Effective on 27 March 2025, the Indonesian Government officially enacted the Government Regulation No. 17 of 2025 on the Governance of Electronic System for Children (“GR 17/2025”). This regulation significantly raises the bar for children’s digital privacy and safety, mandating default privacy settings, comprehensive risk assessments, and Data Protection Impact Assessments (“DPIAs”), for all electronic services accessed by children, to ensure that privacy and safety are meaningfully integrated into the design in accordance with data protection principles.
Who Is Subject to This Regulation?
All Electronic System Operators (“ESO”), whether public or private, are subject to this regulation. Specifically discussing private ESOs, not all of them will be subject to the new obligations specified herein, only private ESOs that develop or operate products, services, or features that are:
- specifically intended and designed for children under 18 years of age; or
- likely to be accessed or used by children, based on factors like design, user demographics, advertisements, or past usage patterns.
GR 17/2025 is also intended to cover platforms such as educational apps, games, streaming services, marketplaces, and social media that may not be primarily targeted at children but are likely to be accessed by them based on certain indicators or evidence.
Risk-Based Obligations: Profiling Risk Exposure
ESOs must perform a Self-Assessment to determine the risk level of their products and services to children, considering exposure to:
- Harmful content (violence, pornography);
- Exploitation as consumers;
- Addiction and psychological impact;
- Data privacy threats; and
- Physiological health risks.
Products and services will be classified into the following risk level:
- High-Risk – If any risk area scores high; and
- Low-Risk – If all areas score low.
The Minister of Communication and Digital Affairs (“MoCD”) will verify and confirm these classifications and further determine the risk profile of Products, Services, and Features developed and/or operated by ESOs. The resulting risk profile may subsequently affect the specific obligations imposed on each ESO.
Mandatory DPIA
A mandatory DPIA applies to ESOs whose services fall under the definitions above. The DPIA must systematically assess risks to children’s personal data and inform decisions on appropriate privacy settings. Have you clearly identified the risk level, and the types of children’s data involved in your DPIA?
Default to High Privacy
ESOs must configure default privacy settings to “high” for any digital product or service that is designed for children or may be accessed by children. This includes restrictions on tracking, profiling, and location collection, unless proven necessary and in the child’s best interest. Any updates to ESOs’ Products, Services, and Features must retain user privacy settings or reset to high privacy by default.
Age-Based Access Rules
Age segmentation is enforced through the following five categories, which also affect the obligations of ESOs and the design of their services:
- 3–5 years;
- 6–9 years;
- 10–12 years;
- 13–15 years; and
- 16–17 years.
For instance, users under 17 years old, parental or guardian consent is mandatory, and access to the Product, Service, or Feature must be withheld until consent is received. However, for 17-year-old users, ESOs may request the user’s own consent but must notify the parent or guardian and provide a shorter time window for objection. Access must be restricted until this period expires without any objection.
What to Do Next?
- To conduct a DPIA and classify all your digital services’ risk profiles.
- To carry out audit of your products for features that could attract children unintentionally.
- To apply high default privacy settings where child access is possible.
- To set up age verification and parental consent mechanisms.
Should you have any inquiries related to this regulation or wish to ascertain its impact on your business or personal interests, please feel free to contact us.
©2025. Bagus Enrico. All Rights Reserved.
