08 May 2025
Indonesia’s Child Protection Regulation Poised to Enhance Children’s Rights Protection in Digital Space

It is inevitable that the internet has become a fundamental infrastructure in various aspects of society, including trading, entertainment, education, and government administration. The offering of digital products via digital media, via websites, applications, and platforms has indisputably brought convenience and increases accessibility to a broader market, at an unprecedented rate. Digital products are easily accessible by users regardless of their location, education, and age. While this development offers substantial benefits for the public and economy, it poses inherent risks to one of the most vulnerable groups in society: children. The rapid flow of information, combined with children’s lack of maturity, may expose them to exploitation or adversely affect their growth and development. 

Attempts to create a safer digital space for children have been reflected through Law No. 1 of 2024 on the Second Amendment to Law No. 11 of 2008 on Electronic Information and Transaction (“EIT Law”), specifically under Article 16A and Article 16B. On 27 March 2025, the government subsequently issued the Government Regulation No. 17 of 2025 on the Governance of the Operation of Electronic Systems in Child Protection (“Online Child Protection Regulation”), which provides more detailed rules on the implementation of child protection requirements under the EIT Law.

The Online Child Protection Regulation establishes more detailed provisions on the scope and mechanisms of protection that must be employed when offering online products to child users. This includes the responsibilities of electronic systems operators (“ESOs”) in safeguarding children’s rights, supervision, and administrative sanctions for noncompliance. The Online Child Protection Regulation gives a grace period of 2 years since its enactment for ESOs to fully comply with the provisions within.

The key provisions of the Online Child Protection Regulation are as follows:

  1. Scope of Child and ESO

Any person under the age of 18 is classified as a child (“Child/Children”) and falls within the protection established under the Online Child Protection Regulation. This stipulation helps clarify the legal ambiguity of the legal age, particularly considering the multiple age thresholds recognized under Indonesian law. For instance, the Indonesian Civil Code stipulates the age limitation to 21 years old and not married or previously married, meanwhile the Indonesian Criminal Code defines a child as anyone under 16.

The Online Child Protection Regulation applies to both public and private ESOs that develop and/or operate products, services, or features connected to the internet or capable of connecting to the internet (“Products, Services, or Features”). These include websites, cellular applications, social media applications, game platforms, or any features thereof. These Products, Services, or Features —whether monetized or not —are not limited to those specifically designed for Children, but also include those that may be accessed by them. As such, even ESOs that do not target Children must assess whether their Online Products, Services, or Features would be accessible by Children.

This assessment must consider the following indicators:

  1. the ESO’s terms, conditions, rules, or policiespublished or compiled in an internal document indicate that the Products, Services, or Features are intended for use by Children;
  2. there is strong evidence that the composition of regular users are Children;
  3. advertising content is directed to Children;
  4. the design elements are made or displayed in such a way as to be attractive to Children;
  5. the Products, Services, or Features are substantially similar to others known to be used by Children.

 

  1. Responsibilities of ESOs

    1. Minimum Age

ESOs must disclose and provide information on the minimum age required to use the Products, Services, or Features and ensure that these offerings are age-appropriate. Under the Online Child Protection Regulation, the minimum age for a Child allowed to use such products or services is 3 years old. The Online Child Protection Regulation also classifies Child users into the following age groups:

  1. 3 to 5 years old
  2. 6 to 9 years old
  3. 10 to 12 years old
  4. 13 to 15 years old
  5. 16 to under 18 years old.

 

  1. Age Classification for Account Creation

ESOs that require user registration or account creation must comply the following limitations:

  1. Children under 13 years of age, may only have accounts in Products, Services, or Features specifically designed for Children and is classified as having a low risk profile;

  2. Children aged 13 to under 16 years, may only have accounts in Products, Services, or Features with low risk profile;

  3. Children aged 16 to under 18 years, may have accounts in any Products, Services, or Features.

However, in all cases, the creation of an account by a Child must be based on Parental consent is required in all cases of account creation. ESOs must implement effective technical and operational measures that allow parents to monitor and supervise their Child’s activity.
 

  1. Geolocation Restrictions

Collection of precise geolocation of Children are expressly prohibited, including collection of geolocation by default, except where the geolocation data collection is: (i) absolutely necessary to deliver a requested service; and (ii) only for a limited period. Even then, Children must be clearly notified that their location is being tracked. 
 

  1. Profiling Restrictions

The Online Child Protection Regulation touches on the topic of profiling Children. Under the PDP Law, "profiling" means the activity of electronically identifying an individual including but not limited to the Personal Data Subject's employment history, economic condition, health, personal preferences, interests, reliability, behavior, location, or movements. While the PDP Law does not prohibit profiling, it is prohibited for children unless there is a compelling justification on the necessity aspect. The profiling of Children for the purpose of offering products or services is also prohibited under the Online Child Protection Regulation, with the exemption wheresuch profiling is in the best interests of the Child. 

Profiling children—regardless of the method or purpose—is prohibited unless:

  • There is a compelling justification that the profiling is in the child’s best interest; or

  • It is an essential component of a Product, Service, or Feature that the Child has actively and consciously requested. 
     

  1. Age Verification

ESOs must implement a mechanism using technical and operational measures for age verification to ensure that Children accessing their services are within the permitted age ranges, with the level of scrutiny adjusted based on the potential risks to the Child's rights. This means that Online Products, Services and Features considered more sensitive or potentially harmful will require more robust verification processes.

Importantly, any age verification mechanism must respect the privacy of Child users. Personal data collected for verification must only be used for that specific purpose and must be deleted once the process is complete, unless retention is permitted by applicable law. ESOs are also expected to offer a clear process for users to object or change decisions based on age, if the actual age of the user does not match the identified age, and to ensure that their services are accessible to all users, including those with protected characteristics. If ESOs are unable to meet these verification standards, they’re still required to safeguard Children's data using appropriate technical operational measures.

  1. Sanctions for Non-Compliance 

The Minister of Communications and Digital (“MOCD”) has the authority to monitor ESO activities and investigate any suspected violations of the Online Child Protection Regulation. In the event of non-compliance, the MOCD may impose the following administrative sanctions on the ESO:

  1. written warning;
  2. administrative fine;
  3. temporary suspension; and/or
  4. access termination.

Sanctions will be determined based on the severity of the violation is assessed based on its duration, the number of affected Children, and the impact on their rights. The ESO’s level of cooperation and other mitigating or aggravating factors will also be considered.

  1. ABNR Commentary

The Online Child Protection Regulation has been an awaited regulatory framework for regulating child protection in the digital space. It decisively clarifies how ESOs must protect Children's rights when offering online products and services. ESOs are now required to assess whether their offerings could be accessed by Children, and must ensure that the privacy, safety, and welfare of child users are prioritized at every stage. 

ESOs must also ensure that their products and services are age-appropriate for Children by implementing age verification mechanisms and adhere to prohibitions regarding the collection Children’s data, especially in collecting specific geolocation information as well as using the personal data of Children for profiling purposes. This forward-thinking mandate rightly places Children's best interests at the forefront, fostering a much-needed safer digital environment.

As mentioned above, the regulation grants a two-year transition period for ESOs to achieve full compliance. Thus, ESOs are given ample time to plan and implement the requirements as set out in the regulation, both upcoming Products, Services or Features, and for integrating Child protection measures to existing ones.  

By partner Agus Ahadi Deradjat (aderadjat@abnrlaw.com), senior associate Mahiswara Timur (mtimur@abnrlaw.com), associates Beverly Laza (blaza@abnrlaw.com) and Marshel Miyata (mmiyata@abnrlaw.com)

 

This ABNR News and its contents are intended solely to provide a general overview, for informational purposes, of selected recent developments in Indonesian law. They do not constitute legal advice and should not be relied upon as such. Accordingly, ABNR accepts no liability of any kind in respect of any statement, opinion, view, error, or omission that may be contained in this legal update. In all circumstances, you are strongly advised to consult a licensed Indonesian legal practitioner before taking any action that could adversely affect your rights and obligations under Indonesian law.  

 

NEWS DETAIL

08 May 2025
Indonesia’s Child Protection Regulation Poised to Enhance Children’s Rights Protection in Digital Space

It is inevitable that the internet has become a fundamental infrastructure in various aspects of society, including trading, entertainment, education, and government administration. The offering of digital products via digital media, via websites, applications, and platforms has indisputably brought convenience and increases accessibility to a broader market, at an unprecedented rate. Digital products are easily accessible by users regardless of their location, education, and age. While this development offers substantial benefits for the public and economy, it poses inherent risks to one of the most vulnerable groups in society: children. The rapid flow of information, combined with children’s lack of maturity, may expose them to exploitation or adversely affect their growth and development. 

Attempts to create a safer digital space for children have been reflected through Law No. 1 of 2024 on the Second Amendment to Law No. 11 of 2008 on Electronic Information and Transaction (“EIT Law”), specifically under Article 16A and Article 16B. On 27 March 2025, the government subsequently issued the Government Regulation No. 17 of 2025 on the Governance of the Operation of Electronic Systems in Child Protection (“Online Child Protection Regulation”), which provides more detailed rules on the implementation of child protection requirements under the EIT Law.

The Online Child Protection Regulation establishes more detailed provisions on the scope and mechanisms of protection that must be employed when offering online products to child users. This includes the responsibilities of electronic systems operators (“ESOs”) in safeguarding children’s rights, supervision, and administrative sanctions for noncompliance. The Online Child Protection Regulation gives a grace period of 2 years since its enactment for ESOs to fully comply with the provisions within.

The key provisions of the Online Child Protection Regulation are as follows:

  1. Scope of Child and ESO

Any person under the age of 18 is classified as a child (“Child/Children”) and falls within the protection established under the Online Child Protection Regulation. This stipulation helps clarify the legal ambiguity of the legal age, particularly considering the multiple age thresholds recognized under Indonesian law. For instance, the Indonesian Civil Code stipulates the age limitation to 21 years old and not married or previously married, meanwhile the Indonesian Criminal Code defines a child as anyone under 16.

The Online Child Protection Regulation applies to both public and private ESOs that develop and/or operate products, services, or features connected to the internet or capable of connecting to the internet (“Products, Services, or Features”). These include websites, cellular applications, social media applications, game platforms, or any features thereof. These Products, Services, or Features —whether monetized or not —are not limited to those specifically designed for Children, but also include those that may be accessed by them. As such, even ESOs that do not target Children must assess whether their Online Products, Services, or Features would be accessible by Children.

This assessment must consider the following indicators:

  1. the ESO’s terms, conditions, rules, or policiespublished or compiled in an internal document indicate that the Products, Services, or Features are intended for use by Children;
  2. there is strong evidence that the composition of regular users are Children;
  3. advertising content is directed to Children;
  4. the design elements are made or displayed in such a way as to be attractive to Children;
  5. the Products, Services, or Features are substantially similar to others known to be used by Children.

 

  1. Responsibilities of ESOs

    1. Minimum Age

ESOs must disclose and provide information on the minimum age required to use the Products, Services, or Features and ensure that these offerings are age-appropriate. Under the Online Child Protection Regulation, the minimum age for a Child allowed to use such products or services is 3 years old. The Online Child Protection Regulation also classifies Child users into the following age groups:

  1. 3 to 5 years old
  2. 6 to 9 years old
  3. 10 to 12 years old
  4. 13 to 15 years old
  5. 16 to under 18 years old.

 

  1. Age Classification for Account Creation

ESOs that require user registration or account creation must comply the following limitations:

  1. Children under 13 years of age, may only have accounts in Products, Services, or Features specifically designed for Children and is classified as having a low risk profile;

  2. Children aged 13 to under 16 years, may only have accounts in Products, Services, or Features with low risk profile;

  3. Children aged 16 to under 18 years, may have accounts in any Products, Services, or Features.

However, in all cases, the creation of an account by a Child must be based on Parental consent is required in all cases of account creation. ESOs must implement effective technical and operational measures that allow parents to monitor and supervise their Child’s activity.
 

  1. Geolocation Restrictions

Collection of precise geolocation of Children are expressly prohibited, including collection of geolocation by default, except where the geolocation data collection is: (i) absolutely necessary to deliver a requested service; and (ii) only for a limited period. Even then, Children must be clearly notified that their location is being tracked. 
 

  1. Profiling Restrictions

The Online Child Protection Regulation touches on the topic of profiling Children. Under the PDP Law, "profiling" means the activity of electronically identifying an individual including but not limited to the Personal Data Subject's employment history, economic condition, health, personal preferences, interests, reliability, behavior, location, or movements. While the PDP Law does not prohibit profiling, it is prohibited for children unless there is a compelling justification on the necessity aspect. The profiling of Children for the purpose of offering products or services is also prohibited under the Online Child Protection Regulation, with the exemption wheresuch profiling is in the best interests of the Child. 

Profiling children—regardless of the method or purpose—is prohibited unless:

  • There is a compelling justification that the profiling is in the child’s best interest; or

  • It is an essential component of a Product, Service, or Feature that the Child has actively and consciously requested. 
     

  1. Age Verification

ESOs must implement a mechanism using technical and operational measures for age verification to ensure that Children accessing their services are within the permitted age ranges, with the level of scrutiny adjusted based on the potential risks to the Child's rights. This means that Online Products, Services and Features considered more sensitive or potentially harmful will require more robust verification processes.

Importantly, any age verification mechanism must respect the privacy of Child users. Personal data collected for verification must only be used for that specific purpose and must be deleted once the process is complete, unless retention is permitted by applicable law. ESOs are also expected to offer a clear process for users to object or change decisions based on age, if the actual age of the user does not match the identified age, and to ensure that their services are accessible to all users, including those with protected characteristics. If ESOs are unable to meet these verification standards, they’re still required to safeguard Children's data using appropriate technical operational measures.

  1. Sanctions for Non-Compliance 

The Minister of Communications and Digital (“MOCD”) has the authority to monitor ESO activities and investigate any suspected violations of the Online Child Protection Regulation. In the event of non-compliance, the MOCD may impose the following administrative sanctions on the ESO:

  1. written warning;
  2. administrative fine;
  3. temporary suspension; and/or
  4. access termination.

Sanctions will be determined based on the severity of the violation is assessed based on its duration, the number of affected Children, and the impact on their rights. The ESO’s level of cooperation and other mitigating or aggravating factors will also be considered.

  1. ABNR Commentary

The Online Child Protection Regulation has been an awaited regulatory framework for regulating child protection in the digital space. It decisively clarifies how ESOs must protect Children's rights when offering online products and services. ESOs are now required to assess whether their offerings could be accessed by Children, and must ensure that the privacy, safety, and welfare of child users are prioritized at every stage. 

ESOs must also ensure that their products and services are age-appropriate for Children by implementing age verification mechanisms and adhere to prohibitions regarding the collection Children’s data, especially in collecting specific geolocation information as well as using the personal data of Children for profiling purposes. This forward-thinking mandate rightly places Children's best interests at the forefront, fostering a much-needed safer digital environment.

As mentioned above, the regulation grants a two-year transition period for ESOs to achieve full compliance. Thus, ESOs are given ample time to plan and implement the requirements as set out in the regulation, both upcoming Products, Services or Features, and for integrating Child protection measures to existing ones.  

By partner Agus Ahadi Deradjat (aderadjat@abnrlaw.com), senior associate Mahiswara Timur (mtimur@abnrlaw.com), associates Beverly Laza (blaza@abnrlaw.com) and Marshel Miyata (mmiyata@abnrlaw.com)

 

This ABNR News and its contents are intended solely to provide a general overview, for informational purposes, of selected recent developments in Indonesian law. They do not constitute legal advice and should not be relied upon as such. Accordingly, ABNR accepts no liability of any kind in respect of any statement, opinion, view, error, or omission that may be contained in this legal update. In all circumstances, you are strongly advised to consult a licensed Indonesian legal practitioner before taking any action that could adversely affect your rights and obligations under Indonesian law.