On June 18, 2026, the UAE Cabinet issued a resolution making 15 the minimum age to create, use, or operate a personal social media account — the first such rule in the Arab world. Children under 15 are barred from posting, commenting, sharing, joining public groups, or entering large interactive spaces. Fifteen- and sixteen-year-olds may stay, but only behind enhanced safeguards: age-appropriate content controls, limits on contact with unknown users, screen-time tools, and parental supervision. Crucially, parental consent does not buy an exemption from the under-15 prohibition. Platforms have up to 12 months — roughly mid-2027 — to comply, under the watch of the National Media Authority, the Telecommunications and Digital Government Regulatory Authority (TDRA), and a new Child Digital Safety Council.
The strongest case for the rule
The case for acting is real, and worth stating plainly before criticising any of it. A decade of evidence on compulsive feed design, algorithmic amplification of self-harm and disordered-eating content, and contact risk from adult strangers has accumulated faster than any platform has voluntarily addressed it. Self-declared age — the industry standard for twenty years — is a fiction every nine-year-old knows how to defeat. A government that watched the UK pass the Online Safety Act and Australia bar under-16s in December 2025 can reasonably conclude that waiting for platforms to self-correct is waiting indefinitely. On that logic, a hard floor with real verification is not paternalism; it is the first enforceable child-safety standard the sector has ever faced.
The design is more proportionate than the headline suggests
What distinguishes the UAE's resolution from a blunt prohibition is its gradient. It does not ban teenagers from the internet; it bans personal accounts for under-15s and then permits 15- and 16-year-olds with guardrails — an acknowledgment that a 16-year-old and a 9-year-old are not the same regulatory problem. The 12-month runway, per The National, gives platforms time to build rather than demanding overnight compliance, and enforcement is graduated — warnings before partial or full blocking, per Gulf News. For a publication that favours proportionate regulation, those are the right instincts: targeted, staged, and reviewable rather than absolute and immediate.
The verification mandate is where it can go wrong
The risk sits in one sentence of the rule: platforms must move beyond self-declaration to "effective and reliable" age verification, including digital identity checks and AI-supported biometric tools approved by the Child Digital Safety Council. Age assurance at population scale is the hardest unsolved problem in this entire policy area. Done carelessly, it forces every adult user to surface a government ID or submit to a facial-age scan to read a feed — converting a children's-safety rule into a mass-identification regime for the whole population, tourists included, since the UAE has confirmed the ban applies to visitors too. That is a privacy cost the resolution's own language tries to contain — minimise collection, secure processing, retain nothing longer than necessary — but mandates rarely respect the restraint written above them.
The UAE has, at least, written the privacy guardrails into the text. The open question is whether "AI-supported biometric tools" can verify age without building a face-print database of everyone in the country. Privacy-preserving age assurance — on-device estimation, zero-knowledge tokens, double-blind ID checks that confirm "over 15" without disclosing identity — exists, and the Council's approval power is the lever that decides whether the UAE adopts those methods or the lazy ID-upload default. That single procurement choice will determine whether this rule is a model or a warning.
Australia is the cautionary data point
Australia's world-first under-16 ban took effect on December 10, 2025, and the early returns are sobering. Within weeks, University of Sydney analysts and Australian press documented children migrating to VPNs, messaging apps, and fringe platforms like RedNote and Lemon8, while several major platforms faced non-compliance investigations. The lesson is not that age rules are pointless — it is that prohibition without credible, low-friction verification pushes minors toward less-moderated spaces, the opposite of the safety goal. The UAE's longer runway and explicit verification standard are a direct improvement on Australia's stumble, but only if execution avoids the same enforceability gap.
The AI-hub contradiction Abu Dhabi has to manage
There is a strategic irony worth naming. The same state is positioning itself as a global AI capital — its sovereign funds and AI subsidiaries are anchors in the largest technology deals on the market, from frontier-model labs to data-centre build-outs financing the SpaceX IPO, as Rest of World documented in June 2026. A jurisdiction courting OpenAI-, Anthropic-, and xAI-adjacent capital, and building the ADGM and Dubai free zones into innovation magnets, now also wants to be among the strictest child-safety regulators in the world. Those goals are not inherently contradictory — a serious AI hub should be able to deploy serious, privacy-preserving age assurance — but they are in tension. If compliance friction makes the Emirates a harder place to operate a consumer platform, the same openness that attracts AI infrastructure could repel the services that sit on top of it.
The verdict
The UAE has chosen a more defensible structure than its predecessors: graduated by age, staged over a year, privacy-conscious on paper, and enforced short of immediate blocking. That is roughly what proportionate child-safety regulation should look like. The danger is entirely downstream — in whether the Child Digital Safety Council mandates privacy-preserving verification or settles for mass ID collection, and whether enforcement stops short of the heavy-handed blocking the statute permits. Get verification right and the UAE writes the template the rest of the region copies. Get it wrong and it builds a surveillance-by-default identity layer in the name of protecting children — while the children simply switch on a VPN.