Indonesia: Government Regulation Number 17 of 2025 concerning Governance of Electronic System Implementation in Child Protection including design requirement entered into force with grace period

On 27 March 2025, the Government of Indonesia Regulation Number 17 of 2025 concerning Governance of Electronic System Implementation in Child Protection entered into force with a grace period. According to Article 49, all relevant parties must adjust their operations to comply with the regulation within two years of its enactment. The regulation imposes specific design requirements on Electronic System Operators (ESOs) providing products, services, or features accessed by children under 18. ESOs must apply technical and operational safeguards from development to deployment. The regulation requires high-privacy default settings, parental consent mechanisms, Data Protection Impact Assessments (DPIAs), accessible information, child-specific functionality, and designated data protection officers. The regulation defines age groups (3–5, 6–9, 10–12, 13–15, 16–17) and requires alignment with age-appropriate content and controls. Age verification mechanisms must be proportionate to risk and ensure minimal data processing and secure deletion. ESOs must also provide clear abuse reporting tools. Prohibited design elements include dark patterns, covert geolocation tracking, and default profiling of children. Risk assessments based on exposure to harmful content, personal data threats, addiction, and psychological impact are mandatory, with high-risk classifications requiring ministerial verification. The design must prioritise child protection over commercial interest and ensure compliance across public and private ESOs.