GETPOST.ID, Jakarta – The advancement of digital technology presents unique challenges in protecting children in the online space. In response, the Indonesian government has enacted Government Regulation No. 17 of 2025 concerning the Governance of Electronic System Operation in Child Protection (“PP 17/2025”). This regulation governs the management of electronic system-based products, services, and features that are intended for or can be accessed by children under the age of 18. It imposes obligations on both public and private Electronic System Operators (“ESOs”) to implement child protection measures. Given the mandatory two-year adjustment period following the enactment of this regulation, ESOsare encouraged to begin internal preparations to align their policies, systems, and operations with the provisions set out in the regulation.
Parties Affected by Government Regulation No. 17 of 2025
The obligations outlined in PP 17/2025 apply to ESOs which refer to any individual, state administrator, business entity, or member of the public who provides, manages, and/or operates electronic systems—either independently or jointly—for their own use and/or for the use of others. ESOs are categorized into two scopes:
- Public: government agencies or institutions, or those appointed by government institutions.
- Private: parties that develop products, services, and features specifically designed for or potentially accessible by children.
The products, services, and features covered under this regulation include:
- Products, services, and features explicitly designed for use by children; and
- Products, services, and features that may be used or accessed by children, even if not explicitly intended for them.
The criteria for determining whether a product, service, or feature may be “accessible by children” have not yet been fully defined and will be further regulated through a Ministerial Decree, which is currently pending. However, preliminary indicators that can be used include:
- Terms or policies indicating that the product, service, or feature is intended for or accessible by children;
- User data showing that children represent a dominant or significant segment of the user base;
- Advertising materials that target children;
- Design elements (e.g., characters, colors, visuals, or interfaces) that explicitly appeal to children;
- Substantial similarity to other products that are known to be used or accessed by children.
ESOs Compliance with Child Protection in Digital Services
To comply with the regulation, ESOs must fulfill several key responsibilities to protect children’s rights and safety in digital spaces. The following section outlines these responsibilities in greater detail.
Parental or Guardian Consent
ESOs are required to obtain consent from a parent or guardian before a child can access the provided products, services, or features. However, if the child is at least 17 years old, the operator may obtain consent directly from the child, provided that the parent or guardian is also notified for confirmation purposes. If the parent or guardian does not give consent, any consent previously provided by the child becomes legally invalid.
Risk Assessment
ESOs are obligated to conduct a risk assessment for children who access their products, services, and features. This assessment must consider potential risks based on the following aspects:
- Contact with unknown individuals;
- Exposure to pornographic content, violent content, content dangerous to life safety, or other content inappropriate for children;
- Exploitation of children as consumers;
- Threats to the security of children’s personal data;
- Risk of addiction;
- Psychological health issues; and
- Physiological health issues.
The level of risk is classified into two categories: low risk and high risk. If a product, service, or feature exhibits high risk in one or more of the aspects above, it will be categorized as having a high-risk profile.
Provision of Minimum Age Limits and Account Registration Based on Child Age Categories
Children’s ages are categorized into three groups, each with specific requirements that ESOs must follow during the account registration or ownership process. For children under 13 years old, registration is allowed only with parental consent and is considered to carry a low-risk profile. Similarly, for those aged 13 to under 16 years old, a low-risk profile still applies and parental consent is also required. Meanwhile, children aged 16 to under 18 years old can register with parental consent, but there are no specific risk profile limitations applied to this age group.
ESOs are required to implement technical and operational measures to verify the age of children accessing their products, services, or features, in accordance with the age categories mentioned above. In doing so, providers must ensure the following:
- Protect the privacy and personal data of children,
- Tailor the verification mechanism to the child’s age,
- Secure the system and prevent data breaches,
- Use the data solely for age verification purposes and delete it once the objective is achieved (unless otherwise required by law),
- Provide a mechanism for objections in case the detected age is inaccurate,
- Be easily reachable and inclusive for all users.
High Privacy Settings Configuration
ESOs are required to configure their products, services, and features with high privacy settings by default in order to protect children as users. If a ESOs provides a feature that monitors a child’s activity, the provider must display a clear and easily recognizable notification—such as a symbol or signal—indicating that the child’s activity is being monitored or tracked.
In addition, ESOs are prohibited from using covert, manipulative, or non-transparent methods in designing or operating products, services, or features that could encourage children to:
- Disclose personal data beyond what is necessary,
- Disable or weaken privacy protection features, or
- Engage in activities that may harm their physical or mental health, or overall well-being.
Prohibition on Collecting Geolocation Data and Profiling Children
ESOs are prohibited from collecting geolocation data unless it is strictly necessary to provide a product, service, or feature requested by the child, and only for a limited time. Furthermore, collecting geolocation data is not allowed without a clear indication to the child that such data is being collected.
ESOs are also prohibited from profiling children, whether for commercial purposes or by default. Exceptions to this rule may be made only if there is a compelling reason to believe that the profiling serves the best interest of the child or is an essential part of the product.
Next Steps
ESOs are encouraged to begin internal preparations to align their policies, systems, and operations with the provisions of this regulation. This is crucial, considering the mandatory compliance period of two years from the date the regulation is enacted. Failure to comply may result in administrative sanctions, including written warnings, fines, temporary suspension of services, and even access termination.
