Strengthening The Digital Frontier For Child Safety

The United Arab Emirates issued the Federal Decree-Law No. (26) of 2025 Regarding Child Digital Safety Law on January 1, 2026. This historic law represents a specific extension of Federal Law No. (3) of 2016 (Wadeema’s Law). Whereas the former law codified the basic civil and social rights of children, the new Decree-Law tackles the particular legal challenges posed by the digital era, setting very high standards for technology companies, internet service providers (ISPs), and parents.

Scope and Jurisdictional Applicability

The Decree-Law has wide jurisdictional applicability, covering all digital services and platforms available in the State. One of the characteristic features of the CDS Law is its wide jurisdictional reach. The CDS Law not only applies to digital platforms and ISPs operating in the UAE, but also to foreign digital platforms and ISPs targeting users (companies or individuals) in the UAE. The CDS Law repeatedly uses a dual nexus of “operating within the State (the UAE) or targeting users in the State” in its provisions on privacy, age verification, platform controls, and disclosure obligations.

Foreign companies targeting UAE users, especially when children have access to or are exposed to their services or content, fall within the jurisdictional ambit of the CDS Law. Importantly, the following entities fall under the Decree-Law’s jurisdiction:

1. Domestic Entities: All technology companies and ISPs operating in the UAE.
2. Extra-territorial Entities: Foreign digital platforms targeting users in the UAE or serving children living in the UAE.

Key Legislative Pillars

1. Data Sovereignty and the “Under 13” Rule

Article 8 of the Decree-Law imposes a strict ban on the processing of personal data of children under the age of 13. ISPs are subject to a distinct but complementary set of obligations. Policies and regulatory instructions issued by the Telecommunications and Digital Government Regulatory Authority (“TDRA”) will require ISPs to implement network-level content filtering, safe-use measures when the user is a child, and caregiver agreement terms linked to parental control tools. ISPs must provide parental control software and comply with immediate reporting obligations. The TDRA is empowered to review ISP policies and oversee ongoing compliance, reinforcing accountability at the infrastructure layer. Online platforms are prohibited from collecting, storing, and processing such data unless they obtain:

1. Verifiable Parental Consent: The onus of proof rests with the online platform to prove that consent was sought through “explicit and documented” channels.
2. Purpose Limitation: Collected data must be strictly necessary for the provision of the service offered and cannot be used for commercial profiling.

2. Mandatory Safeguard Mechanisms

The law changes the paradigm of safety from “user-beware” to “safety-by-design.”

1. Age Verification: Online platforms are required to adopt effective, technology-based age verification mechanisms. The Decree-Law abandons self-declaration gates and demands measures proportionate to the risk level of the online platform.
2. Privacy by Default: Online service providers are compelled to set the highest privacy settings as the default for minor users, making them invisible to the public and untraceable through geolocation by default.

3. Regulation of Harmful Content and “Dark Patterns”

The law clearly bans children from being exposed to digital content that may endanger their moral and psychological integrity. A major emphasis is placed on:

1. Commercial Gambling: Platforms are banned from advertising gambling-related content to children or incorporating “loot box” systems that replicate betting patterns.
2. Algorithmic Transparency: The law requires that algorithms employed by digital platforms cannot be designed to promote addictive behavior or direct children to harmful content.

Governance and Institutional Oversight

The Decree-Law creates the Child Digital Safety Council, headed by the Minister of Family. The council has the power to:

1. Classify Platforms: Classify digital services according to risk levels and the type of content being distributed.
2. Monitor Compliance: Publish regular reports on the compliance of international and local platforms with UAE safety regulations.
3. Legislative Updates: Recommend changes to ensure the law remains up-to-date with evolving technologies such as Generative AI and the Metaverse.

Legal Obligations for Caregivers

In a major departure, Article 13 sets out the obligations of parents and legal guardians. Non-compliance with these obligations shall render the caregiver liable to prosecution:

1. The Duty of Supervision: Caregivers are obligated by law to employ available parental control software offered by ISPs and platforms.
2. Prevention of Digital Exploitation: The law prohibits caregivers from using children in “virtual worlds” or digital broadcasts (such as social media “influencing”) that could violate the child’s dignity or privacy.

Enforcement and Penalties

The Telecommunications and Digital Government Regulatory Authority (TDRA) is the main enforcing authority. The penalties for non-compliance are stratified and consist of:

1. Administrative Fines: These will be specified by a Cabinet Resolution.
2. Service Restriction: Temporary or permanent suspension of digital services in the State for repeat or serious offenses.
3. Grace Period: All entities covered by this law have until January 1, 2027, to bring themselves into compliance with this law.

 Conclusion

Federal Decree-Law No. (26) of 2025 is a highly advanced step in the UAE’s child protection legal tradition. With its emphasis on technical measures and parental obligations, the UAE has established one of the most advanced legal systems globally for digital protection, ensuring that the rights conferred by Wadeema’s Law are adequately protected in cyberspace.