The Indonesian government has taken a significant step toward strengthening child protection in the digital environment with the issuance of Government Regulation No. 17 of 2025, dated March 27, 2025, regarding the Governance of Electronic System Implementation in Child Protection (“GR 17/2025”). This regulation imposes binding obligations on Electronic System Providers (“ESPs”) – both public and private – to implement measures that protect children’s personal data and uphold their digital rights.
These obligations apply not only to services and platforms specifically designed for users under the age of 18, but also to any digital system that, by its design, features, or target audience, is reasonably accessible to or likely to be used by children.
GR 17/2025 provides a two-year transitional period for ESPs to bring their systems, internal policies, and operational practices into compliance with the regulation. Key obligations and implementation considerations are outlined in the sections below.
Key Compliance Obligations
Under GR 17/2025, all ESPs, whether public or private, are required to take active measures to protect children who use or access their platforms. The regulation introduces the following key definitions:
- Child: Any person under the age of 18.
- Electronic System: A set of electronic devices and procedures used to prepare, collect, process, analyze, store, display, announce, transmit, and/or distribute electronic information.
- Electronic System Provider: Any individual, government body, business entity, or community that provides, manages, and/or operates an electronic system, either independently or in cooperation with others, for its own purposes or on behalf of others.
The regulation applies to the following types of products, services, and features:
- Those specifically designed to be used or accessed by children; or
- Those that can reasonably be expected to be used or accessed by children, based on factors such as marketing strategies, user demographics, or the design and functionality of the user interface.
General Obligations
ESPs are required to implement technical and operational safeguards to protect children. In particular, they must:
- Provide clear information on minimum age requirements, categorized into the following age groups:
  - 3–5 years
  - 6–9 years
  - 10–12 years
  - 13–15 years
  - 16–17 years
- Implement user age verification mechanisms; and
- Establish reporting mechanisms to address misuse of products, services, or features that violate or may violate children’s rights.
Risk Level Categorization
Digital products, services, and features must be assessed and categorized based on the level of risk they pose to children – either (i) high risk or (ii) low risk.
The risk assessment must consider a range of factors, including:
- The potential interaction with unknown individuals;
- Exposure to pornographic, violent, or otherwise inappropriate content;
- The risk of exploiting children as consumers;
- Threats to a child’s psychological well-being; and
- Potential for physiological harm.
Core Obligations of ESPs
In addition to the above, ESPs are required to:
- Obtain verifiable consent from a parent or legal guardian before granting access to children;
- Conduct a personal data protection impact assessment (DPIA) specific to child users;
- Configure default privacy settings at a high level for products or services used by or accessible to children;
- Provide complete, accurate, and non-misleading information to users in a child-friendly manner;
- Implement digital education and empowerment initiatives for children;
- Provide notifications (e.g., signals or icons) when tracking or monitoring a child’s activity or location;
- Offer age-appropriate features and functionality;
- Clearly designate the party responsible for processing children’s personal data in internet-connected toys or devices;
- Ensure that all third parties working with the ESP comply with applicable child protection standards; and
- Appoint a Data Protection Officer (DPO) to oversee and implement personal data protection measures related to children.
Consent Mechanism and Timing
Importantly, GR 17/2025 requires that consent be obtained before a child is allowed to use any product, service, or feature offered by an ESP. This consent must be actively acquired and transparently communicated, ensuring that parents or guardians are fully informed and involved in the process.
The regulation allows for an opt-out mechanism in certain cases, subject to the following specific conditions:
- For children under the age of 17, ESPs must allow a 24-hour window for the child’s parent or legal guardian to provide explicit consent. During this window, the child must not be granted access. If no consent is received within this 24-hour timeframe, access must be denied; and
- For children aged 17, ESPs may provisionally allow access unless the parent or guardian objects within six hours. If no objection is raised during this period, access may proceed.
If a parent or legal guardian refuses to provide consent, the regulation is clear: any prior consent given by the child is rendered null and void (batal demi hukum) and the ESP is obligated to delete the child’s personal data from its systems.
Prohibited Activities
The regulation prohibits ESPs from engaging in the following activities:
- Using hidden or non-transparent techniques in the development or operation of products, services, or features;
- Collecting the precise geolocation data of children, except where strictly necessary and limited in duration; and
- Engaging in profiling of children, except under strict conditions where it is demonstrably in the best interests of the child or explicitly requested by the child.
Supervision and Sanctions
The Ministry of Communication and Digital Affairs (“MOCDA”) is granted the authority to supervise the implementation of electronic systems as they relate to child protection. This includes the power to monitor compliance, receive and investigate public reports or complaints, conduct both preliminary and follow-up examinations, and access relevant systems, data, and documentation from ESPs. The MOCDA may summon ESPs, request clarifications, inspect digital infrastructure, and coordinate with other government bodies or experts. If violations are found, the MOCDA may impose administrative sanctions.
Violations of GR 17/2025 may result in one or more administrative sanctions, including:
- Written warnings;
- Administrative fines;
- Temporary suspension of products, services, or features; and/or
- Blocking access to systems.
The MOCDA is authorized to publicly announce any administrative sanctions imposed on ESPs through its official channels. In addition, failure to protect children’s personal data may trigger administrative sanctions under Indonesia’s Personal Data Protection Law (Law No. 27 of 2022 regarding Personal Data).
Recommendations
To prepare for full compliance with GR 17/2025, ESPs should begin internal audits of their digital offerings, categorizing which services are likely to be accessed by children and assessing their risk levels. Providers should establish or refine their parental consent workflows, age verification tools, privacy policies, and internal governance structures, including the appointment of a Data Protection Officer with a clear mandate for overseeing children’s data protection.
ESPs are also advised to closely monitor the issuance of implementing regulations, which are expected to provide further clarity on matters such as age group classifications, the extent of MOCDA’s supervisory powers, and the procedural steps for enforcement.
With the two-year transition period now underway, ESPs are encouraged to begin making the necessary adjustments now. Failure to prepare for the upcoming enforcement regime may expose providers to significant legal, reputational, and operational risks. GR 17/2025 marks a broader shift toward more ethical digital practices. ESPs that take the lead in aligning with these standards will not only fulfil their legal obligations but also build lasting trust with the next generation of digital users. (3 June 2025)