GR 17/2025 Age Compliance Checklist: A Full Guide To Getting Your Platform Ready

On 28 March 2026, Indonesia began restricting the accounts of users under 16 across eight named platforms, including YouTube, TikTok, Instagram, and Roblox, after the Ministry of Communication and Digital Affairs (Komdigi) issued the implementing rule for its child protection regulation. That action was the first enforcement phase of Government Regulation No. 17 of 2025, known as PP Tunas. If your platform is reachable by Indonesian children, the question is no longer whether age verification applies to you. It is whether you can prove compliance before the grace period closes. This GR 17/2025 compliance checklist walks through who is in scope, what the regulation requires, and the steps to get audit-ready.

Who must comply with GR 17/2025?

GR 17/2025 binds Electronic System Providers, both public and private, whenever their service is reasonably accessible to or likely to be used by children, not only when it is built for them (Hogan Lovells). That accessibility test pulls in far more than child-directed apps. A general consumer platform with open sign-up sits in scope by default.

The regulation reaches across consumer internet categories that allow user registration, including:

• Social media platforms, where the first enforcement wave has already landed.
• Online gaming and gaming platforms, including livestreaming and in-game social features.
• Fintech and digital wallets, where minor onboarding and access need controls.
• E-commerce platforms that let users create accounts.
• Streaming and content platforms serving video, audio, or user-generated media.
• Any consumer internet service with user registration that children can reach.

What does GR 17/2025 require?

GR 17/2025 sets four operational duties that work together, and a platform passes only when all four hold in the same flow (SSEK). Our full Indonesia age verification law explainer breaks each one down in depth. In short, the regulation requires:

• Age verification proportionate to risk. Checks align to the age ranges of 3 to 5, 6 to 9, 10 to 12, 13 to 15, and 16 to 17, with assurance scaled to the risk a product poses, and Komdigi validating each product’s risk classification.
• A completed DPIA. Providers finish a Data Protection Impact Assessment (DPIA) before children access a feature and keep it current while the feature stays live (Hogan Lovells).
• Tiered parental consent. A 24-hour parental consent window applies for under-17 users, with an opt-out path for 17-year-olds (Baker McKenzie).
• Data minimisation. No verification data may sit in the general user record, and the underlying identity data is deleted once its purpose is met.

This Indonesia age verification checklist turns the four duties into the steps you can evidence to a regulator.

The complete GR 17/2025 compliance checklist

Work through the six phases of this PP Tunas compliance checklist in order. Each maps to a duty in the regulation, lists the concrete checks to clear, and names the evidence a regulator or a parent’s lawyer could later ask you to produce. Treat a product as compliant only once every box in every phase is ticked.

Phase 1. Confirm whether GR 17/2025 applies to you

Scope is the phase platforms skip and then regret. The accessibility test catches general-audience services, not only apps built for children, so decide on it deliberately and record the reasoning.

• Check whether children can realistically reach your service, given open sign-up, the absence of a hard age gate, or known under-18 usage.
• Inventory every product, feature, and surface a child could access, not only the headline app.
• Decide whether each one is reasonably accessible to or likely to be used by children (Hogan Lovells).
• Record the scoping decision and the reasoning behind it.

Evidence to keep. A written scoping assessment for each product or feature, with the in-scope or out-of-scope decision and its rationale.

Phase 2. Classify product risk and get Komdigi validation

The age assurance you owe depends on a risk classification that Komdigi validates, not one you assign yourself. Self-assess first, then submit for review.

• Run the internal risk self-assessment for each in-scope product or feature.
• Assess the risk it poses to children across data, contact, content, and commercial pressure.
• Submit the self-assessment to Komdigi for review.
• Record the validated risk classification Komdigi returns.
• Re-submit when a feature materially changes its risk profile.

Evidence to keep. The Komdigi submission and the validated classification record for each product.

Phase 3. Complete and maintain a Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) is mandatory before children touch a feature, and it stays a living document for as long as that feature is live.

• Complete the DPIA before any child accesses the feature.
• Document the processing activities and the provider’s interests.
• Assess the necessity and proportionality of the processing.
• Include a child-specific risk assessment and a mitigation plan.
• Resolve identified risks before you market the product.
• Keep the DPIA current for as long as the feature remains accessible to children.

Evidence to keep. A maintained DPIA per child-accessible feature, with dated revisions.

Phase 4. Deploy age verification proportionate to risk

Age assurance has to align to the regulation’s five age bands and scale with the validated risk tier. Over-collecting identity data is its own breach, so match the method to the risk.

• Map each feature to the relevant age band of 3 to 5, 6 to 9, 10 to 12, 13 to 15, or 16 to 17.
• Match the strength of verification to the validated risk tier.
• Apply stronger assurance to high-risk features and lighter age signals to low-risk ones.
• Confirm you are not collecting government ID where a lighter signal will do.
• Restrict under-16 access on high-risk products where the rules require it.

Evidence to keep. An age-assurance design that maps each feature to its band and risk tier. See how Shufti’s age verification returns an age result without retaining the underlying ID.

Phase 5. Build the tiered parental-consent flow

Consent is age-tiered, not one-size-fits-all, and it has to be logged. The window and the mechanism differ for under-17s and for 17-year-olds.

• Implement the 24-hour parental or guardian consent window for users under 17.
• Withhold access until consent is captured for under-17 users.
• Implement the opt-out path for 17-year-olds, granting provisional access and notifying the guardian.
• Log when consent was sought, granted, or refused.
• Give guardians a route to withdraw consent later.

Evidence to keep. A consent audit log tied to each minor account.

Phase 6. Minimise verification data, then monitor and re-assess

The regulation tells you to verify age and then not keep what you collected. Treat the age check as a throwaway pipeline, and revisit the whole assessment as your product changes.

• Run the age check as an isolated pipeline that passes only its result downstream.
• Keep no verification data inside the general user record.
• Delete the underlying identity data once its purpose is met, unless retention is legally required.
• Re-run the self-assessment and DPIA when features or risks change.
• Keep records ready for a Komdigi compliance review or regulator request through the grace period and beyond.

Evidence to keep. A data minimization and retention policy, plus deletion logs.

Age and consent rules at a glance

Use this quick reference alongside the phases above. It maps the age and platform situation to the requirements the checklist has to satisfy.

Where do platforms fail the GR 17/2025 checklist?

Most failures cluster around four traps, and the grace period to 27 March 2027 does not make any of them safe (DFDL).

• Treating age verification as a one-time gate. The regulation expects controls that hold across the user lifecycle, not a single check at sign-up.
• Retaining identity data after the check. Keeping the ID converts an age-assurance step into a data-minimisation breach.
• Skipping the Komdigi self-assessment. Assuming a low-risk classification leaves the platform applying weaker assurance than its validated tier requires.
• Treating the grace period as a pause. The window to 27 March 2027 suspends administrative penalties, not the private legal action a parent or guardian can bring.

Sanctions for getting this wrong escalate from written warnings to temporary suspension and, ultimately, a full access block within Indonesia.

How Shufti helps platforms meet Indonesia’s age-assurance rules

If Indonesian children can reach your platform, the hard part of GR 17/2025 is not deciding to check age. It is checking it without building a second identity store the regulation then tells you to delete. Shufti’s age verification runs document-based age confirmation and, where the rules allow, biometric age estimation, returning a clear age signal without forcing your platform to retain the underlying ID. That design fits the data-minimization duty at the center of PP Tunas. For platforms onboarding across Indonesia and the wider region, Shufti’s models were trained on local documents from the start rather than retrofitted, so age checks hold up on the IDs your users actually carry, in one of the markets where coverage usually thins out.