Malaysia’s Social Media Age Ban Is Live
1 day ago
Subscribe to our Telegram channel for the latest stories and updates.
When the Australian ban kicked in on 10 December 2025, children started using VPNs, borrowing older siblings’ credentials and spoofing biometric checks with masks. By April 2026, 61 per cent of 12 to 15-year-olds in Australia still held active accounts on every platform the ban was supposed to lock them out of. Regulators noted that platforms had taken “some steps”, but of course, the kids mostly stayed.
Malaysia is betting its approach holds up better because it has infrastructure Australia never had. Verification must be conducted against government-issued records — MyKad, passports or MyDigital ID — which demands considerably more than ticking a checkbox claiming to be 16. The question hanging over the whole exercise is whether platforms will integrate thoroughly with Malaysian identity systems or do just enough to avoid the fine and call it compliance.
What Changed On 1 June
Two codes took effect simultaneously under the Online Safety Act 2025: the Child Protection Code and the Risk Mitigation Code, both applying to every licensed platform with at least eight million Malaysian users — Facebook, Instagram, TikTok and YouTube among them — requiring age verification and blocking registrations from anyone under 16.
Non-compliance carries financial penalties of up to RM10 million (approximately US$2.5 million).
How Age Verification Is Structured
Users must submit government-issued documents — MyKad, passport or MyDigital ID — to verify their age, and the requirement covers both new registrations and existing accounts, which must reverify to remain active.
Malaysia’s approach differs structurally from what most countries have attempted because most age verification systems rely on self-declaration, where the user claims to be old enough and the platform accepts that without challenge. Malaysia requires document verification against government records, which MyKad and MyDigital ID make technically viable in a way they are not in countries without equivalent national identity infrastructure.
MCMC has not specified which technology platforms must use for the verification process itself, which introduces meaningful variation in how rigorously different companies actually implement the requirement.
A platform could integrate directly with MyDigital ID’s API for real-time verification, or it could accept uploaded document images and run them through optical character recognition — a considerably easier process to work around. The code sets the standard and leaves the method to each platform, and those are not the same thing.
What Platforms Must Do Beyond Age-Gating
Age verification is only one layer of what the codes demand.
Under the Risk Mitigation Code, platforms must conduct proactive risk assessments, enforce stricter content moderation and label manipulated or AI-generated content, while recommendation algorithms must be restructured to reduce exposure to child sexual abuse material, pornographic content and financial scams.
Paid advertising is now restricted to advertisers with verified identities — a provision aimed directly at the financial scam operations that have been running paid campaigns on Malaysian social media with minimal friction for years.
The algorithm obligation is going to be harder to verify from the outside than age-gating. A regulator can audit whether a platform checked a user’s MyKad, but auditing whether a recommendation engine has meaningfully reduced harmful content exposure requires a different kind of scrutiny, and MCMC has not published the methodology it plans to use for that assessment.
The Transition Timeline
Platforms have up to six months to complete age verification for existing users, and anyone identified as under 16 gets one month to download or transfer their data before their account is restricted.
This means enforcement will not be fully visible until approximately December 2026. Until then, new accounts face the verification requirement while existing accounts work through the phased compliance window simultaneously.
Where The System Is Most Vulnerable
Malaysia’s document-based requirement raises the bar, but a child with access to a parent’s MyKad can submit that document instead of their own, meaning the system catches registrations from children working alone and stops there.
It does not extend to children in households where a parent’s ID is available and unguarded, which is most households.
The more durable layer of protection may turn out to be the algorithm obligations rather than the registration block, because if platforms genuinely restructure what their recommendation systems surface, the experience for users who get through the age check becomes less harmful regardless of how they got in.
That is harder to audit externally, but the downstream effect on content exposure is potentially more significant than anything a registration gate can accomplish on its own.
The Data Behind The Decision
Australia’s eSafety Commissioner surveyed 2,629 children aged 10 to 15 between December 2024 and February 2025, finding that 96 per cent had used social media and seven in ten had encountered harmful content — misogynistic material, violent videos and content promoting disordered eating and suicide — with nearly half of those aged 13 to 15 who experienced cyberbullying reporting that it happened on a social media platform.
...Read the fullstory
It's better on the More. News app
✅ It’s fast
✅ It’s easy to use
✅ It’s free

