Introduction

The rapid growth of digital platforms has created new opportunities for children to learn, play, and connect. At the same time, it has introduced significant risks, including exposure to harmful content, exploitation, and misuse of personal data. Recognizing these challenges, the Government of Indonesia issued PP No. 17 Tahun 2025 as a legal framework for child protection in electronic systems, followed by Permen Komunikasi & Digital No. 9 Tahun 2026 to provide detailed technical guidance for implementation. Together, these regulations establish a comprehensive governance model to safeguard children in the digital environment.

PP No. 17 Tahun 2025 – The Legal Framework

This regulation sets out the principles and obligations for all electronic system providers (Penyelenggara Sistem Elektronik, or PSE).

Key Provisions:

1. Definition of Children: Any individual under 18 years old.
2. Age Limits: Children must be at least 3 years old to use digital products, grouped into age ranges (3–5, 6–9, 10–12, 13–15, 16–17).
3. Parental Consent: Parents or guardians must approve before children can access services. Children aged 17 may give consent themselves, but parents must confirm.
4. Privacy Protections: Systems must default to high privacy settings. Practices such as hidden data collection, precise geolocation tracking, and profiling are prohibited unless clearly in the child’s best interest.
5. Risk Assessment: Products must be categorized as high or low risk based on exposure to strangers, harmful content, exploitation, misuse of data, addiction, and health impacts.
6. Reporting & Oversight: PSEs must conduct self‑assessments and report results to the Ministry, which verifies and assigns a risk profile.
7. Additional Duties: PSEs must provide clear information, educate children and parents, empower digital literacy, and ensure that third‑party partners comply with child protection standards.

Permen Komunikasi & Digital No. 9 Tahun 2026 – The Technical Implementation

This ministerial regulation translates the broad obligations of PP No. 17/2025 into practical steps and compliance procedures.

Key Provisions:

1. Clear Communication: Age limits must be explained in simple language, accessible to both children and parents.
2. Self‑Assessment: Companies must document risks and needs before products are made available to children, including considerations of developmental stages.
3. Child‑Safe Design: Products must include protection features so that content matches the child’s age group and complies with laws.
4. Verification Systems: Companies must use reliable technology to verify children’s ages, either developed internally or through third parties.
5. Detailed Risk Indicators: The regulation specifies indicators for each risk area (contact with strangers, harmful content, exploitation, data misuse, addiction, psychological and physical harm).
6. Reporting & Verification: Results of self‑assessments must be reported to the Ministry. The Directorate General verifies the reports, requests clarifications if needed, and sets the official risk profile.
7. Accountability: False or misleading reports can trigger administrative sanctions or legal action.

Relationship Between the Two Regulations

• PP No. 17/2025 provides the legal foundation and establishes the principles of child protection in digital systems.
• Permen No. 9/2026 provides the technical details, procedures, and compliance mechanisms to ensure that the principles are applied consistently in practice.

How PSE Must Be Ready

To comply with these new regulations, PSEs must prepare across governance, technical, and operational dimensions:

1. Governance & Compliance

• Form an internal compliance team dedicated to child protection.
• Integrate obligations into corporate governance and vendor contracts.
• Conduct gap analyses against PP No. 17/2025 and Permen No. 9/2026.

2. Age Verification & Consent

• Deploy reliable age verification systems.
• Embed parental consent workflows in onboarding processes.
• Ensure clear communication of consent requirements.

3. Privacy & Data Protection

• Default child accounts to high privacy settings.
• Prohibit hidden data collection, geolocation tracking, and profiling.
• Conduct regular audits of child‑related data practices.

4. Risk Assessment & Reporting

• Classify products/services as high or low risk.
• Perform self‑assessments before product launch.
• Submit reports to the Ministry and prepare for verification.

5. Child‑Safe Design & Education

• Adapt content to age‑appropriate categories.
• Embed digital literacy tools for children and parents.
• Ensure third‑party partners comply with child protection standards.

Potential issues and challenges could arise in practice when implementing child protection in digital systems:

Legal & Governance Issues

• Ambiguity in parental consent: PP 17/2025, Article on Age Limits & Consent, defines children under 18, sets minimum age The requirement that 17-year-olds can consent but parents must confirm could create confusion and disputes.
• Cross-border compliance: PP 17/2025, General Obligations for PSE Global platforms may struggle to align Indonesian rules with international standards, leading to conflicts in enforcement.

Privacy & Data Protection

• Technical feasibility: PP 17/2025, Privacy Protection, Prohibiting hidden data collection and profiling is clear in principle, but many platforms rely on these mechanisms for personalization. Balancing compliance with business models may be difficult.
• Audit burden: PP 17/2025, Additional Duties, Regular audits of child-related data practices could be resource-intensive, especially for smaller providers.

Age Verification & Consent

• Reliability of verification systems: PP 17/2025, Age Limits & Consent, Age verification technology is notoriously hard to implement without risking privacy breaches or excluding legitimate users.
• Parental involvement: PP 17/2025, Clear Information Duties, Embedding parental consent workflows may slow down onboarding and frustrate users, reducing adoption.

Risk Assessment & Reporting

• Subjectivity in self-assessment: PP 17/2025, Risk Assessment, Companies may underreport risks to avoid sanctions, while the Ministry’s verification process could be overwhelmed by volume.
• Administrative sanctions: PP 17/2025, Reporting & Oversight, The threat of penalties for false reporting may discourage innovation or lead to overly cautious compliance.

Child-Safe Design & Education

• Content adaptation challenges: PP 17/2025, Age Limits, Categorizing content into strict age ranges (3–5, 6–9, etc.) may be difficult for platforms with diverse user bases.
• Third-party compliance: PP 17/2025, Additional Duties, Ensuring that partners and vendors follow the same standards adds complexity to supply chain governance.

Implementation Timeline

• Resource strain: PP 17/2025, Governance & Compliance Duties, Smaller PSEs may struggle to meet the immediate (0–3 months) requirements like gap analysis and privacy defaults.
• Continuous monitoring: PP 17/2025, Continuous Oversight, Ongoing obligations could create compliance fatigue, especially if regulations evolve quickly.

In short, while the framework is comprehensive, practical enforcement, technological feasibility, and balancing innovation with compliance are the main issues that may arise.

Conclusion

The introduction of PP No. 17/2025 and Permen No. 9/2026 is a positive step to safeguard children in the digital environment, recognizing that unchecked digital influence can erode childhood and stressing cooperation between parents and digital platforms. The main challenge lies in the readiness of platforms to meet obligations such as governance, age verification, privacy protections, and child‑safe design — without genuine preparation, the regulations risk being aspirational. Is Indonesia ready? The answer is no choice but to be ready, but gradually: full preparedness will depend on platforms embedding compliance, parents strengthening digital literacy, and government enforcing oversight, may realistically be achieved.