Indonesia sets child protection standards for electronic system providers
On 27 March 2025, Indonesia issued Government Regulation No. 17 of 2025 on the Governance of Electronic System Providers in Relation to Child Protection (“Regulation 17”), which took effect immediately. Regulation 17 implements Law No. 11 of 2008 on Electronic Information and Transactions, specifically in relation to the protection of children in their use of and access to electronic systems.
This article outlines the key obligations of electronic system providers under Regulation 17.
General requirement
Under Regulation 17, electronic system providers (“ESPs”) must provide protection for children, defined as anyone under 18 years old, who use or access any products, services, or features (“PSFs”) within their electronic systems. This protection includes upholding children’s rights, such as privacy and personal data protection, freedom from sexual or economic exploitation, freedom of expression and opinion, and ensuring their physical, mental, and psychological safety from the misuse of electronic information and/or electronic documents that violate these rights.
ESPs include individuals, state administrators, entities, and communities that provide, manage, and/or operate electronic systems for their own purposes and/or the benefit of others, either individually or jointly.
When developing and/or providing PSFs intended for children, ESPs must prioritise the best interests of the child and ensure children’s rights take precedence over commercial interests.
Minimum age
ESPs must set out the minimum age required to use their PSFs. Under Regulation 17, this requirement is set at three years old. ESPs are also required to implement a user age verification mechanism that incorporates technical and operational measures to ensure compliance with the minimum age limit.
Risk profiling
ESPs must assess their PSFs against the following aspects to determine whether they are a high or low risk for children:
|
· Contact with unknown persons |
· Exposure to pornographic, violent, or life-threatening content, or other content that is not suitable for children |
|
· Exploitation of children as consumers |
· Threats to the security of children’s personal data |
|
· Risk of addiction |
· Psychological health disorders |
|
· Physiological disorders |
|
A PSF is classified as high-risk if it is assessed as high-risk in any one of the above aspects. Conversely, it is considered low-risk only if it is assessed as low-risk across all aspects.
ESPs must report the results of their self-assessment to the Minister of Communication and Digital Affairs (“Minister”) for verification and final determination of the risk profile. Regulation 17 does not provide a timeframe for the conduct and reporting of mandated self-assessments. However, the procedures for assessment under Regulation 17 is expected to be enumerated further in subsequent regulations.
Reporting mechanism
ESPs must implement a reporting mechanism that is accessible to children, parents, and guardians for the misuse of PSFs that violates or may potentially violate children’s rights. Any party aware of any actual or potential violation of an ESP’s obligations may submit a report to the Minister either online or in writing. The report must specify details of the alleged violation, supporting evidence, and the identities of both the reporter and the ESP being reported. The Minister will conduct an initial assessment and may request additional documents or evidence before deciding on further action.
Parental consent
Before a child can access a PSF, the ESP must obtain consent from the child’s parents or guardians. Access may only be granted after the consent is obtained. For children under 17, parents or guardians must be given 24 hours to provide their consent.
For children aged 17, ESPs may request consent directly from the child, provided the child’s parents or guardians are notified and do not submit an objection within six hours of the notification.
ESPs are prohibited from offering PSFs to children whose parents or guardians refuse to give consent. Consent given directly by the child in such cases is void by operation of law, and ESPs must delete the child’s personal data.
Minor accounts
If ESPs require children to register or create an account to access PSFs, they must comply with the following minimum age requirements:
- Under 13: Children may have low-risk, child-specific PSF accounts with parental consent (e.g. school-learning platforms).
- Ages 13 to under 16: Children may have low-risk PSF accounts with parental consent.
- Ages 16 to under 18: Children may have any PSF account with parental consent.
ESPs must provide technologies and functions that enable parents to supervise their children’s use of PSFs via their accounts. Parental controls are one example of such features.
Clear and accessible information
ESPs must provide users with complete, accurate, and non-misleading information about their PSFs. This information must be written in a language that children, parents, and guardians can easily understand, and it must be presented in an accessible, user-friendly format.
Key prohibitions
ESPs are prohibited from using hidden or non-transparent methods, techniques, or practices when developing or implementing PSFs. This includes encouraging children to disclose more personal data than is necessary to use or access PSFs, as well as persuading them to disable or weaken privacy protection features.
ESPs are also prohibited from collecting precise geolocation data from children unless it is strictly necessary to provide the requested PSFs and is limited to a specific period.
Additionally, profiling children by analysing their content selection based on their access history over time - such as for the purpose of offering products and services - is prohibited. However, this prohibition does not apply if it can be demonstrated that the profiling is in the best interests of the child.
Sanctions
The Minister may impose administrative sanctions if ESPs violate Regulation 17. These sanctions include:
- written warnings;
- administrative fines;
- suspension; and/or
- termination of access.
Suspension involves ordering the ESP to temporarily stop providing PSFs through its electronic system. Termination of access involves ordering the ESP to withdraw the PSFs from the market.
An ESP may face one or more of these sanctions for a violation. The Minister may notify the public of the sanctions imposed on ESPs through the Ministry’s official website. Imposing administrative sanctions does not eliminate criminal and/or civil liability.
