Indonesia’s Age verification law explained: what GR 17/2025 requires in 2026

On March 28, 2026, Indonesia began disabling social media and gaming accounts belonging to users under 16 on eight named platforms: YouTube, TikTok, Facebook, Instagram, Threads, X, Bigo Live, and Roblox. The action followed Ministerial Regulation No. 9 of 2026, issued March 6 by the Ministry of Communication and Digital Affairs, which set the deadline and named that first compliance cohort under Government Regulation No. 17 of 2025 (GR 17/2025), enacted roughly a year earlier.

The data behind the regulation is not ambiguous. A 2023 UNICEF baseline study on Indonesian children found that 50.3% had been exposed to sexual imagery on social media, and 42% reported feeling uncomfortable or frightened online. Indonesia is home to approximately 80 million children, one of the largest child populations in the world, and digital access among that group has outpaced the legal frameworks designed to protect them.

GR 17/2025 is the framework-level response. It creates a structured, age-tiered verification regime with parental consent obligations, data protection requirements, and administrative penalties reaching as far as termination of platform access for Indonesian users. Ministerial Regulation No. 9 of 2026 is the enforcement instrument that puts timelines and named platforms on those obligations.

For companies operating digital platforms accessible to Indonesian users, including foreign operators headquartered outside Indonesia, neither document can be treated as aspirational guidance.

What is GR 17/2025 and who does it cover?

GR 17/2025 formally titled Government Regulation No. 17 of 2025 on Governance of Electronic System Implementation in Child Protection, was enacted on March 27, 2025. It sits within Indonesia’s broader digital governance architecture alongside the Electronic Information and Transactions Law (ITE Law) and the Personal Data Protection Law, which entered the enforcement phase in October 2024.

The primary obligation falls on Electronic System Operators (ESOs): any entity that operates a digital platform, application, or electronic service in Indonesia. The keyword is “Indonesia”  not “incorporated in Indonesia.” A foreign platform accessible to Indonesian users that is reasonably used by children is an ESO under GR 17/2025. Jurisdiction follows the user population, not the corporate registration.

Scope not limited to children’s platforms

The regulation’s scope is deliberately broad. GR 17/2025 does not apply only to services explicitly marketed to under-18s. Any platform that, by its features, design, or target audience, is reasonably accessible to or likely to be used by children falls within scope. That includes social media, online gaming, video streaming, user-generated content platforms, AI chatbots with a public interface, digital marketplaces, and online communities, regardless of whether the operator considers its product a “children’s service.”

The breadth is intentional. Indonesian regulators documented that children accessed adult-facing platforms at a significant scale using self-declared ages above 17. The March 28, 2026, enforcement action targeted gaming and social platforms precisely because their Indonesian user bases included large numbers of minors who had bypassed registration age fields with no independent verification in place.

How does the regulation define “Child”?

GR 17/2025 defines a child as any person under 18 years of age. Within that definition, the regulation creates three distinct tiers under 13, ages 13 to 16, and age 17, each with different platform obligations. These tiers are not age bands for content classification. They are operational categories governing what a platform must do at the moment a user registers, and in the period immediately following. The differences between tiers are material; a platform that applies a single consent workflow across all three will be non-compliant on at least one of them.

How does Indonesia’s age-tiered consent system work?

GR 17/2025’s consent architecture is tiered rather than binary. The regulation does not create a single “under-18 requires parental consent” threshold and stop there. It creates obligations that vary in mechanism and timeline across three age bands and vary again based on whether the platform carries a high-risk or low-risk classification. The practical consequence: compliance requires both verified age determination and a consent flow that responds to the outcome of that determination.

Under 13, the strictest tier

Children under 13 are the most protected category in GR 17/2025. On high-risk platforms that allow social interaction with strangers, carry user-generated content, include advertising, or expose users to algorithmically curated material, under-13s are effectively barred from access unless the platform holds a low-risk classification and has been specifically designed for that age group.

For the narrow category of platforms permitted to accept under-13 users (low-risk, purpose-built children’s services), the consent requirement is absolute: parental or guardian consent must be received before any access is granted. The 24-hour window during which the platform is seeking consent is a hard blackout. There is no provisional access, no read-only mode, and no phased feature release pending consent. The service remains unavailable to the child until consent is confirmed.

Ages 13-16, active parental consent required

The 13–16 tier operates under the same mechanics as the under-13 tier on most high-risk platforms: parental or guardian consent must be obtained before access is granted, and the 24-hour window is a blackout period. A platform cannot grant provisional access to a 15-year-old on the assumption that consent will arrive after registration.

The failure mode regulators have flagged most consistently in this tier is the “sign up now, verify later” design pattern, in which a platform grants immediate access and then attempts to collect consent or verify age over a subsequent period. 

GR 17/2025 does not permit this sequencing. The consent must precede the access, and the platform bears the obligation of ensuring that a self-declared date of birth is checked against an independent signal before the consent flow is triggered. A date-of-birth field with no validation provides neither.

Age 17, self-consent with a notification window

At 17, a user may provide their own consent directly. The platform does not need to wait for parental approval before granting access. The obligation shifts: the platform must notify the parent or guardian immediately upon the 17-year-old’s registration and hold a six-hour window open for them to lodge an objection. If no objection arrives within six hours, the account proceeds. If an objection is received, the platform must pause access and work through a resolution process before the account can be activated.

The six-hour window creates a real-time notification infrastructure requirement. For platforms with large Indonesian user bases, this means running a continuous automated system that dispatches parental notifications, monitors for objections, and releases or holds accounts within a six-hour clock, at scale, without human review on each case.

What are GR 17/2025’s data protection requirements?

Age verification obligations and data protection obligations are paired in GR 17/2025. A platform that verifies age correctly but mishandles the data collected in doing so is non-compliant on a separate axis.

Data Minimization and Deletion

GR 17/2025 requires platforms to process personal data used in age verification for that purpose and that purpose only. Once the verification check is complete and the user’s age tier is established, the data used for verifying identity documents, biometric images, and age-inference outputs must be deleted. The regulation explicitly prohibits retention of verification data as part of the general user record, even with the user’s stated consent.

This creates a specific architectural requirement. The verification step must be designed as an isolated pipeline that feeds its output (the confirmed age tier) into the platform’s account management system, without persisting or passing through the underlying identity data. Platforms that store verification documents alongside user profiles, the default design pattern in most self-built age gate implementations, will need to rebuild that flow.

DPIA requirements and privacy by design

Processing children’s data triggers a mandatory Data Protection Impact Assessment (DPIA) under Indonesia’s Personal Data Protection Law, which GR 17/2025 sits alongside. Before deploying an age verification mechanism, ESOs must assess the risks of processing children’s personal data, the proportionality of data collected, the security measures in place, and the data flow from verification to deletion.

Platforms must also implement privacy-by-default settings for all children’s accounts. Location sharing, public profile visibility, direct messaging from non-connections, and content recommendation features should be disabled by default for accounts in any of GR 17/2025’s three age tiers. For under-16 accounts, these defaults can only be changed by the parent or guardian, not by the child. The regulation treats privacy-by-default as a mandatory technical configuration, not a product design choice.

What did Indonesia’s 2026 ministerial regulation add?

GR 17/2025 established the legal framework and the two-year transition clock. Ministerial Regulation No. 9 of 2026, issued March 6, 2026, by the Ministry of Communication and Digital Affairs, operationalized the first enforcement phase and introduced the risk assessment obligation that will shape subsequent waves.

The eight named platforms and the March 28 deadline

Ministerial Regulation No. 9 named YouTube, TikTok, Facebook, Instagram, Threads, X, Bigo Live, and Roblox as the first enforcement cohort. Each was required to disable accounts belonging to users under 16 where compliant verification and parental consent had not been established, effective March 28, 2026.

The named-platform approach signals how enforcement will proceed. The Ministry identified the platforms with the highest documented Indonesian child user exposure and the highest risk classification first. Ministerial Regulation No. 9 describes the named cohort explicitly as the first phase of a rolling strategy. Additional platforms will enter the enforcement scope based on risk assessment results and Ministry review. Absence from the initial eight-platform list is a timing difference, not a carve-out.

Risk assessment submissions and the June 2026 deadline

All in-scope ESOs must submit a documented risk self-assessment to the Ministry via a designated online portal within three months of Ministerial Regulation No. 9 entering into force, making the deadline approximately June 6, 2026. The assessment must cover children’s ability to interact with strangers on the platform, exposure to violent or sexual content, in-app purchase availability, the adequacy of existing parental controls, and the maturity of the platform’s content moderation infrastructure.

The Ministry will use submissions to rank platforms for subsequent enforcement priority. A platform that files a weak self-assessment or fails to file will be treated as a higher enforcement risk in the second and third compliance waves. Platforms outside the initial eight-platform cohort should not treat their absence as an exemption; the risk assessment filing is a mandatory obligation for all in-scope ESOs regardless of cohort status.

Penalties

GR 17/2025 establishes four escalating administrative sanctions: written reprimand, administrative fine, temporary suspension of platform access for Indonesian users, and termination of access. The ministry determines which level applies based on the severity and duration of the breach, the number of children affected, and the degree of cooperation from the ESO.

Termination of platform access in Indonesia has precedent. Indonesian regulators invoked similar enforcement powers against major platforms under the ITE Law and earlier Ministry regulations for repeated non-compliance. It is not a theoretical sanction at the top of the ladder; it is a tool the Ministry has used and will use again.

What does technical age verification compliance require?

GR 17/2025 mandates that age verification be built into the registration process and designed with children’s privacy in mind. The regulation does not prescribe a specific technical method, but the data minimization standard, the DPIA requirement, and the consent-first mandate collectively narrow the viable options.

The floor requirement is clear: a mechanism must verify age, not merely collect it. A self-declared date of birth with no independent validation is not a verification mechanism. The regulation requires a check against an independently validated signal. That signal must precede access for the under-13 and 13–16 tiers.

The mobile-first deployment challenge

Indonesia’s digital engagement is overwhelmingly mobile-first. Most users, including the child and teen users, GR 17/2025 is designed to protect access platforms through apps on Android devices rather than through desktop browsers. Age verification mechanisms must function within native app environments, on the range of Android hardware common across Indonesia’s provincial cities, and without introducing document-upload friction that defeats the product experience entirely.

A verification flow designed for desktop environments will behave differently on a mid-range Android device with an inconsistent camera or a slow mobile data connection. The failure mode is not a rejection; it is session abandonment before verification completes, which leaves the platform in a worse compliance position than a clean rejection would. Platforms that deploy a single verification approach without testing it against the hardware profile of their actual Indonesian user base will discover the gap through abandonment rates, not through their engineering review.

How does Shufti help platforms operating in Indonesia?

If your platform serves users in Indonesia, the gap between where most age gates sit today and what GR 17/2025 requires is a concrete compliance exposure. The consent-first model demands a verified age before access, not a self-declared date of birth checked after the fact.

Shufti’s age verification handles both document-based confirmation and biometric age estimation within a single API, including support for Indonesian national ID cards (KTP), passports, and family documents trained on Indonesian document types natively, not retrofitted. The architecture is built to the data minimization standard: verification data feeds the age-tier output, not the user record, and deletion is handled within the verification pipeline. For platforms that need regional data residency under Indonesia’s PDP Law or OJK requirements, Shufti’s Local Cloud deployment covers in-country processing without a separate integration.