Legal Framework for Child Online Protection in Indonesia

I. Introduction

The rapid digital transformation has integrated children into the online world at a dizzying pace, through a variety of electronic products, services, and features, including smartphones, social media, and online games. While beneficial for economic growth, the digital space poses material risks to children who may not be able to defend against potential dangers like privacy violations, unsafe interactions, and exploitation. This article will discuss the new Indonesian law aimed at protecting “children” in the digital environment.

II. Legal Framework and Scope

Recognising the need for enhanced protection, the Indonesian government issued Government Regulation Number 17 of 2025 on the Governance of Child Protection in the Provision of Electronic Systems (Child Online Protection Regulation or “COPR”). COPR serves as an implementing regulation for Articles 16A and 16B of Law Number 11 of 2008 on Electronic Information and Transactions as lastly amended by Law 1 of 2024 (the “EIT Law”) that emphasise the responsibility of Electronic System Providers (“ESPs”) to create a safer digital environment to protect children’s rights and well-being.

COPR applies to all ESPs, including public entities (e.g. government agencies and government-appointed institutions) and private sector companies. A key aspect of COPR is that it does not merely apply to electronic products, services, or features (“PSF”) intentionally designed for children. Any PSF that could potentially be used by children under 18 falls under its regulations.

Because of this “potential use” standard, even providers of PSFs not aimed at minors (i.e. banking apps, ride-sharing services, or social network platforms) are subject to COPR if indicators point to likely use of PSF by children. Additionally, COPR reaches companies outside the typical tech sphere. For instance, a toy manufacturer making internet-connected devices that collect personal data from children falls withing the purview of COPR. Several likely factors to identify services potentially used by children include the following:

  • Whether the terms of service permit or mention use by children;
  • Significant evidence showing that children are currently using the service;
  • Marketing or advertising materials targeted towards children;
  • Design features specifically appealing to younger users; or
  • Similarity of the service to other online platforms known to be frequented by children.

Due to COPR’s broad application and widespread internet use by Indonesian children (which in turn increases the likelihood of children using PSFs not necessarily catered for children), organisations doing business in Indonesia, especially developers and operators of electronic PSF, need to proactively learn the regulation’s mandates and the potential penalties for failing to adhere to them.

III. Key Provisions of COPR

 A. Age of Majority

COPR is the first Indonesian cyber law that provides a clear definition of the age of majority for users of electronic systems, where those under 18 years of age are considered to be children. This definition is in line with that of Indonesia’s umbrella child protection regulation, Law Number 23 of 2002 on Child Protection as amended by Law Number 35 of 2014 (“Child Protection Law”), and provides an answer to the existing debate whether the age of majority in the cyberspace follows that of the Child Protection Law or the Indonesian Civil Code (which is set at 21 years old).

B. Parental Consent

COPR requires ESPs to obtain consent from a parent or guardian before a child user can use PSF. Consent under COPR must be done in an opt-in manner, meaning that ESPs must procure parental or guardian consent before children can use PSF. An exception is set for children aged 17, where the ESP is allowed to request consent directly from the child, but the ESP must notify the parent/guardian to obtain their confirmation on the child’s consent.

If the parent or guardian refuses to provide consent or confirmation on the child’s consent, the ESP is prohibited from offering PSF to the child without exception. Consequently, the child’s consent is deemed null and void by COPR, and the ESP is required to delete the child’s personal data from its systems.

C. Risk-Based Assessment

ESPs are required to conduct a self-assessment to determine the risk level (high or low) of their PSF to children. The risk level of the PSF that the ESP assesses will depend on several factors, including potential contact with strangers, exposure to inappropriate content (e.g. pornography, violence, etc.), economic exploitation, data privacy threats, addiction potential, and psychological/physiological harm. The results must be reported to the Minister of Communications and Digital Affairs (“MCDA”), who will verify and determine the final risk profile of the relevant PSF.

D. Age Verification

ESPS must implement technical and operational measures to verify the age of child users according to defined age brackets (i.e. 3-5, 6-9, 10-12, 13-15, 16- under 18). This verification is done so that ESPs can ensure that child PSF users belong within the appropriate age bracket for which the PSF is designed.

In undertaking the verification process, ESPs must implement robust measures when conducting age verification, particularly limiting the collected personal data that is relevant only for age verification, delete data immediately after verification is concluded unless legally required, and provide redress mechanisms if the verification process determined a discrepancy between the child user’s claimed age and the identified age. If robust verification measures are not feasible for the ESP, they must apply child-protective privacy measures to all child PSF users.

E. Child Data Protection

Child data protection is a central theme of COPR. While COPR is not an implementing regulation of Law Number 27 of 2022 on Personal Data Protection (“PDP Law”) per se, adherence to the PDP Law is important to ensure compliance with COPR’s child data protection requirement since the latter has adopted many concepts that were outlined in the PDP Law.

As children’s personal data is considered specific personal data, its processing poses a potential high risk for the affected data subjects, hence necessitating data controllers (in this case, the ESPs) to implement additional, more secure data protection measures than when processing general personal data. Key child data protection requirements of COPR include the following:

  • Conducting a Data Protection Impact Assessment (DPIA) before processing children’s personal data;
  • High privacy settings are set by default for PSF used by children. Updates must maintain prior settings or reset to high privacy;
  • Appointment of a Data Protection Officer;
  • Prohibition for the collection of precise geolocation data from children by default, except when strictly necessary for a service and for a limited time, and always with clear notification;
  • Prohibition of children’s profiling by default, except if proven to be in the child’s best interest or is an essential part of the service actively requested by the child;
  • Prohibition of deceptive techniques (“dark patterns”) that push children to give up more data or lower privacy settings; and
  • Clearly define the parties responsible for processing personal data when internet-connected toys or devices process children’s personal data.

F. Content and Design

While not explicitly “content moderation” in the typical sense, ESPs are prohibited from implementing dark patterns that could manipulate children to provide or disclose personal data beyond what is needed by the child to use the PSF, and relinquish or reduce privacy protection functions of the PSF. ESPs are also prohibited from compelling children to undertake actions that the ESP knows or ought to know pose a danger to children’s health and well-being.

ESPs are also obliged to provide digital ecosystem education and empowerment activities for child users and their parents or guardians, which ESPs must annually report to the Minister of Communications and Digital Affairs (“MCDA”).

G. Sanctions

Failure to comply with COPR’s obligations can result in administrative sanctions imposed by the MCDA. These sanctions are cumulative-alternative (meaning they may not be sequential, and multiple can apply) and include:

  • Written reprimands;
  • Administrative fines;
  • Temporary suspension of the PSF; or
  • Access termination (blocking/removal from the market).

The determination of sanction severity under COPR involves evaluating multiple factors, including the violation’s gravity and duration, the scale of impact on children, the degree of cooperation shown by the ESP during investigation, and other relevant mitigating or aggravating circumstances. Unlike other implementing regulations of the EIT Law, COPR introduces a provision allowing ESPs to appeal sanctions administered by the MCDA.

Nevertheless, specific breaches related to COPR’s child data protection requirements are explicitly carved out from this sanction structure. Such violations are instead addressed under the enforcement framework of the PDP Law. Therefore, non-compliance with COPR’s stipulations on child data protection could lead to the imposition of administrative sanctions as defined by the PDP Law, which include potential fines calculated as a percentage (reportedly up to 2%) of the data controller’s annual turnover.

IV. Recommendations for ESPs

Since its promulgation on 27 March 2025, COPR has provided all ESPs with a two-year grace period. The grace period means that while COPR is already effective, the MCDA gives ESPs time to adjust their electronic systems to comply with its myriad requirements. The MCDA will not enforce COPR violations against ESPs until the end of the grace period.

While more technical requirements will need further guidance under an MCDA regulation, ESPs should at the very least gradually implement some critical requirements under the COPR. The first one would be parental consent mechanisms, which should be steadily rolled out to cover all applicable platforms and user interactions involving children.

Next, ESPs should ensure their compliance with child data protection requirements. While many organisations will have already complied with the PDP Law to a certain degree, it is good practice to reassess whether specific data protection measures for child personal data have already been implemented or not. For instance, if an ESP processes children’s data, DPIAs should be immediately conducted so ESPs can comply with the requirements of both the PDP Law and COPR, and also gain a better understanding whether their child data processing activities poses risks to the rights and safety of children and subsequently implement necessary technical and operational measures to mitigate those risks effectively before launching or modifying PSFs. Additionally, ESPs should apply high privacy settings to their PSFs for their child users, particularly by disabling profiling and child geolocation data collection.

All in all, it would be better for ESPs to begin implementing these foundational changes proactively rather than waiting for further detailed regulations or guidance from MCDA. Earlier compliance efforts would ensure smoother integration of child online protection measures into ESPs’ systems and therefore reduce the risk of non-compliance by the end of the grace period.

V. Conclusion

COPR represents a significant legal advancement responding to the growing need to protect children navigating the digital world. Its extensive reach, which goes beyond services specifically created for kids to include any platform that might be used by minors under the age of 18, demands that all ESPs operating in Indonesia must give it careful consideration.

Proactive compliance is crucial for ESPs because of the meticulous requirements and possible severe penalties under the PDP Law and COPR for data protection violations. Even though there is a two-year grace period, and more MCDA guidance is anticipated, organisations are encouraged to prioritise comprehending and implementing foundational changes sooner rather than later. In addition to reducing legal and reputational risks, adopting these steps early on will significantly improve the safety and reliability of Indonesian children’s online experiences.