Malaysia mandates age checks for social media users, ID verification for advertisers

Malaysia’s National Cyber Security Agency (NACSA) is doing some careful messaging as age verification becomes mandatory for opening social media accounts from today.

Under 16s are now barred from opening social media accounts in Malaysia. Users seeking to create new accounts must verify their age using the country’s MyKad smart ID card and live facial biometric verification through MyDigital ID, Malaysia’s national digital identity platform.

NACSA says the approach is designed to protect children online while minimizing the amount of personal information shared with social media companies.

“MyDigital ID does not require users to submit or store physical ID copies, nor does it store biometric data such as fingerprints or facial images,” said NACSA CEO Megat Zuhairy Megat Tajuddin.

“Instead, it verifies users against official records held by the National Registration Department (NRD) to ensure that sensitive data remains within a secure and trusted government system.”

Tajuddin says a single verification layer reduces the risk of data exposure, with social media platforms only getting confirmation on whether a user meets the age requirements rather than getting other personal details.

“The objective is clear: to enable verification without expanding the attack surface,” he told Bernama. “By limiting data sharing, avoiding duplication, and centralizing verification within a secure national system, we can protect children online without compromising privacy.”

Malaysia now follows Indonesia in age-gating social media, although it’s taking its own approach and with various technological barriers in place. Users must verify through physical MyKad — smart ID cards for anyone aged 12 and above — along with live face biometrics via MyDigital ID, the country’s digital identity platform.

Loophole-chasing teenagers will also find it tougher as an upcoming Cybercrime Bill looks to penalize offences related to misusing digital identity services, which includes the act of supplying another person’s digital identity credentials.

Previously, Tajuddin has said MyDigital ID would only succeed if it was “built on trust, transparency and voluntary adoption,” but that belief in its optionality appears to have fallen by the wayside. The digital identity platform has been integrated with transport services, 29 new partners, and counts 12 million users in a country of 35 million.

Malaysia’s Risk Mitigation Code tackles online scams

The likes of Meta and ByteDance will need to take greater care as Malaysia’s new Risk Mitigation Code (RMC) kicks into gear today.

The sweeping online safety obligations for major social media platforms and digital service providers are now in effect. Issued by the Malaysian Communications and Multimedia Commission (MCMC) under the Online Safety Act 2025, the rules aim to curb harmful content, scams and manipulated media, which includes deepfakes.

They apply to licensed online platforms operating in Malaysia under the Communications and Multimedia Act 1998. The regulator described the RMC as a framework intended to protect users, particularly children and vulnerable groups, from exposure to dangerous or distressing material.

The code requires platforms to assess the risks their services pose to users and to introduce measures tailored to those risks. It follows rising concern over online harms such as financial fraud, child sexual abuse material, cyberbullying, violent or extremist content, and AI-generated impersonation.

Advertisers using sponsored adverts on social media must now verify identities to tackle online fraud. The measure also takes aim at online gambling and the misuse of famous people’s identities.

“We have seen many sponsored posts using the images of well-known individuals to promote content such as dubious investments, financial scams and online gambling, and so far it has been difficult to take action because we do not know who actually paid for the advertisements,” said Deputy Communications minister Teo Nie Ching.

It means individuals and registered entities must undergo identity verification by the platform before they are able to publish sponsored advertisements. Verification must be conducted against government-issued records such as MyKad or NRIC, passports, work permits, business registration documents or incorporation certificates. Platforms may use their own systems or third-party providers, provided they comply with privacy and data protection laws.

Platforms must now carry out detailed, regularly updated assessments of how their features, algorithms and user behaviour could expose people — especially children — to harmful content, including during sensitive periods like elections or national crises. They must also upgrade their reporting and moderation systems so users can easily flag harmful material and platforms can remove it quickly, with penalties such as warnings, restrictions or account suspensions for repeat offenders. Reporting tools must remain accessible and protect users’ anonymity and confidentiality.

Deepfakes in the crosshairs

The code also targets manipulated and AI-generated content. Platforms must introduce measures that help users identify deepfakes or other altered media and distinguish them from genuine content. They must also provide tools and guidance for users and advertisers to disclose when content has been generated or modified using AI.

Platforms must test and adjust their recommendation systems to reduce users’ exposure to harmful content. Platforms must also offer users safety tools such as interaction controls, filters for search and recommendation outputs, and accessible safety settings. These tools are intended to give users more control over their online experience and reduce the likelihood of encountering harmful content.

Any personal data collected for risk assessments or advertiser verification must comply with the Personal Data Protection Act 2010. MCMC said safety measures must be implemented with respect for users’ privacy and data rights.

Failure to comply with the RMC may result in enforcement action under the Online Safety Act, including fines upon conviction or financial penalties of up to 10 million Malaysian Ringgit (US$2.5 million). The regulator may amend or revise the code over time, describing it as a minimum baseline that platforms may exceed with stronger protections.

Deputy Communications Minister Teo Nie Ching has said the government takes the misuse of digital platforms seriously and has been working with major social media companies to remove content linked to investment scams, online gambling and the sale of unregistered products. She noted that no major platform has yet been prosecuted in Malaysia over scam-related advertisements, as such content is typically uploaded by third-party users. Liability depends on the extent of a platform’s role in facilitating its spread.

Between January and April this year, authorities recorded 23,367 online scam cases involving losses of 680.3 million Malaysian Ringgit ($171.5 million).

Article Topics

age verification  |  AI fraud  |  identity verification  |  legislation  |  Malaysia  |  MyDigital ID  |  social media