AI Regulation Tracker / Guidance
Saudi Arabia's SDAIA Issues National Deepfakes Guidelines and Ties Synthetic Media to the PDPL
Regulatory summary: On May 8, 2026, the Saudi Data and Artificial Intelligence Authority (SDAIA) issued national Deepfakes Guidelines, titled Deepfakes Guidelines: Mitigating Risks While Fostering Innovation. The document distinguishes malicious deepfakes, which are built to deceive, exploit, or harm, from non-malicious synthetic media used in marketing, entertainment, retail, education, healthcare, and culture.
The Saudi Data and Artificial Intelligence Authority has published national Deepfakes Guidelines that split malicious from non-malicious synthetic media and route developer and creator duties through the Personal Data Protection Law and the Anti-Cyber Crime Law. The guidance also asks systems to let people pull their likeness out of training data.
Key takeaways
- Saudi Arabia moved from a public consultation on deepfake principles to a published national guidance document. SDAIA had earlier opened guiding principles for deepfake practices for public consultation, and on May 8, 2026 it issued the finalized Deepfakes Guidelines. The document sets out a malicious versus non-malicious framework, names the PDPL and the Anti-Cyber Crime Law as the compliance baseline, and lists concrete safeguards including privacy-by-design, anonymization, consent management, watermarking, source verification, and a mechanism to remove a person's likeness from training data.
- Synthetic-media and generative-AI developers selling into or operating in the Gulf; marketing, advertising, and entertainment studios producing AI faces, voices, or de-aged actors; retail and healthcare teams using synthetic presenters or virtual tutors; data-protection officers and legal counsel responsible for PDPL compliance; and any non-Saudi developer whose model trains on or generates the likeness of Saudi individuals.
- Status: Issued and published by SDAIA on May 8, 2026, with the full document hosted on the SDAIA website and announced through the Saudi Press Agency.
- Map every synthetic-media workflow that could touch a Saudi person or Saudi data, then check each one against the PDPL baseline the Guidelines invoke: lawful basis and explicit consent, watermarking, provenance, and a likeness-removal request path. Fix the consent and deletion mechanics first, because those are the duties tied most directly to enforceable law.
| Date | Jurisdiction | Rule | Affected professionals | Status or effective date |
|---|---|---|---|---|
| 2026-07-09 | Saudi Arabia | Saudi Arabia moved from a public consultation on deepfake principles to a published national guidance document. SDAIA had earlier opened guiding principles for deepfake practices for public consultation, and on May 8, 2026 it issued the finalized Deepfakes Guidelines. The document sets out a malicious versus non-malicious framework, names the PDPL and the Anti-Cyber Crime Law as the compliance baseline, and lists concrete safeguards including privacy-by-design, anonymization, consent management, watermarking, source verification, and a mechanism to remove a person's likeness from training data. | Synthetic-media and generative-AI developers selling into or operating in the Gulf; marketing, advertising, and entertainment studios producing AI faces, voices, or de-aged actors; retail and healthcare teams using synthetic presenters or virtual tutors; data-protection officers and legal counsel responsible for PDPL compliance; and any non-Saudi developer whose model trains on or generates the likeness of Saudi individuals. | Issued and published by SDAIA on May 8, 2026, with the full document hosted on the SDAIA website and announced through the Saudi Press Agency. It is live guidance, not a draft, but it operates as recommendations sitting on top of the binding PDPL and Anti-Cyber Crime Law rather than as a new penalty regime of its own. |
Frequently Asked Questions
Are SDAIA's Deepfakes Guidelines legally binding?
The Guidelines themselves are guidance and recommendations issued on May 8, 2026, not a standalone statute with its own penalties. Their force comes from the laws they reference, the Personal Data Protection Law and the Anti-Cyber Crime Law, both of which are already binding and enforceable in Saudi Arabia.
Do the guidelines ban deepfakes?
No. SDAIA states that the technology is not inherently harmful and that intent and application determine its impact. It distinguishes malicious deepfakes built to deceive, exploit, or harm from non-malicious uses in marketing, entertainment, retail, education, healthcare, and culture.
What must developers actually implement?
Privacy-by-design, anonymization, consent-management systems, non-intrusive digital watermarks, model documentation and explainability, and human oversight. Creators must apply visible, tamper-resistant watermarks, obtain explicit consent before using a person's likeness, keep auditable consent records, and use provenance techniques.
What is the likeness-removal right?
The Guidelines ask developers to run consent systems that let individuals request removal of their likeness from AI training datasets, meaning a person can ask that their face or voice be taken out of the data a model learns from.
Do these duties apply to non-Saudi companies?
They can. Because the Guidelines route obligations through the PDPL, which protects the personal data of individuals in Saudi Arabia, a foreign developer whose synthetic media uses the likeness or data of Saudi persons falls within scope.
Internal links
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.