KUALA LUMPUR, May 15 — A majority of the stakeholders who submitted feedback to the Malaysian Communications and Multimedia Commission (MCMC) during its public consultation on proposed draft codes under the Online Safety Act 2025 showed broad support for flexible, risk-based age assurance measures over a single mandatory age verification model.
The consultation received feedback from 21 respondents, including technology companies such as TikTok Service Pte Ltd, Meta, Google, X Corp., Roblox and rednote (Xiaohongshu), alongside telecommunications providers including Maxis, CelcomDigi, Telekom Malaysia, Time dotCom, YTL Communications and Astro.
According to MCMC’s public consultation report, respondents broadly favoured a proportionate and risk-based framework in which the level of age assurance applied corresponds to the level of harm or risk posed by a particular service.
Instead of relying solely on hard identity checks or government-issued records, respondents advocated a multi-layered age assurance approach that combines different signals and interventions. This, they said, would better balance child protection objectives with privacy safeguards.
Feedback also drew attention to international regulatory approaches, including Australia’s Social Media Minimum Age framework, the United Kingdom’s Online Safety Act 2023, and the European Union’s Digital Services Act, which all emphasise proportionate or “reasonable steps” approaches without mandating a single technical solution.
A consistent concern raised across submissions was that mandatory verification using government-issued identity documents could conflict with data minimisation principles and privacy protections.
Respondents warned that such requirements could force platforms or third-party vendors to collect and store sensitive personal data of millions of users, most of whom are adults.
They further cautioned that this could create centralised repositories of highly sensitive information, increasing exposure to cybersecurity risks and potential large-scale data breaches, with some noting that the resulting harm could outweigh the intended child safety benefits.
Related concerns were raised on proportionality, transparency and human rights implications.
Respondents said identity-linked verification systems could create infrastructure capable of tracking how individuals access and consume information online, while also highlighting limited public information on the procurement process for any third-party verification vendors.
Submissions also noted that strict verification requirements could disproportionately affect vulnerable and marginalised groups, including undocumented persons and refugees, potentially undermining inclusive access to digital services.
On enforcement approaches, some respondents cautioned against mandatory pre-publication assessments of content, describing such measures as potentially amounting to pre-publication censorship that could affect freedom of expression.
Respondents also called for greater clarity in the definition of harmful content, with some stating that existing definitions may be too broad for effective implementation and compliance.
Across submissions, stakeholders also stressed the importance of allowing adequate implementation time, with suggestions that service providers be given up to 12 months from finalisation of the Risk Mitigation Code for compliance purposes, including system adjustments and operational preparation.
MCMC said respondents consistently supported stronger child safety protections but urged a framework that is proportionate, practical and adaptable to different service models.
“The Commission will consider stakeholders’ feedback in finalising the proposed codes under ONSA,” it said.
The finalised codes will set out compliance obligations for licensed service providers under the Online Safety Act 2025.
Other respondents included Unicef, the Malaysian Bar, the Human Rights Commission of Malaysia (Suhakam), the Malaysian Media Council, the Institute of Strategic & International Studies (ISIS) Malaysia, the Asia Tech Alliance, the US-ASEAN Business Council, ARTICLE 19, the Centre for Independent Journalism (CIJ), Sinar Project, and the Online Child Sexual Exploitation and Abuse (OCSEA) Working Group together with ECPAT Malaysia.