On June 1, 2026, Malaysia's Communications and Multimedia Commission (MCMC) began enforcing two subsidiary codes under the Online Safety Act 2025: the Child Protection Code (CPC) and the Risk Mitigation Code (RMC). The codes, published by MCMC on May 22, apply to large licensed social media services and carry penalties of up to RM10 million (about US$2.5 million) for non-compliance. Two very different regulatory instincts are bundled inside this single rollout — and they deserve very different verdicts.
The good half: regulating manipulative design, not speech
The most defensible part of the package is the CPC's safety-by-design mandate. According to a Flint Global analysis of the codes, the CPC requires providers to default child accounts to the highest privacy settings, limit adults' ability to contact or view children's information, and crucially "restrict design features that drive compulsive use" while ensuring that "search and recommendation systems do not surface harmful content to children." The Digital Watch Observatory similarly summarises the codes as addressing higher-risk platform features, content governance, and the labelling of manipulated content.
This is dark-pattern regulation done roughly the right way. It targets design — autoplay, infinite scroll, manipulative engagement loops, recommendation systems tuned to maximise time-on-app — rather than the lawfulness of any given post. It is outcome-based and technology-neutral: MCMC tells platforms what harm to mitigate and lets engineers choose how, instead of freezing one verification vendor or one interface into law. And it tracks the international consensus. The UK's Age Appropriate Design Code and the EU's Digital Services Act both police addictive and deceptive interface choices aimed at minors. Targeting the manipulative mechanics of a feed is a far lighter touch on expression than dictating what may be said in it. On this half of the rollout, Malaysia is broadly aligned with proportionate, evidence-led practice.
The blunt half: an ID-gated ban on under-16 accounts
The other half is harder to defend. From June 1, individuals under 16 may no longer open social media accounts at all, and every user — adult or child — must verify their age before creating or continuing to use an account on covered platforms. The South China Morning Post reports that verification runs against government-issued records such as the MyKad national ID, a passport, or the MyDigital ID system, and that existing under-16 users get one month to download or transfer their data before suspension, with verification rolled out progressively over up to six months. Xinhua confirms the RM10 million ceiling and that platforms must also retune recommendation algorithms to reduce exposure to child sexual abuse material, pornography, and financial scams.
The case for this is real and should not be caricatured. Malaysia has logged genuine harms — grooming, scam networks impersonating public figures, and incidents officials have tied partly to social media — and a hard age floor backed by identity checks is, on paper, the most legible way to keep young children out of adult-facing feeds. Deputy Communications Minister Teo Nie Ching pointed to a concrete abuse the RMC's advertiser-verification rule addresses: sponsored posts using "the images of well-known individuals to promote content such as dubious investments." Those are not imaginary problems.
But the chosen remedy is disproportionate to them. A blanket account ban enforced by government-ID verification converts an ordinary act — opening a social account — into an identity-disclosure event for the entire adult population, not just children. ARTICLE 19, the Centre for Independent Journalism, and Sinar Project warned in the run-up that mandatory electronic identity verification is "misguided and disproportionate" and "will undermine the privacy and freedom of expression of all social media users, both adults and children," eroding the anonymous and pseudonymous speech that activists, journalists, whistleblowers, and abuse survivors depend on. Their objection is not that child safety doesn't matter; it is that ID-gating the whole population is a sledgehammer aimed at a problem the design rules already address more precisely.
Privacy by architecture is the redeeming detail
To its credit, Malaysia anticipated the surveillance objection in part. The framework is technology-neutral — platforms pick their own method provided it meets accuracy, security, and privacy requirements — and the state-run option is engineered to minimise data exposure. National cybersecurity chief Megat Zuhairy Megat Tajuddin told Biometric Update that "MyDigital ID does not require users to submit or store physical ID copies, nor does it store biometric data," with verification occurring against National Registration Department records so sensitive data "stays within government systems." That is meaningfully better than forcing every platform to warehouse scans of national IDs, the model that has produced breach after breach elsewhere.
It does not dissolve the core problem. Even a privacy-preserving check still ties a real legal identity to an account, defeating anonymity by design, and it routes verification through state infrastructure that can log who is online. It is also easily defeated: age walls of this kind are routinely circumvented by VPNs and borrowed credentials, which tends to push the most determined minors toward smaller, unmonitored platforms outside the 8-million-user threshold — the opposite of the safety goal.
The lesson
Malaysia's June 1 rollout is a natural experiment in two theories of online-safety regulation. Restraining manipulative, compulsive, and deceptive design is the proportionate path: it attacks the mechanism of harm while leaving speech and anonymity intact. A hard, identity-verified ban is the blunt path: heavier on rights, easier to evade, and largely redundant once the design rules bite. Regulators across the region now weighing Australia-style age bans should watch which half of Malaysia's package actually moves the needle on child safety — and copy that one.