Acceptable Use Policy (Malaysia)
ACCEPTABLE USE POLICY (AUP)
[Company Name]
Effective Date: [Effective Date]
This Acceptable Use Policy ('AUP') sets out the rules governing permitted and prohibited uses of [Service Description] provided by [Company Name] ('we', 'us', 'our'). By using our services, you agree to comply with this AUP. This AUP is incorporated into our Terms of Service.
1. SCOPE AND APPLICATION
This AUP applies to the following categories of users: [User Types]. It covers all access to and use of [Service Description], including access via web browser, mobile application, API, or any other interface.
2. PERMITTED USES
Our services are provided for the following legitimate purposes: [Permitted Uses]. Use of our services must at all times comply with applicable Malaysian law and the terms of this AUP.
3. PROHIBITED CONDUCT — LEGAL VIOLATIONS
The following activities are strictly prohibited and may constitute criminal offences under Malaysian law:
[Legal Violations]
Violations may be reported to the Malaysian Communications and Multimedia Commission (MCMC) under the Communications and Multimedia Act 1998 (Act 588), the Royal Malaysia Police (PDRM), or other relevant authorities.
4. PROHIBITED CONDUCT — PLATFORM ABUSE
The following activities that harm our services, infrastructure, or other users are prohibited:
[Platform Abuse]
5. ENFORCEMENT
Violation of this AUP may result in the following actions at our sole discretion:
[Enforcement Actions]
We reserve the right to cooperate with MCMC, PDRM, and other regulatory authorities in investigations of suspected illegal activity using our services.
6. REPORTING VIOLATIONS
To report a suspected AUP violation: [Reporting Process]
Abuse reporting email: [Contact Email]
We investigate all reports and take appropriate action. We do not tolerate abuse of our reporting mechanism — frivolous or malicious reports may themselves result in enforcement action.
What Is an Acceptable Use Policy (Malaysia)?
An Acceptable Use Policy in Malaysia sets out the standards and procedures the organisation expects its people to follow.
Malaysia's digital conduct is regulated primarily by the Communications and Multimedia Act 1998 (CMA 1998, Act 588), which is administered by the Malaysian Communications and Multimedia Commission (MCMC). Section 211 of the CMA 1998 prohibits the provision of content which is indecent, obscene, false, menacing, or offensive with intent to annoy, abuse, threaten, or harass any person. Section 233 extends this prohibition to transmitting such content via any multimedia device. The Computer Crimes Act 1997 (Act 563) criminalises unauthorised access to computer systems (Section 3), unauthorised access with intent to commit or support the commission of further offences (Section 4), unauthorised modification of the contents of any computer (Section 5), and wrongful communication of access codes (Section 6).
For organisations operating under ISO/IEC 27001 Information Security Management Systems or the Malaysian Cybersecurity Act 2024, an AUP is a required policy document. The National Cyber Security Agency of Malaysia (NACSA) and CyberSecurity Malaysia, the national information security specialist agency under the Ministry of Digital Malaysia, recommend AUPs as a foundational information security control for all organisations.
An AUP should be incorporated by reference into the Terms of Service or employment contract of the relevant organisation. For internet service providers (ISPs) and cloud service providers regulated by MCMC under the CMA 1998, an AUP that prohibits illegal content and conduct is a regulatory expectation. For corporate networks and SaaS platforms, the AUP informs employees and users of the boundaries of permitted use and establishes the basis for disciplinary action in cases of violation.
An effective AUP must be specific about the prohibited categories of conduct, proportionate in its enforcement provisions, and regularly reviewed to reflect changes in Malaysian law and technology. The MCMC publishes the Content Code of the Communications and Multimedia Content Forum of Malaysia (CMCF Content Code), which sets out content standards that AUPs for content platforms should reflect.
The legal framework governing the Acceptable Use Policy (Malaysia) in Malaysia draws on several key statutes and regulatory bodies. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Parties executing an Acceptable Use Policy (Malaysia) in Malaysia should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies Act 2016 (Act 777) sets the foundational requirements.
When Do You Need an Acceptable Use Policy (Malaysia)?
An Acceptable Use Policy is required for any organisation that provides digital services, network access, or online platforms to users in Malaysia.
An Acceptable Use Policy is needed for any internet service provider (ISP), cloud hosting provider, or managed service provider regulated by the Malaysian Communications and Multimedia Commission (MCMC) under the Communications and Multimedia Act 1998, to document the prohibited uses of the provider's network infrastructure and content standards.
An Acceptable Use Policy is required for any SaaS platform or collaborative online tool serving Malaysian businesses and individuals, to define the boundary between permitted use and abuse of the platform's resources, and to establish the basis for account suspension or termination of violating users.
An Acceptable Use Policy is needed for any employer providing corporate network access, email systems, or internet access to employees in Malaysia, as part of the employer's obligations under ISO/IEC 27001 and the company's information security management system (ISMS). The AUP sets out what employees may and may not do on company systems.
An Acceptable Use Policy is required for any educational institution, university, or online learning platform in Malaysia providing network or platform access to students and staff, to regulate academic integrity, content sharing, and appropriate online conduct.
An Acceptable Use Policy is needed for any marketplace or content platform in Malaysia that allows users to post, share, or publish content, to establish the content standards that govern user submissions and the platform's right to moderate and remove non-compliant content under the CMA 1998.
Parties in Malaysia should prepare an Acceptable Use Policy (Malaysia) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Acceptable Use Policy (Malaysia)
A thorough Acceptable Use Policy for a Malaysian organisation must include the following essential elements.
Scope and Application: A statement of which users, systems, services, and activities are covered by the AUP, and how the AUP interacts with the Terms of Service, Privacy Policy, and employment contracts.
Permitted Uses: A clear statement of the purposes for which the service is intended to be used — for example, legitimate business communications, lawful e-commerce transactions, or accessing licensed software features. Defining permitted uses helps establish the baseline against which violations are measured.
Prohibited Conduct — Legal Violations: Specific prohibition on using the service to violate Malaysian law, including: sending or posting indecent, obscene, menacing, or offensive content contrary to Section 211 of the Communications and Multimedia Act 1998; unauthorised access to computer systems contrary to Section 3 of the Computer Crimes Act 1997; distributing content that infringes copyright under the Copyright Act 1987 (Act 332); transmitting content that incites racial or religious hatred contrary to the Sedition Act 1948 and the Penal Code; distributing spam contrary to Section 233 of the CMA 1998.
Prohibited Conduct — Platform Abuse: Prohibition on activities that harm the platform's technical infrastructure or other users — including distributed denial-of-service (DDoS) attacks, scraping, brute-force attacks, deploying malware or ransomware, and circumventing security controls.
Content Standards: For platforms accepting user-generated content, specific content standards — including prohibitions on defamatory content under the Defamation Act 1957, child sexual abuse material (CSAM) criminalized under the Sexual Offences Against Children Act 2017 (Act 792), and violence-inciting content.
Enforcement and Consequences: The actions the organisation may take in response to AUP violations — including content removal, account suspension, permanent termination, reporting to MCMC or the Royal Malaysia Police (PDRM), and civil claims for damages.
Reporting Mechanism: How users or employees can report suspected AUP violations, including a dedicated abuse reporting email or portal.
Additional compliance elements for an Acceptable Use Policy (Malaysia) used in Malaysia include: Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Forms-legal.com provides this template as a starting point for Malaysia-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Acceptable Use Policy (Malaysia) (Malaysia) [Legal document template]. Forms Legal. https://forms-legal.com/malaysia/business/policies/acceptable-use-policy-malaysia
Frequently Asked Questions
While there is no specific Malaysian law that mandates every organisation to have a formally titled Acceptable Use Policy, several Malaysian statutes impose content and conduct obligations that an AUP gives effect to. The Communications and Multimedia Act 1998 (CMA 1998, Act 588) imposes obligations on content providers and internet service providers to prevent the transmission of prohibited content. Section 211 of the CMA 1998 prohibits content that is indecent, obscene, false, menacing, or offensive with intent to harass. Internet service providers and content application service providers licensed by the Malaysian Communications and Multimedia Commission (MCMC) are expected to have documented policies governing acceptable use of their services. Under ISO/IEC 27001:2022, an AUP is a required control (Annex A, Control 5.10). For employers providing IT systems and network access to employees, an AUP is required under best practice employment policies and the employment contract to establish the rules governing use of company IT resources.
The Computer Crimes Act 1997 (Act 563) criminalises four categories of offences. Section 3 prohibits unauthorised access to any computer or computer material — accessing any computer system, program, or data without authorisation, punishable by a fine not exceeding RM50,000 or imprisonment not exceeding five years, or both. Section 4 covers unauthorised access with intent to commit or facilitate commission of an offence involving fraud, dishonesty, or causing harm — an aggravated offence with imprisonment up to ten years and/or a fine up to RM150,000. Section 5 prohibits unauthorised modification of the contents of any computer — including deleting, adding, or altering data without authorisation, which covers deploying malware, ransomware, or wipers — with imprisonment up to seven years and/or a fine up to RM100,000. Section 6 covers wrongful communication of means of access — sharing passwords, access codes, or authentication credentials to enable another person to obtain unauthorised access. An AUP should prohibit all four categories of conduct.
Yes. A Malaysian employer can monitor employees' use of company IT systems — including corporate email, internet browsing, and network activity — provided that the monitoring is disclosed in the employment contract, employee handbook, or AUP, and that the monitoring is proportionate to the legitimate business purpose. The Personal Data Protection Act 2010 (PDPA 2010, Act 709) applies to personal data processed in connection with commercial transactions, and monitoring of employee communications may involve the processing of personal data. The employer must inform employees of the monitoring in the AUP or IT policy, state the purpose of monitoring (security, compliance, or productivity), and retain monitoring data only for as long as necessary under the Retention Principle (Section 10, PDPA 2010). Monitoring of employee emails without disclosure may expose the employer to claims under the Employment Act 1955 for breach of implied terms and potentially under the PDPA 2010 for non-disclosure of data processing. The AUP should clearly state that employees have no expectation of privacy when using company IT systems for work purposes.
When a user violates an Acceptable Use Policy, the service provider can take several actions depending on the severity of the violation. For minor violations, a warning notice is typically issued requesting the user to cease the violating activity. For serious or repeated violations, the service provider may suspend the user's account, terminate the account permanently, or restrict the user's access to specific features. For violations that constitute criminal offences under Malaysian law — such as distributing child sexual abuse material contrary to the Sexual Offences Against Children Act 2017 (Act 792), hacking contrary to the Computer Crimes Act 1997, or distributing content inciting racial hatred contrary to the Sedition Act 1948 — the service provider may report the violation to the Royal Malaysia Police (PDRM) or the Malaysian Communications and Multimedia Commission (MCMC). The service provider may also pursue civil claims for damages caused by the violation, such as loss resulting from a DDoS attack or data breach caused by the user. The AUP should state these consequences clearly to deter violations.
An Acceptable Use Policy (Malaysia) does not legally require a lawyer in Malaysia, and individuals and businesses may draft and execute the document independently. The Companies Act 2016 (Act 777) does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified Malaysian lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Federal Court of Malaysia has jurisdiction over disputes arising from this type of document, and the Companies Commission of Malaysia (SSM) may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.