Safeguarding Children in the Digital Age
In today’s digital era, the younger generation, raised in this environment, is often referred to as the “digital generation.” While many apps and platforms are designed for educational or entertainment purposes, others not intended for children remain easily accessible, increasing the risk of misuse and exposure to harmful content. This underscores the urgent need for stronger safeguards to protect children online.
In Indonesia, Law No. 27 of 2022 concerning Personal Data Protection (“PDP Law”) recognizes children’s data as specific (sensitive) personal data that requires stricter protection. However, as of now, there is no further regulation on the protection of children’s data. Nevertheless, a significant development came with the issuance of Law No. 1 of 2024 concerning the Second Amendment to Law No. 11 of 2008 on Electronic Information and Transactions, particularly Articles 16A and 16B, which set out obligations for electronic system operators to provide protection for children and uphold their rights.
To implement the aforementioned provisions, the Government issued Government Regulation No. 17 of 2025 concerning the Governance of Electronic System Operations and Child Protection (“GR 17/2025”), also commonly known as PP Tunas.
This ARMA Update will delve into GR 17/2025, covering its scope of applicability and the technical obligations that Electronic System Operators (“ESO”) must meet for protection of children, including safeguarding children’s personal data.
Scope and Subject Matter of GR 17/2025
GR 17/2025 requires both public and private ESOs to implement safety measures that protect children’s use of their products, services and features, specifically electronic systems designed for or that might be accessed by children. [1] A child is defined as an individual under 18 (eighteen) years old. [2]
In this regard, the scope of products, services and features that are designed for or might be accessed by children, and are therefore subject to the provisions of GR 17/2025, is determined based on the following indicators: [3]
- The ESO’s terms, conditions, policies, or internal documents explicitly indicate that the products, services and features are intended for use or access by children;
- There is strong evidence that the regular users accessing the products, services and features are children;
- Advertisements related to the products, services and features are targeted at children;
- The design elements of the products, services and features are created or displayed in a way that is appealing for children to use or access; and/or
- The products, services and features are substantially similar or identical to those that have been proven to be used or accessed by children.
Further provisions on the indicators are expected to be regulated in a Ministerial Decree. [4]
Mandatory Self-Assessment of Programs’ Risk Level
GR 17/2025 obligates ESOs to conduct a self-assessment of the following aspects of their products, services and features: [5]
- Contact with strangers (interaction with unknown individuals);
- Exposure to inappropriate content, including pornography, violent material, life-threatening content, and other materials unsuitable for children;
- Exploitation of children as consumers;
- Compromising the security of children's personal data;
- Risk of addiction;
- Potential psychological harm to children; and
- Potential physiological harm to children.
The result of the self-assessment shall be a risk profile of either high risk or low risk. If the evaluation indicates a significant potential for any of the identified risks to occur, the service will be categorized as “high-risk.” Conversely, if none of the prescribed criteria indicate a high risk, the service will be classified as “low-risk.” [6]
The assessment result must be reported to the Ministry of Communication and Digital Affairs (“MoCD”), which will then verify and determine the risk profile of the products, services, and features developed and/or operated by the ESO. [7] Further provisions on this procedure are expected to be regulated in a Ministerial Regulation.
ESO’s Role in Safeguarding Personal Data of Children
GR 17/2025 outlines several obligations that relevant ESOs must adhere to when providing products, services, and features to children. The following specific obligations are particularly relevant to safeguarding children’s personal data:
- Parental or Guardian Consent. Two types of consent mechanisms are regulated: (i) opt-in, where the ESO must first obtain approval from a child’s parents or guardians before granting access to certain products, services, or features; [8] or (ii) opt-out, where ESOs providing products to children who are at least 17 years old may request consent directly from the children, followed by notifying the parent or guardian. [9] Consent must be obtained within a reasonable amount of time as regulated under GR 17/2025. [10] For children under the age of 17, GR 17/2025 mandates that ESOs must actively obtain parental or guardian consent within 24 hours and are prohibited from granting any access to the service until such consent is received. During this 24-hour period, the child must not be allowed to access any part of the service. [11]
- Personal Data Protection Impact Assessment (“DPIA”). ESOs must conduct a DPIA in alignment with the PDP Law, as a child’s personal data is considered specific (sensitive) personal data. This is also a part of risk management to protect children’s personal data.
- High Privacy Settings by Default. ESOs must automatically apply the highest privacy settings to their products, services, and features, ensuring that only the necessary personal data of children is collected. [12] This method requires that privacy protections be built into a service right from the outset of its design and development. It involves default settings that prioritize safety—such as minimizing data collection, disabling tracking features, deactivating location access, and ensuring children are not automatically included in profiling or similar activities.
- Clear and Accessible Information. To ensure that children understand the products, services, and features, all related information must be truthful, easily understood by children (i.e. in Indonesian, adapted to age level) and presented in a format and manner that is easily accessible or usable by children or their parents/guardians (e.g. pop-up notification). [13] The information shall include, amongst others, the terms of use, the privacy and personal data protection policy, and community standards.
- Clear Communication of Age Restrictions and Verification of Age. GR 17/2025 mandates ESOs to adopt child protection measures from the outset, including the clear communication and enforcement of age restrictions for accessing their services. ESOs must define, implement, and inform users of the minimum age requirement applicable to their platforms. [14]
- Designation of Responsible Party for Child’s Personal Data Processing in the Provision of Internet-connected Toys or Devices. [15] When providing internet-connected toys or smart devices that collect, transmit, or store personal data of children, it is essential to explicitly identify and disclose which party is responsible for managing that data. The responsible party must be accountable for ensuring compliance with data protection obligations, including securing consent, applying proper safeguards, handling data subject rights, and ensuring that children's data is processed lawfully, transparently, and securely.
- Appointment of Data Protection Officer. [16] ESOs must appoint a dedicated officer to oversee personal data protection. This individual is responsible for ensuring compliance with data protection laws, especially in handling children’s data. They must monitor data practices, manage risks, and act as a point of contact for regulators and data subjects.
What’s Off-Limits for ESOs
Along with the obligations, GR 17/2025 also establishes several prohibitions applicable to ESOs:
- Deceptive or Manipulative Practices
  ESOs are prohibited from using hidden, deceptive, or non-transparent methods in developing or operating their products, services, and features that may prompt children to: [17]
  - Provide or disclose personal data beyond what is necessary for using or accessing the products, services, and features;
  - Disable or weaken privacy protection functions; or
  - Engage in actions that the ESO knows or reasonably should know could harm the physical health, mental health, or well-being of children.
- Collection of Geolocation Data
  ESOs must not: [18]
  - Collect precise geolocation information from children by default, unless such collection is strictly necessary for the ESOs to provide the products, services, and features requested by the child, and only for a limited time; and/or
  - Collect precise geolocation information without providing clear notice to the children during collection that such information is being gathered.
- Profiling of Children
  ESOs are barred from: [19]
  - Profiling through any means or methods (e.g., for product/service offerings or other purposes); or
  - Profiling children by default through any means or methods.
Setting Age Groups and Permitted Programs
GR 17/2025 requires ESOs to clearly state minimum age restrictions for children using their products, services, and features. The minimum age for a child to use ESOs’ products, services, and features is 3 years old, with ages grouped into the following ranges: [20]
- 3 (three) – 5 (five) years old,
- 6 (six) – 9 (nine) years old,
- 10 (ten) – 12 (twelve) years old,
- 13 (thirteen) – 15 (fifteen) years old, and
- 16 (sixteen) – under 18 (eighteen) years old.
In regard to the minimum age restrictions and groups, the regulation mandates that ESOs must ensure their offerings align with these age groups, considering the children’s developmental needs. [21] Further, GR 17/2025 also stipulates that ESOs requiring user registration to access their products, services, and features must implement strict age-based access for user registration, as follows: [22]
| Age Group | Restrictions |
| --- | --- |
| Child under 13 | |
| Ages 13–15 | |
| Ages 16–17 | May create accounts for products, services, and features even in the high-risk category, provided they have parental approval. |
To ensure effective implementation of the age-based restrictions, ESOs must implement technical and operational measures for verifying the age of children using or accessing their products, services, and features, in accordance with the aforementioned minimum age and age groups. [23]
Administrative Sanctions
Where ESOs fail to protect children who access their products, services and features, GR 17/2025 provides for administrative sanctions, including:
- Written warning;
- Administrative fine;
- Temporary suspension of operations; and/or
- Termination of access privileges.
Moreover, violations in the protection of children by ESOs may be subject to either a single sanction or multiple concurrent sanctions. In addition, although GR 17/2025 does not directly impose criminal sanctions, certain Indonesian laws, such as the Child Protection Law (Law No. 23 of 2002 and its amendment), regulate criminal sanctions for acts that harm children.
What’s Next
GR 17/2025 provides a two-year adjustment period until 27 March 2027, during which the MoCD will refrain from imposing administrative penalties for non-compliance. However, this transitional period does not limit the rights of third parties. Individuals such as parents, guardians, or organizations may still initiate private legal action, including civil lawsuits, if they believe that a digital service causes harm to children or fails to meet GR 17/2025’s child protection requirements.
In light of the above discussions, compliance with GR 17/2025 is crucial for certain ESOs, particularly those providing products, services, or features intended for or accessible by children, such as social media platforms, online games, and/or interactive learning applications. It is advisable for relevant ESOs to begin aligning their operations with the provisions of GR 17/2025 as early as possible to avoid the potential risk of administrative sanctions once the deadline passes.
Early measures can be taken by conducting internal audits, updating terms of service and privacy policies to comply with GR 17/2025, implementing child safety features, conducting a DPIA, appointing a DPO, and establishing clear content moderation protocols. Starting early also allows ESOs to gradually address compliance requirements, identify operational gaps, and make incremental improvements. This gives ESOs the time and flexibility to implement child protection standards in a structured and sustainable manner, rather than rushing to meet the deadline under pressure.
[1] Article 3 of GR 17/2025.
[2] Article 1 point 1 of GR 17/2025.
[3] Article 4 (2) of GR 17/2025.
[4] Article 4 (3) of GR 17/2025.
[5] Article 5 (3) and (6) of GR 17/2025.
[6] Article 5 (4) and (5) of GR 17/2025.
[7] Article 5 (7) – (9) of GR 17/2025.
[8] Article 9 (1) of GR 17/2025.
[9] Article 9 (2) of GR 17/2025.
[10] Article 9 (3) of GR 17/2025.
[11] Elucidation of Article 9 (3) of GR 17/2025.
[12] Article 10 (1) of GR 17/2025.
[13] Article 11 of GR 17/2025.
[14] Article 20 (1) of GR 17/2025.
[15] Article 15 of GR 17/2025.
[16] Article 7 (1) point j of GR 17/2025.
[17] Article 17 of GR 17/2025.
[18] Article 18 of GR 17/2025.
[19] Article 19 of GR 17/2025.
[20] Article 20 (2) of GR 17/2025.
[21] Article 20 of GR 17/2025.
[22] Article 21 (1) of GR 17/2025.
[23] Article 22 of GR 17/2025.
Disclaimer:
This client update is the property of ARMA Law and is intended to provide general information. It should not be treated as legal advice, nor shall it be relied upon by any party for any circumstance. ARMA Law has no intention to provide specific legal advice with regard to this client update.