A new Indonesian government regulation introduces a structured governance framework intended to strengthen online protection for children. This regulation applies to a broad range of electronic systems operators (ESOs), including businesses that manage websites, social media platforms, game consoles, and IoT-enabled devices.
Introduction
In response to the increasing risks children face in the digital space, the Indonesian government has issued Government Regulation No. 17 of 2025 on the Governance of Electronic System Implementation in Child Protection (GR 17/2025). This new regulation is an implementing regulation of Law No. 11 of 2008 on Electronic Information and Transactions (as amended).
GR 17/2025 introduces structured governance for ESOs to help ensure the online safety of anyone under 18 years old (Children). Drawing from global best practices, including the Age-appropriate Design Code, the regulation aims to put the best interests of children at the forefront.
While GR 17/2025 allows for a two-year transition period, ESOs are encouraged to immediately begin assessing how its various new obligations can be implemented in their existing business operations.
Key points to consider
Key points to note from GR 17/2025 include the following:
Scope of the regulation
GR 17/2025 applies to certain public ESOs and private ESOs that develop and/or operate internet-connected products, services, and features (collectively, Products) which:
- are specifically designed for Children's use or access; or
- could be used or accessed by Children based on certain indicators (eg internal documentation showing that the Products are intended for Children, or strong evidence that a significant portion of regular users are Children).
ESOs encompass individuals, state administrators, business entities, and communities that provide, manage or operate electronic systems. Electronic systems are defined broadly to include a series of electronic devices and procedures that handle electronic information including its collection, processing, storage, and transmission, such as websites, digital platforms, and IoT-enabled devices. Given the broad definition of ESOs and noting the second criterion above (Products that could be used or accessed by Children), many parties are likely to be subject to the obligations under GR 17/2025.
Who are considered Children?
GR 17/2025 defines Children as anyone under 18 years of age. However, different age thresholds for children are recognised under Indonesian law. For example, the Indonesian Civil Code states that individuals who either have reached the age of 21 or are married are considered adults.
Risk-based approach
ESOs must conduct a self-assessment to determine whether their Products pose a high or low risk to Children. This assessment is based on aspects such as interaction with unknown individuals or exposure to harmful content. This self-assessment must then be reported to the Ministry of Communications and Digital Affairs (MOCD), which will verify it and determine the risk profile. GR 17/2025 envisages the issuance of further implementing regulations on the mechanism and procedure for this self-assessment.
Age-appropriate applications
ESOs must establish a minimum age limit for Children using their Products. The lowest age limit is set at 3 years old, with the age range divided into five groups: 3 to 5 years old, 6 to 9 years old, 10 to 12 years old, 13 to 15 years old, and 16 to under 18 years old. ESOs are required to ensure that their Products are appropriate for and aligned with these minimum age limits and age group classifications.
Product usage requirements
ESOs must comply with the following consent requirements before allowing Children to use their Products, depending on the Children's age:
- for Children under 17 years old, the ESOs must obtain parental opt-in consent, allowing a 24-hour window for parents or guardians to provide consent. Until consent is provided, the Children cannot be given access to the relevant Products; and
- for Children who are at least 17 years old, the ESOs may request consent directly from the Children, but must also send an opt-out notification to the Children's parents or guardians to request confirmation, allowing a 6-hour window for any objections. Children can only be given access to the relevant Products once that 6-hour window has passed without any objections.
Account registration
ESOs that require account registration must follow the minimum age limits for Children set out in the accompanying table:
| Children's age | Usage and Accessibility to Products | Risk profile | Consent required |
| --- | --- | --- | --- |
| < 13 years old | Only for Products specifically designed for Children's use or access | Low-risk profile | Parental consent |
| ≥ 13 and < 16 years old | All Products | Low-risk profile | Parental consent |
| ≥ 16 and < 18 years old | All Products | All risk profiles | Parental consent, except for Children aged 17 years old and above (see Product usage requirements above) |
ESOs must also provide effective technological and operational measures that allow parents to monitor their Children's use of Products – for example, through parental control features embedded in their Children's accounts.
Age verification mechanism
ESOs must implement technical and operational measures to verify the age of Children using or accessing their Products, to ensure compliance with the minimum age limits and age group classifications.
Tracking notification
ESOs are prohibited from collecting precise geolocation information from Children. This includes prohibiting:
- collection of precise geolocation information from Children by default, unless such collection is strictly necessary to provide the Products requested by the Children and is only for a limited period; and/or
- collection of precise geolocation information from Children who use or access Products, unless the ESOs clearly indicate to the Children at the time of collection that their geolocation information is being collected.
If an ESO offers Products that allow parents, guardians or other users to monitor Children's activities or track their location, the ESO must notify the Children by displaying a sign or signal whenever they are being monitored or tracked.
Privacy and restriction on profiling
For any Products specifically designed to be used or accessed by Children, or that may potentially be used or accessed by Children, the ESO must configure the settings at a high privacy level by default. This will ensure that Children's personal data is processed only through limited and specific means. There is also a prohibition against profiling Children. This prohibition on profiling can be exempted under certain circumstances, including if the ESO can demonstrate that the profiling is in the best interests of the Children concerned.
Transparency
ESOs must provide specific information in the Indonesian language, using a format that is understandable and accessible. This includes information on the minimum age limit and age ranges for Children, safe usage guidelines for the Products, and community standards. For instance, an ESO may use pop-ups to display the minimum age limit and age ranges for Children.
Educational role
ESOs must engage in educational and digital ecosystem empowerment initiatives that promote the protection of Children's rights. As part of this responsibility, ESOs must submit reports to the MOCD at least annually detailing the implementation of these efforts.
Supervision and administrative sanctions
The MOCD oversees the implementation of GR 17/2025 to ensure compliance. Failure to comply with certain provisions may result in administrative sanctions in the form of a written warning, administrative fine, temporary suspension, and/or termination of access. The MOCD may also publish on its website any administrative sanctions imposed. Various factors will be taken into account by the MOCD in determining the appropriate sanctions to impose, including the length of the breach, the number of Children affected, and the degree of cooperation by the ESO concerned.
Conclusion
ESOs and other relevant parties have two years from the enactment date of GR 17/2025 to comply with the regulation, ie until 27 March 2027. They should therefore proactively begin aligning their operations to ensure full compliance by the time this transitional period ends.
Noting that some of the requirements will be regulated in future implementing regulations, ESOs should also monitor regulatory developments in this space.