Federal Decree-Law No. 26 of 2025 on Child Digital Safety is the UAE's first dedicated statute governing how children interact with the online world. It entered into force on 1 January 2026 and imposes concrete duties on internet service providers and digital platforms — from age verification and default privacy settings to restrictions on processing the data of children under 13 and limits on targeted advertising. Existing operators have a transitional window, with full compliance expected by January 2027.
Who should read this
General counsel and compliance leads at digital platforms, app publishers, online gaming, streaming and e-commerce businesses, and internet service providers that operate in or target users in the UAE — plus schools and any organisation handling children's personal data online.
Directly affected
Key facts
- Instrument: Federal Decree-Law No. 26 of 2025 on Child Digital Safety.
- Issued: 1 October 2025. In force: 1 January 2026.
- Compliance window: existing digital platforms and ISPs are expected to reach full compliance by January 2027; operative detail is set by Cabinet implementing regulations.
- Scope: internet service providers and digital platforms that operate in the UAE or are directed at users in the UAE — websites, search engines, apps, messaging and social media, online gaming, live-streaming, podcasts, video-on-demand and e-commerce platforms.
- Under-13 data: collecting, processing, publishing or sharing the personal data of children under 13 is prohibited unless strict conditions (including verifiable parental consent) are met; educational and health platforms may be exempted by Cabinet resolution.
- Platform controls: default privacy settings, age-verification and age-rating tools, content blocking and filtering, and regulation of targeted electronic advertising to children.
- Governance: establishes the Child Digital Safety Council, chaired by the Minister of Family, as an advisory and coordinating body across federal and local entities and the private sector.
- Standing: a new dedicated federal statute; it does not repeal existing law but operates alongside the UAE's data protection, cybercrime and child rights (Wadeema) frameworks.
Executive summary
Federal Decree-Law No. 26 of 2025 gives the UAE a standalone regime for children's safety online. It moves child protection from general principles scattered across data protection, cybercrime and child rights legislation into a single instrument with named obligations for the entities that build and operate digital services. The law reaches any platform or ISP that serves UAE users, regardless of where the operator is established, so the trigger is the audience rather than the place of incorporation. The centre of gravity is the under-13 age band, where the default position is a prohibition on processing personal data, and a set of design and operational controls that platforms must build into the product rather than bolt on later.
Key provisions
The most consequential rule is the restriction on children's data. Platforms may not collect, process, publish or share the personal data of a child under 13 unless narrow conditions are satisfied — chiefly verifiable parental consent, an easy withdrawal mechanism and clear privacy disclosures. The law also curbs the commercial use of that data and restricts targeted electronic advertising aimed at children. Educational and health platforms can be carved out by Cabinet resolution, subject to safeguards.
Alongside the data rules, the Decree-Law requires platforms to engineer safety into the service: default privacy settings for younger users, age-verification and age-assurance mechanisms, tools that enforce age restrictions, and blocking, filtering and age-rating for content. ISPs carry duties around access and the technical measures that support these controls. The statute defines the concepts it turns on — including harmful content and targeted electronic advertising — so that obligations attach to defined categories rather than open-ended judgement.
On governance, the law creates the Child Digital Safety Council, chaired by the Minister of Family, to coordinate federal and local authorities and the private sector, propose policy and legislation, run national awareness efforts and monitor emerging digital risks. Detailed thresholds and procedures are left to implementing regulations, so the enacted Arabic text and the Cabinet resolutions issued under it should be read together before finalising any compliance position.
Practical implications
For platform operators, the practical question is not whether the law applies — if you have UAE users, it does — but how much of your existing product already meets it. Age assurance is the hardest piece: many services rely on self-declared birth dates, which will not satisfy a verification standard aimed at a under-13 cut-off. Consent flows built for adults do not translate to verifiable parental consent, and advertising stacks that segment by behaviour need review where children may be in the audience.
For ISPs, the exposure sits in access controls and the technical cooperation the law contemplates. For schools and organisations that deploy third-party edtech, the law shifts diligence onto procurement: contracts should allocate responsibility for age assurance, data minimisation and the parental-consent record. Because the regime runs in parallel with the UAE's personal data protection law and the cybercrime framework, a single incident can trigger overlapping obligations, and a compliance programme built for one will not automatically cover the others.
Action points
- Map whether your service is directed at UAE users and confirm which platform category or ISP definition you fall under.
- Audit how you determine user age today and design an age-assurance approach that can support the under-13 threshold.
- Build or upgrade verifiable parental-consent flows, with a straightforward withdrawal mechanism and clear child-facing privacy disclosures.
- Review targeted-advertising and data-monetisation practices for any segment that may include children, and switch on default privacy settings for younger accounts.
- Implement content blocking, filtering and age-rating tools, and document them as evidence of compliance.
- Track the Cabinet implementing regulations and align your timeline to the January 2027 compliance expectation.
Directly affected: digital platform operators, app publishers, online gaming and streaming services, e-commerce platforms, internet service providers, edtech providers and schools, and parents and caregivers.
Enforcement and transitional relevance
The Decree-Law is in force now, but the operative compliance date for existing operators runs to January 2027 as implementing regulations are issued. That window is for building and evidencing controls, not for deferring assessment — enforcement and penalty detail will sit in the Cabinet regulations and the enacted Arabic text, which prevail over any English summary. Businesses that scope their obligations early, and keep a documented record of age-assurance, consent and content controls, will be in the strongest position when supervision begins.
Sources and authorities
Federal Decree-Law No. 26 of 2025 on Child Digital Safety — UAE Legislation Portal.
https://uaelegislation.gov.ae/en/legislations/3912
Issued 1 October 2025 · In force 1 January 2026. A new dedicated federal statute; it does not repeal existing legislation but operates alongside the UAE's personal data protection, cybercrime and child rights (Wadeema) frameworks. Cross-checked against leading practitioner analyses. The enacted Arabic text prevails.
Instrument details
Based on Federal Decree-Law No. 26 of 2025 on Child Digital Safety and cross-checked against leading practitioner analyses. General information only — it does not constitute legal advice, and the enacted Arabic text prevails. For advice on a specific matter, please contact us. Last updated: 2 July 2026.