data supplied by caregivers
- Age-verification data
- Biometric inputs
- Identity-document data
- Device identifiers
- Usage and engagement data
- Location information
- Social-graph data
- Messages and user-generated content
- Advertising identifiers
- Inferred interests
- Safety scores and underage-risk signals
The inventory should show which systems, vendors, teams and jurisdictions receive each category.
Separate age verification from identity
Where technically possible, the main platform should receive an age result rather than a complete copy of the user’s identity document.
For example, the age-assurance component could return:
under_15age_15age_16_to_17adultverification_failedmanual_review_required
The platform may still need evidence of the method, time and outcome. However, it should avoid retaining passport images, Emirates ID copies, facial images or biometric templates where an auditable age token would be sufficient.
This separation reduces breach impact and makes purpose limitation easier to demonstrate.
Establish strict retention rules
The 2026 Resolution requires non-retention of biometric data and official documents except to the extent and for the duration necessary to complete age verification and in accordance with applicable legislation.
The retention schedule should distinguish between:
- Raw document image
- Facial image or video
- Biometric template
- Verification transaction record
- Age-band result
- Confidence score
- Fraud signal
- Appeal documentation
- Regulatory audit evidence
“Delete after verification” should be translated into a technical deletion workflow with logs and vendor confirmation, not left as a general policy statement.
Provide age-appropriate notices
The age-verification notice should explain:
- Why the check is required
- What information is collected
- Whether biometrics are used
- Whether a third-party provider is involved
- What result the platform receives
- How long information is retained
- Whether the decision is automated
- How the user can challenge an incorrect result
- What happens when verification fails
The explanation must be understandable to the relevant user, not written solely for lawyers.
For younger users, a layered notice may be appropriate:
- A short, plain-language explanation
- A more detailed privacy notice
- A separate caregiver explanation where required
Review age-assurance vendors
Using a vendor does not remove the platform’s responsibility.
Vendor due diligence should examine:
- UAE approval or licensing status, where required
- Verification accuracy
- False-positive and false-negative rates
- Performance across demographic groups
- Biometric processing
- Data retention
- Sub-processors
- Hosting locations
- Security certifications
- Incident-notification obligations
- Deletion evidence
- Audit rights
- Model changes
- Regulatory cooperation
- Integration with future UAE national systems
Contracts should prevent the vendor from using age-verification data for unrelated analytics, model training or commercial profiling unless clearly lawful and authorised.
How should age assurance be designed?
The Resolution permits several types of age-verification mechanisms, provided they satisfy the required standards.
Potential methods include:
- Digital government identity
- Official identity-document checks
- Document verification supported by biometric matching
- Artificial-intelligence-based age estimation, including biometric methods
- Approved and licensed UAE age-verification providers
- Other methods subsequently approved by the Child Digital Safety Council
Self-declaration of age is expressly insufficient for social media platforms.
The required characteristics
The mechanism must:
- Achieve a high level of accuracy
- Minimise circumvention and material error
- Collect only the minimum necessary data
- Follow purpose-limitation and security principles
- Avoid unnecessary retention of documents and biometrics
- Avoid unjustified discrimination or technical exclusion
- Be capable of integration with approved national systems
- Be reviewable and auditable by TDRA
- Be clearly explained to users
Use a proportionate age-assurance ladder
A practical architecture may use different levels of assurance depending on risk.
Lower-risk access
Possible controls may include:
- Existing verified account information
- Trusted age tokens
- Device or app-store age signals
- Limited, non-interactive experiences
Medium-risk account functionality
Possible controls may include:
- Approved third-party age verification
- Government identity confirmation
- Document-based age checks
- Age estimation with an appeal route
High-risk functionality
Stronger verification may be appropriate before enabling:
- Live streaming
- Contact with unknown adults
- Commercial gaming
- Monetisation
- High-value transactions
- Public creator accounts
- Sensitive communities
- Location-sharing features
The final method must still meet any UAE approval requirements. A risk-based ladder should not be used to justify an unapproved mechanism where the Resolution requires approval.
Provide alternative verification routes
An age-estimation model may perform differently depending on image quality, disability, device type, ethnicity or other factors.
Because the Resolution prohibits unjustified discrimination and technical exclusion, platforms should provide alternatives such as:
- Document verification
- Government digital identity
- Manual review
- A licensed verification provider
- A structured appeal process
Users should not permanently lose access because one biometric method produced an uncertain result.
Make the process auditable
The platform should be able to demonstrate:
- Which method was used
- Which version of the model or vendor system was used
- What age band was returned
- Whether manual review occurred
- What information was retained
- When temporary data was deleted
- Which product restrictions were activated
- Whether the user appealed
- How the appeal was resolved
Auditability does not require retaining all raw identity information.
It requires preserving enough evidence to show that the process worked as designed.
Advertising, tracking and profiling restrictions
The 2026 Resolution prohibits social media platforms from:
- Targeting children with advertisements based on tracking or behavioural profiling
- Exploiting or processing children’s personal data for commercial purposes based on monitoring their digital activity
The Resolution permits:
- Algorithmic processing necessary for child safety
- Processing used to prevent exposure to harmful or age-inappropriate content
- General contextual advertising that does not rely on profiling or privacy intrusion
What advertising teams should review
The review should cover more than the visible advertisement.
It should assess:
- Advertising SDKs
- Tracking pixels
- Cross-device identifiers
- Lookalike audiences
- Retargeting
- Interest segments
- Location-based advertising
- Data-management platforms
- Measurement providers
- Attribution systems
- Creator advertising
- Sponsored recommendations
- Push-notification targeting
- Data-sharing with advertisers
A child account should not be passed into adult advertising workflows simply because an ad partner’s own terms claim that its service is not intended for minors.
Separate contextual and behavioural advertising
Platforms should define the distinction internally.
Contextual advertising may use information such as:
- The page or content category currently being viewed
- The general language of the interface
- Broad, non-profiled geographic context where lawful
- The service section being used
Behavioural advertising may rely on:
- Browsing history
- Previous interactions
- Inferred interests
- Social relationships
- Location history
- Engagement patterns
- Cross-service identifiers
- Predictive profiles
Advertising systems should be configured so that child accounts cannot silently move from contextual to behavioural targeting.
Moderation and harmful-content reporting
The federal law requires platforms to provide clear, user-friendly tools for immediately reporting harmful content and harmful behaviour affecting children.
Platforms must also use their technical capabilities, including artificial intelligence and machine-learning systems, for proactive detection, removal or reporting.
The law separately requires immediate reporting of specified child sexual-abuse material and harmful content to the relevant authorities, together with information requested for investigation. Platforms must also implement removal and reporting orders issued by competent authorities.
Build a child-specific reporting route
A generic abuse form hidden behind several menus may not be enough.
Children should be able to report:
- Bullying
- Sexual solicitation
- Grooming
- Threats
- Impersonation
- Non-consensual images
- Blackmail
- Harmful challenges
- Self-harm content
- Exposure to adult communities
- Unwanted contact
- Commercial exploitation
The reporting interface should explain:
- What will happen next
- Whether the reported person will be notified
- When a caregiver may be contacted
- When the matter may be reported to authorities
- How the child can obtain immediate help
- Whether the child can block the user at the same time
Establish an escalation matrix
The platform should define different workflows for:
- Content-policy violations
- Urgent child-safety risks
- Suspected criminal conduct
- Child sexual-abuse material
- Credible threats to life or physical safety
- Regulatory removal orders
- Requests for account or identifying information
The process should identify the responsible team, response time, evidence-preservation requirements and authority-contact route.
Governance and regulatory evidence
A platform may have technically strong controls but still struggle to demonstrate compliance if responsibilities and records are fragmented.
Assign accountable owners
A cross-functional programme should include:
- Product
- Engineering
- Privacy
- Trust and safety
- Information security
- Advertising
- Legal
- Public policy
- Customer support
- Data science
- Internal audit
- Vendor management
One senior owner should be accountable for the UAE child digital safety programme.
Conduct periodic child-safety risk assessments
The social-media Resolution expressly requires periodic assessments of digital-safety risks relating to children.
The assessment should consider:
- Likelihood of underage access
- Harmful-content exposure
- Adult-to-child contact
- Grooming and exploitation
- Bullying
- Recommendation-system risks
- Compulsive design
- Live-streaming risks
- Commercial exploitation
- Advertising and profiling
- Data-security risks
- Age-verification errors
- Circumvention techniques
- Risks created by new features
The assessment should lead to prioritised remediation actions rather than becoming a one-time compliance report.
Prepare a regulatory evidence pack
The evidence pack should contain:
- Scope and applicability assessment
- Product-feature inventory
- Child-safety risk assessments
- Age-assurance architecture
- Vendor due-diligence records
- Verification accuracy testing
- Fairness and exclusion testing
- Data-flow diagrams
- Retention and deletion controls
- Child and caregiver notices
- Advertising-control evidence
- Moderation procedures
- Regulatory reporting procedures
- Training records
- Testing results
- Management approvals
- Remediation tracking
- Periodic metrics
Plan for two principal supervisory perspectives
Under the Resolution:
- The National Media Authority supervises obligations relating to digital and media content associated with children.
- TDRA supervises the technical obligations, controls and standards.
The authorities may apply measures including warnings, closure, partial blocking, total blocking and administrative penalties, subject to the applicable framework and graduality principle.
The legislation reviewed for this article does not yet provide a complete published schedule of child-digital-safety fine amounts.
Platforms should not rely on unverified penalty figures. The more immediate operational risks already identified in the legislation include warnings, service restrictions and blocking.
A practical 12-month implementation roadmap
Waiting for every technical standard to be finalised is risky. Core obligations are already sufficiently clear to begin architecture and governance work.
Phase 1: Scope and ownership — Days 0–30
- Appoint an executive owner.
- Identify UAE-facing services.
- Map social and interactive features.
- Determine which services may qualify as social media platforms.
- Identify all users and accounts with missing or unreliable age information.
- Map child data and age-verification data.
- Freeze launches that would create material new child-safety risk without assessment.
- Create a regulatory-dependency register for pending standards.
Phase 2: Gap assessment and target design — Days 30–90
- Compare existing controls with the federal law and 2026 Resolution.
- Define age bands and account states.
- Select potential age-assurance methods.
- Design the under-15 account journey.
- Design the protected 15-year-old account.
- Review recommender, messaging and live-streaming risks.
- Identify advertising and profiling dependencies.
- Create the child-safety risk-assessment methodology.
- Begin vendor due diligence.
Phase 3: Build core controls — Days 90–180
- Integrate age verification.
- Build a central age-policy service.
- Implement privacy-by-default settings.
- Restrict messaging, public sharing and live streaming.
- Develop time and parental controls.
- Separate contextual from behavioural advertising.
- Introduce age-appropriate notices.
- Build account-suspension and appeal workflows.
- Implement deletion of age-verification artifacts.
- Improve child-focused reporting channels.
Phase 4: Existing-account remediation — Days 180–270
- Identify accounts requiring reverification.
- Run staged user communications.
- Apply protected account settings.
- Suspend confirmed under-15 accounts where required.
- Test re-registration and circumvention controls.
- Provide lawful account-export or deletion options.
- Monitor support volumes and appeal outcomes.
- Review false-positive rates.
Phase 5: Assurance and regulatory readiness — Days 270–365
- Perform end-to-end control testing.
- Complete discrimination and accessibility testing.
- Conduct a child-safety risk assessment.
- Obtain independent security and privacy review where appropriate.
- Validate vendor deletion and audit evidence.
- Prepare periodic reporting datasets.
- Train support, moderation and incident teams.
- Obtain management sign-off.
- Establish ongoing monitoring and change management.
Common mistakes platforms should avoid
Treating the rules as a privacy-policy update
The main obligations concern product functionality, access control and safety operations. Updating legal text without changing the platform will not address the central requirements.
Relying only on a date-of-birth field
Self-declaration is not accepted as sufficient age verification under the social-media Resolution.
Using parental consent to bypass the under-15 restriction
Caregiver consent cannot authorise an under-15 personal social media account or remove mandatory protections for 15-year-old users.
Keeping identity documents “in case they are needed”
The rules emphasise minimisation, purpose limitation and limited retention. Indefinite storage of documents or biometric data creates additional privacy and security risk.
Applying adult advertising systems to child accounts
A platform must actively prevent behavioural advertising and commercial profiling of children where prohibited. A written policy is insufficient if advertising identifiers continue to flow to adtech vendors.
Ignoring existing accounts
Platforms must identify and address underage accounts already in the system. Controls limited to new registration leave a major compliance gap.
Treating every 15-to-17-year-old account the same
The 15-to-16 bracket has specific mandatory protections. Sixteen- and seventeen-year-olds remain children under the broader federal law, but the control model is not identical.
Assuming a non-social product is outside scope
A marketplace, game, streaming service or application may contain social-media functionality. Scope must be assessed feature by feature.
Launching a new feature without child-safety review
Live streaming, generative AI, public discovery, group chat, gifting and recommendation changes can materially alter the platform’s risk classification.
UAE child digital safety readiness checklist
UAE Child Digital Safety Readiness Checklist
Use this checklist to translate the UAE child digital safety requirements
into practical product, privacy, advertising and governance actions.
| Area |
Minimum practical action |
Evidence to retain |
| Scope |
Identify UAE-facing and UAE-directed services.
|
Written applicability assessment
|
| Classification |
Assess social, gaming, streaming and marketplace features.
|
Product-function inventory
|
| Age bands |
Configure under-13, 13–14, age 15, 16–17 and adult account states.
|
Approved age-policy matrix
|
| Verification |
Implement an effective and legally supportable age-assurance method.
|
Vendor records and test results
|
| Data minimisation |
Collect only the information needed to determine the appropriate age band.
|
Data-flow and minimisation review
|
| Retention |
Delete identity documents and biometric data when they are no longer necessary.
|
Deletion logs and vendor evidence
|
| Under-15 accounts |
Prevent prohibited account creation and identify existing underage accounts.
|
Detection and suspension records
|
| Age 15 controls |
Restrict content, unknown-user contact, public sharing, live streaming and intensive recommendations.
|
Feature-configuration evidence
|
| Privacy defaults |
Apply the highest appropriate privacy settings automatically.
|
Configuration records and test screenshots
|
| Advertising |
Disable tracking-based targeted advertising and commercial profiling for children.
|
Adtech configuration and data-flow tests
|
| Parental controls |
Provide understandable controls without allowing mandatory protections to be weakened.
|
Product documentation and quality-assurance results
|
| Time controls |
Support daily limits, night-time restrictions and disconnection periods.
|
Functional test evidence
|
| Reporting |
Provide simple, visible and child-appropriate reporting channels.
|
Reporting workflow and response metrics
|
| Moderation |
Establish urgent child-safety escalation and authority-reporting procedures.
|
Incident and escalation matrix
|
| Risk assessment |
Assess child-safety risks periodically and before launching material product changes.
|
Approved assessment reports
|
| Regulatory readiness |
Prepare the statistics, records and compliance information required for regulatory review.
|
Reporting pack and control dashboard
|
| Governance |
Assign accountable product, privacy, engineering and trust-and-safety owners.
|
Responsibility matrix and management approvals
|
This checklist provides general compliance information and is not legal
advice. Final interpretation and implementation should be confirmed with
qualified UAE legal counsel.
Frequently asked questions
Does the UAE under-15 rule apply only to platforms incorporated in the UAE?
No. The Resolution applies to social media platforms whose services are made available in the UAE or directed at UAE users, regardless of the provider’s place of establishment.
The broader federal law also has extraterritorial reach where platforms direct services at UAE users.
Are all digital platforms banned for children under 15?
No.
The specific under-15 personal-account restriction applies to services that fall within the Resolution’s definition of a social media platform.
Other digital platforms remain subject to the broader Child Digital Safety Law, including age verification, privacy, harmful-content and child-protection obligations.
Hybrid products require careful classification.
Can a parent consent to a 13- or 14-year-old using social media?
Not under the 2026 Resolution.
Caregiver consent does not create an exception to the under-15 social-media account prohibition.
Can platforms continue asking users only for their date of birth?
Not as their recognised age-verification method for the social-media rules.
The Resolution states that self-declaration of age is not sufficient. Platforms need an effective and reliable method that meets the prescribed standards.
Must platforms store a copy of the user’s ID?
Not necessarily.
The Resolution permits document-based methods but also requires data minimisation and limited retention. A platform should assess whether it can receive and retain only an age result or verification token rather than a full identity-document copy.
Is AI facial age estimation mandatory?
No.
It is one permitted category of mechanism, provided the applicable standards are satisfied. Other options include digital government identity, official-document verification and approved licensed age-verification providers.
Are all advertisements to children prohibited?
The Resolution specifically prohibits targeted advertisements based on tracking and behavioural profiling and commercial exploitation of data based on tracking children’s digital activities.
General contextual advertising that does not rely on profiling or privacy intrusion is expressly distinguished from prohibited behavioural targeting.
What happens when a child turns 15?
A social media account may become permissible, but it must operate under enhanced safeguards until the child turns 16.
The transition should activate the protected account state rather than automatically providing unrestricted access.
What happens when a user turns 16?
The specific 15-to-16 controls may change, but the user remains a child under the broader federal framework until age 18.
Privacy, content, advertising and safety protections should therefore continue to apply as appropriate.
Have specific financial penalties been published?
The federal law provides for a separate administrative-penalties framework.
The instruments reviewed for this article identify possible measures including warnings, closure, partial blocking and total blocking, but do not yet provide a complete child-digital-safety fine schedule.
Businesses should verify later Cabinet instruments and regulator guidance rather than relying on unofficial fine figures.
Sources
- UAE Federal Decree-Law No. 26 of 2025 Regarding Child Digital Safety, including its scope, privacy, age-verification, platform-control, enforcement and transition provisions.
- UAE Cabinet Resolution No. 106 of 2026 Regarding the Regulation of Children’s Access to Social Media Platforms.
- UAE Government announcement summarising the Child Digital Safety Law and the services covered. (UAE Legislation)
- Analysis of the 2026 social-media Resolution and the distinction between general digital platforms and social media platforms. (Bird & Bird)
- Analysis of the federal framework’s scope, privacy, product controls and enforcement structure. (bakermckenzie.com)