Malaysia's Communications and Multimedia Commission (MCMC) began enforcing its Child Protection Code and Risk Mitigation Code on June 1, 2026, under the Online Safety Act 2025 (Act 866) — legislation that received Royal Assent on May 6, 2025 and was gazetted on May 22, 2025. The codes require any social media platform with at least 8 million users in Malaysia — Facebook, Instagram, TikTok and YouTube among them — to verify that account holders are 16 or older, using government-issued records such as MyKad, passport or MyDigital ID. Non-compliance carries fines of up to RM10 million (~$2.5 million) (The Star).
The Case for the Rule
The regulator isn't inventing a problem. MCMC's own Online Safety Act portal reports 880,000 CSAM files seized in 2025, RM2.7 billion in online scam losses that year, and 38,470 bullying and harassment posts removed between 2022 and 2025 (mcmc.gov.my/onsa). Malaysia has 35.4 million internet users at 98% penetration and 30.7 million social media identities — 85% of the population (DataReportal) — with children ages 13-17 alone making up 7.7% of the population. That is an enormous, largely unsupervised surface area for exploitation and scams, and Communications Minister Fahmi Fadzil notes that age-verification requirements of this kind are now in place in more than 25 countries. Malaysia follows Australia and Indonesia, both of which enforced comparable under-16 restrictions earlier (Bernama). A regulator watching those numbers has a legitimate case for intervention, and delaying account ownership to 16 — the policy is publicly framed as "Tunggu 16," or Wait Until 16 — is a narrower ask than an outright content ban.
Where the Design Overshoots
The problem is not the goal; it's the mechanism. Because MCMC's guidance requires ID-based verification for existing account holders as well as new registrants, and because self-declaration is explicitly disallowed, the practical effect is that all 30.7 million of Malaysia's social media users — not just the fraction who are minors — must eventually submit a MyKad, passport or MyDigital ID number to a licensed platform to keep their accounts. A child-safety statute has become the delivery vehicle for what is, functionally, a national identity-verification mandate for an entire adult population's social media use. Law firm analysis of the codes confirms the 8-million-user threshold and the flat RM10 million exposure for any licensed provider that gets this wrong (Rahmat Lim & Partners) — a structure that gives platforms every incentive to over-collect identity data rather than under-collect it, since the penalty sits entirely on the compliance side and none of it sits on the privacy side.
That asymmetry is exactly what civil society groups flagged when the broader Online Safety Act was being debated. ARTICLE 19 has argued that mandatory verification requirements under the Act risk turning routine platform access into a surveillance chokepoint, warning that expanded data collection by service providers — layered onto the Act's already broad content-moderation and monitoring powers for MCMC — pushes Malaysia toward what the group has called a surveillance state dynamic, where privacy erodes and expression narrows under a child-safety label (Article 19 resources page, malaysia-mandatory-age-verification-undermines-privacy-and-free-expression). Whether or not one accepts that framing in full, the underlying critique is sound: a rule that requires government ID to read a Facebook post is a much larger intervention than a rule that keeps 14-year-olds off Instagram, and the two are not being debated as separate policy choices.
An Enforcement Regime Still Being Written
Six weeks after the June 1 effective date, the rule is still being negotiated in practice. Fahmi disclosed that the government has held more than 30 engagement sessions with platforms since a regulatory sandbox began in January, and MCMC describes its approach as "outcome-based," giving providers flexibility in how they implement verification rather than prescribing a single technical standard (Digital Watch Observatory). That flexibility is defensible as a way to avoid mandating a specific vendor or technology, but it also means the RM10 million exposure attaches to a standard that isn't yet fixed — a compliance environment global platforms can absorb with legal teams and engineering budgets, and one that would crush a smaller domestic app long before it ever reached 8 million users.
The Better Version of This Policy
People of Internet's editorial position is pro-innovation and proportionate regulation, not anti-regulation. Malaysia's underlying child-safety concern is real and evidenced by MCMC's own removal statistics. But the fix should scale to the problem: age assurance methods that estimate a plausible age bracket from device or account signals, without requiring every adult to register a government ID with a private platform, would achieve most of the child-protection benefit at a fraction of the privacy cost. MCMC should publish the technical verification standard it ultimately settles on, commit to data-minimization and retention limits for any ID data platforms collect, and report compliance and false-positive rates publicly — the same transparency it now demands of platforms. Absent that, Malaysia's under-16 rule risks becoming a template less for child safety than for identity-verification creep, one other Southeast Asian regulators are already watching closely.