Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
The Child Protection Law (Saudi Arabia Royal Decree No. M14/1436) (Child Protection Law) provides that a person under the age of 18 is a minor for the purposes of Saudi Arabian law.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
No.
The UNCRC has not been directly incorporated into Saudi Arabian national law. Saudi Arabia ratified the UNCRC in 1996 but did so with reservations, particularly concerning provisions that might conflict with Islamic law. This reservation applies broadly and allows Saudi Arabia to interpret the UNCRC in a manner consistent with its legal and cultural framework.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
No.
There is no ombudsperson or commissioner for children in Saudi Arabia. The main regulatory body for children in the Kingdom is the Ministry of Human Resources and Social Development. Additionally, there is also the Family Affairs Council, who publish separate guidance notes and regulations relating to family safety and wellbeing; this includes the protection of children.
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
No.
Under the Child Protection Law (Saudi Arabia Royal Decree No. M14/1436), the Ministry of Human Resources and Social Development is primarily responsible for ensuring the protection of children from harm and/or abuse; responsibility for upholding children’s rights in the digital world is not specifically contemplated, although in our view it would likely fall within this general responsibility.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
Yes.
Article 13 of the Executive Regulations to the Personal Data Protection Law (issued pursuant to Royal Decree No. (M/19) dated 09/02/1443 AH) states that in the case of processing personal data of a data subject that lacks full or partial legal capacity, obtaining the consent of the legal guardian shall be required, conditional upon taking appropriate measures to verify the guardianship validity over the data subject.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
While not explicitly stated in the Personal Data Protection Law (issued pursuant to Royal Decree No. (M/19) dated 09/02/1443 AH) or its Executive Regulations, the (Saudi Arabia Royal Decree No. M14/1436) defines a minor as any person under the age of 18.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
In addition to the usual requirements for valid consent under the Personal Data Protection Law (issued pursuant to Royal Decree No. (M/19) (PDPL), Article 13(3) of the Executive Regulations of the PDPL provides that controllers must comply with the following when obtaining consent from a legal guardian:
- Consent given by the legal guardian shall not cause any harm to the interests of the data subject.
- The data subject shall be allowed to exercise their rights stipulated in the PDPL and its Executive Regulations when they reach legal capacity.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
The transparency requirements under the Personal Data Protection Law (issued pursuant to Royal Decree No. (M/19) (PDPL) relate to processing of personal data generally, they do not specifically relate to the processing of children’s personal data.
However, Article 4(5) of the Executive Regulations to the PDPL requires controllers whose activities require continuous or large-scale processing of personal data of individuals lacking full or partial legal capacity to take the necessary measures to inform the individual lacking full or partial legal capacity (i.e., a child) of the information provided in the privacy policy. Additionally, the controller must explain:
- the means and methods of collecting and processing sensitive data, where applicable;
- the means and procedures taken to protect personal data; and
- indicate whether decisions will be made based solely on automated processing of personal data.
Article 4(7) also confirms that once a controller becomes aware that they are processing personal data pertaining to a child, they must provide the information contained in the privacy notice using suitable language.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
No.
No, Article 3(3) a) of the Executive Regulations to the Personal Data Protection Law (issued pursuant to Royal Decree No. (M/19) (PDPL) anticipates that the legal guardian responsible for a child will exercise their rights on their behalf.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
No.
The Personal Data Protection Law (issued pursuant to Royal Decree No. (M/19) (PDPL) does not address this point; however, we believe the position would be the same as above e.g., complaints must be submitted via a legal guardian.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
Article 16(6) of the Personal Data Protection Law (issued pursuant to Royal Decree No. (M/19) (PDPL) prohibits the disclosure of personal data in the following instances, insofar as it conflicts with the interests of a person that fully or partially lacks legal capacity:
- he data subject consents to the disclosure in accordance with the provisions of the law;
- the personal data has been collected from a publicly available source;
- the disclosure will only involve subsequent processing in a form that makes it impossible to directly or indirectly identify the data subject;
- the disclosure is necessary to achieve legitimate interests of the controller, without prejudice to the rights and interests of the data subject, and provided that no sensitive data is to be processed.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
No.
No enforcement actions to date as far as we are aware, although the data protection regulator has only recently become operational and the Personal Data Protection Law (issued pursuant to Royal Decree No. (M/19) is a relatively new piece of legislation in the Kingdom. Please note that future enforcement decisions may not be publicly available, making it difficult to extract clear statements of principle or precedent.
Are there specific rules concerning electronic direct marketing to children?
No.
No; however, there are a number of provisions that we believe are indirectly relevant:
- Article 3.14 of the Child Protection Law (Saudi Arabia Royal Decree No. M14/1436) requires the relevant authorities to prevent the exploitation of children from commercial marketing. The Human Resources and Social Development Authority have subsequently emphasised the importance of protecting children from exploitation from commercial advertising (see here).
- Under the Personal Data Protection Law (issued pursuant to Royal Decree No. (M/19), there is a general requirement for a data subject’s consent to be obtained before a controller can engage in any processing, including direct marketing activities via calling, e-mailing, or texting consumers.
- There are also Executive Regulations to the Child Protection Law – under Article 3(d), the relevant authorities are required to protection all children from harmful media, which includes media that exposes children to material that are obscene, criminal or unsuitable for his/her age.
- Additionally, the Ministry of Human Resources and Social Development, in collaboration with the Family Affairs Council and UNICEF have developed the National Framework for Children’s Online Safety. However, as of yet, nothing of substance has been published following the establishment of this framework.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
No.
No, there are no specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children.
Are there specific rules concerning online contextual advertising to children?
Yes.
Article 3.14 of the Child Protection Law requires the relevant authorities to prevent the exploitation of children from commercial marketing; we believe this is indirectly applicable. For further information, see the response to this question.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
No.
We are not aware of any decisions relating to regulatory enforcement action concerning advertising to children being made publicly available in Saudi Arabia.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
The Child Protection Law (Saudi Arabia Royal Decree No. M14/1436) provides that a person under the age of 18 is a minor for the purposes of Saudi Arabian law.
Do consumer protection rules apply to children?
Yes.
There are no specific ‘consumer protection rules’, as such. (We understand this topic is currently under consideration at a legislative level.) General principles found in the Civil Transactions Law are likely to be relevant in a consumer context, as will provisions of the E-Commerce Law (in an e-commerce context).
There is no clear reason why such considerations would not apply to children, although we do note that children, as minors, do not have contractual capacity. If this were to undermine the ability of a child to rely on consumer protection rules, we expect such protections could still be exercised by guardians on behalf of children.
Are there any consumer protection rules which are specific to children only?
No.
No, there are no consumer protection rules which are specific to children only.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
N/A.
We are not aware of any decisions relating to regulatory enforcement action concerning consumer protection requirements and children’s use of digital services being made publicly available in Saudi Arabia.
Are there any age-related restrictions on when children can legally access online/ digital services?
No.
Are there any specific requirements relating to online/ digital safety for children?
No.
The Ministry of Human Resources and Social Development, in collaboration with the Family Affairs Council and UNICEF have developed the National Framework for Children’s Online Safety. However, currently these are just guiding principles. To date, however, no guidance has been published following the establishment of the framework. For further information, see the response to this question.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
No. There are no specific age verification / assurance requirements concerning access to online / digital services. (There are general age classifications for video games, but these are not linked to verification/access requirements.)
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
No.
No. There are no specific requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
N/A.
We are not aware of any decisions relating to regulatory enforcement action concerning online / digital safety being made publicly available in Saudi Arabia.
Are there any existing requirements relating to children and AI in your jurisdiction?
Yes.
Saudi Arabia does not have specific laws or regulations that directly address the use of AI in relation to children. However, there are general legal frameworks and guidelines that indirectly affect how AI technologies can be used in contexts involving children, focusing on data protection, privacy, and online safety:
- Data Protection: Saudi Arabia’s Personal Data Protection Law (issued pursuant to Royal Decree No. (M/19) (PDPL) governs the collection, processing, and storage of personal data. The PDPL emphasizes the need for consent and the protection of sensitive information, which are crucial when dealing with children's data. While not specific to AI, it will apply to any AI systems processing personal data, including that of children.
- Cybersecurity and Online Safety: The National Cybersecurity Authority sets guidelines and standards for cybersecurity, which can be relevant for AI technologies used in digital platforms accessed by children. These guidelines aim to protect individuals, including children, from online threats and exploitation.
- Child Protection Laws: Saudi Arabia has child protection laws, such as the Child Protection Law (Saudi Arabia Royal Decree No. M14/1436), which safeguard children's rights and welfare. These laws can indirectly influence how AI technologies are used in contexts involving children, ensuring that their rights and safety are prioritised
- Ethical Guidelines for AI: The Saudi Data & AI Authority is responsible for developing ethical guidelines and principles for AI deployment. While not specifically focused on children, these guidelines emphasize responsible and ethical AI use, which includes considerations for vulnerable groups like children.
- Education and Awareness: There are initiatives to promote digital literacy and safety among children and parents, which include educating them about the safe use of technology, including AI-driven applications.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
No.
There are no specific upcoming legal requirements in Saudi Arabia that directly address the intersection of AI and children's rights. However, given the rapid development of AI technologies and the increasing focus on digital governance, there are some areas where future developments might impact how AI is used in relation to children:
- Data Protection: Saudi Arabia's Personal Data Protection Law (issued pursuant to Royal Decree No. (M/19) (PDPL) is still relatively new, and further refinements or updates could include more specific provisions regarding the processing of children's data. This aligns with global trends towards enhancing data protection, particularly for vulnerable groups like children.
- Cybersecurity and Digital Safety: Saudi Arabia continues to strengthen its cybersecurity frameworks, which could lead to new guidelines aimed at protecting children in the digital space. This might involve setting standards for AI technologies used in educational tools, social media, or other platforms accessed by children.
- International Influences: Saudi Arabia is increasingly engaging with best practices in AI and digital governance. As global discussions around AI ethics and children's rights evolve, Saudi Arabia might introduce new regulations or guidelines that reflect these international standards.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
We are not aware of any decisions relating to regulatory enforcement action concerning children’s use of digital services being made publicly available in Saudi Arabia.
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes.
We anticipate the publication of the consumer protection law during the course of 2025. At present, it is unclear whether this will contain anything specific to children.
