Overview

With the goal of strengthening children’s online protection, the Indonesian Government recently enacted Government Regulation No. 17 of 2025 on the Governance of Electronic System Implementation in Child Protection (New Regulation), which came into force on 27 March 2025. The New Regulation implements Articles 16A and 16B of Law No.1 of 2024, which is the second (and most recent) amendment to Law No.11 of 2008 on Electronic Information and Transactions Law (EIT Law).

The New Regulation sets out specific obligations that require electronic system providers (ESPs) to ensure the protection of children from online threats when they access or use electronic systems.

Who is impacted by the New Regulation?

The New Regulation applies to all ESPs, including public ESPs (those operated or owned by the government or designated agencies) and private ESPs, that provide products, services or features (collectively referred to as the System) that are either specifically intended for children or are likely to be accessed or used by children.

Under the New Regulation, a “child” is defined as an individual under the age of 18 and sets the minimum age for a child that can access or use the System at three years old.

An ESP may be deemed likely to be accessed or used by children if any of the following indicators are present:

• the terms, conditions, rules or policies (whether published or outlined in an ESP’s internal document) indicate that the System is intended for use by, or accessible to, children;

• advertisements on the System are targeted at children;

• the System is substantially similar to other Systems that are designated or specifically intended for children;

• there is strong evidence that a significant portion of the regular users of the System are children; and/or

• the design of the System is created or presented in a way that appeals to children.

The New Regulation does not regulate how the Minister of Communication and Digital Affairs

The New Regulation does not regulate how the Minister of Communication and Digital Affairs (the Minister) will use the above indicators to assess whether an ESP and its System will be subject to the New Regulation. The New Regulation contemplates that the Minister will issue an implementing regulation on this subject.

Key provisions on ESP obligations relating to child protection

A summary of the key ESP obligations under the New Regulation is set out below:

1. Risk level assessment and verification

An ESP is required to self-assess the risk level that its System may pose to children or minors (Risk Assessment). The System will be classified as either low or high risk. In determining the appropriate classification, the ESP must consider the following aspects that may affect children:

(a) exposure to or interaction with unknown individuals through the System;

(b) exposure to pornographic, violent, life-threatening or other content inappropriate for children;

(c) exploitation of children as consumers;

(d) threats to the security of children's personal data;

(e) the potential for addiction to the System;

(f) the potential for psychological health disorders in children; and

(g) the potential for physiological impairment.

If the System has one or more of the above aspects, it will be classified as having high risk. In contrast, if the System does not have any of the above aspects, it will be classified as having low risk.

Following completion of the Risk Assessment, the ESP must report the Risk Assessment results to the Minister for verification of the System's risk profile (whether the System is considered as low-risk or high-risk).

The New Regulation contemplates that the Minister will issue an implementing regulation addressing the procedures and parameters for the Risk Assessment. We also anticipate that the implementing regulation will include details on the format and timeline for submission to the Minister, which are not currently regulated under the New Regulation.

2.Information on the minimum age limit for children and consent

ESPs are required to provide information on the minimum age limit and age range for children that is suitable for its System. For ESPs that require its users to register their accounts, the New Regulation classifies children into three main age categories. Different age ranges have the following different permissible account type requirements:

ESPs must obtain a parent’s or guardian’s consent within 24 hours before providing access and must not provide access to the System until such consent is obtained.

The New Regulation provides leniency for 17-year-old children where an ESP must give a six-hour objection period to the 17-year-old’s parents or guardian. The ESP must not give the 17-year-old access to the System during the six-hour objection period.

3. Verification mechanism for child user

The New Regulation requires ESPs to have a mechanism in place to verify that the user is a child within the age limits as outlined in point 2. above. In implementing such verification, the ESP must ensure the protection of children's personal data, including processing data solely for the purpose of age verification and deleting the data used for verification once the purpose has been fulfilled.

4. Providing an easily accessible reporting mechanism for the misuse of a system that violates (or may potentially violate) children’s rights, which must be available to children, parents and guardians

ESPs are required to provide tools, services or features that can be easily used or accessed by children or their parents or guardians, to exercise the children's right to submit reports or complaints regarding issues they encounter relating to the System. ESPs must also implement operational and technical measures to respond to and/or follow up on such reports or complaints.

5.Complying with children’s data protection requirements in processing their data in the system

(a) ESPs’ obligations to protect children’s data privacy

ESPs must ensure children's data privacy protection, including by:

(i) obtaining consent from the child's parent/guardian for children under 17 years of age or the child’s consent with notification to the parent/guardian for children over 17 years old before the child can use or access the System;

(ii) conducting a Personal Data Protection (PDP) Impact Assessment (DPIA) in accordance with the Indonesian PDP law;

(iii) providing an option to set privacy levels (either permanently or temporarily) based on the results of the DPIA, or configuring the System settings specifically designed for children to default to high privacy settings;

(iv) providing complete, accurate, truthful and non-misleading information for users to understand the System, using language that is easy to comprehend and in a format that is accessible to both children and their parents/guardians;

(v) conducting education and empowerment of the digital ecosystem;

(vi) providing clear notifications, indicators or signals to children, if the System has features for parents/guardians or other users to monitor the child’s activities or track the child’s location;

(vii) providing features options that are appropriate to the child’s capacity and age;

(viii) determining the party responsible for processing the child’s personal data in the provision of gaming systems that enable connection to the internet;

(ix) ensuring that parties appointed or cooperating with the electronic system comply with child protection requirements; and

(x) appointing an officer or personnel responsible for carrying out personal data protection functions.

(b)Prohibitions for ESPs in processing children’s data

In addition to the obligations on child data protection referred to above, ESPs are prohibited from conducting the following activities:

(i) using any methods, techniques, or practices that are hidden or not transparent in the development or operation of the System, which encourage a child to disclose unnecessary personal data, release or reduce privacy protection functions or cause harm to their physical, mental, or overall well-being. Examples include directing a child to permanently change their privacy settings or designing the interface in a way that nudges the child toward less privacy-protective choices. This could include making those less safe options more visually appealing, easier to access, or more prominently displayed than the safer alternatives;

(ii) collecting a child's exact location data, unless for a limited of time for the ESP to provide its System based on the child's request, and must be done with a clear notification or an indicator to the child that the location data is being collected by the ESP; and

(iii) creating profiles of children (profiling), including for the purpose of offering products or in any way influencing content preferences based on the content history accessed by the child over a certain period, unless it is in the child's best interest.

Enforcement and transition period

Failure to comply with the above obligations may expose the relevant ESPs to administrative sanctions imposed by the Minister that may include written warnings, fines, temporary suspension and/or termination of access to the System. The government has provided a two-year transition period from the enactment of the New Regulation on 27 March 2025, to allow ESPs and other relevant parties time to comply with the provisions. This transition period only applies to the New Regulation and not to the requirements for protecting children’s personal data under the Indonesian PDP law.

What is next?

Given the two-year transition period, ESPs are encouraged to begin preparing for compliance with the New Regulation. Proactive preparation will help ensure a smoother transition and facilitate compliance with the New Regulation.

It is hoped that with the New Regulation in place, children are assured increased online protection against potential predatory activities and other threats.

We will continue to monitor legal developments and keep you updated as more information on the New Regulation’s implementation becomes available. As mentioned above, we are expecting several new implementing Ministerial regulations to be issued in the near future and will report on them once they have been passed.