In March 2025, Indonesia introduced Government Regulation No. 17 of 2025 on Governance of Electronic System Implementation in Child Protection, a comprehensive child online safety law that places detailed obligations on electronic system operators (ESOs).

As a note upfront: these regulations are still subject to be tweaked with further guidance, and there’s a two-year transition period (with enforcement starting in 2027). Nevertheless, the requirements are highly specific, stricter than any other global law in many ways, and not easy to retrofit into live products. Designing for compliance now means avoiding costly rework down the line — and creating better experiences from day one.

In this article, we’ll explore how k-ID helps you prepare for this new law, using its infrastructure built for compliance, scalability, and user-first experiences.

Applicability

You’re likely subject to Indonesia’s regulation if your product, service, or feature is:

• Designed for children (anyone under 18), or

• Could reasonably be accessed by children.

The law uses a broad set of indicators — such as your terms of service, advertising, evidence of your user base composition, and interface design — to determine if your product falls under its scope. This means that even platforms not primarily aimed at minors (like social media, games, e-commerce or AI tools) may be covered if children are likely to be users. For the purposes of the rest of this article, we’ll assume you’re operating as an in-scope ESO.

Age Assurance

The law requires ESOs to verify a user’s age category at sign up using an age assurance method that:

• Protects the privacy of users

• Is proportionate to the risks involved

• Is limited strictly to age verification purposes

• Deletes verification data once verification is complete

To meet these conditions while juggling global compliance, k-ID offers a dynamic age assurance framework. We surface appropriate methods (including Face Scan, ID Scan, Credit Card Verification and Parental Attestation) based on legal requirements in each jurisdiction — and allow you to further customise your methods too.

Each age verification method is designed to balance privacy, security, reliability, and ease of use. For example, our Face Scan option runs entirely on-device — no biometric data ever leaves the user’s device. It’s privacy-preserving by design, similar to Apple’s Face ID, and avoids sharing sensitive personal data with external servers.

Age Categories

A key requirement of the Indonesian regulation is to tailor experiences based on five distinct child age categories:

• 3-5 years old

• 6-9 years old

• 10-12 years old

• 13-15 years old

• 16-18 years old

At k-ID, our infrastructure is purpose-built to support age-based personalisation at scale. Our /age-gate/check-age-category API enables you to classify users into age categories and deliver differentiated, age-appropriate experiences accordingly.

Today, this API supports classification into three default age bands — Digital Minor, Digital Youth and Legal Adult — which already power compliant and age-appropriate design across many markets. Indonesia’s new regulation introduces more granular segmentation, and our system is designed to evolve with regional requirements as they emerge.

For example, the Indonesian law is notable for classifying certain features as “high risk” versus “low risk”, with users aged 13-16 having access to only “low risk” features and users 16-18 only have access to “high risk” features with a parent's consent. As we get more guidance from the Indonesian regulators regarding the risk classification for certain features, we will update the Global Compliance Engine to make these age thresholds part of the default experience for Indonesian users.

Clear, Opt-in Parental Consent

Parental consent must be clear and opt-in before a child can register, access or interact with an ESO’s services. Implied consent is not allowed — meaning you cannot assume that consent has been provided if a parent doesn’t explicitly object.

With k-ID’s Family Portal, the consent process is both transparent and user-friendly. Parents are guided through a short verification flow that takes less than a minute, helping ESOs meet regulatory standards without adding unnecessary friction.

High Privacy by Default

The law also mandates that an ESO’s product’s settings be configured to the highest level of privacy by default. ESOs can easily manage their settings for 40+ permissions using the k-ID Developer Portal, as shown below.

You may choose to leverage our Global Compliance Engine, which automatically suggests default settings based on your compliance strategy, or configure your own:

• Always Off: The feature is always disabled for users under a specific age.

• Default Off, Managed by Parent: The feature is disabled by default for users under a specific age, and can only be enabled by a parent or guardian.

• Default Off, Managed by Teen: The feature is disabled by default, but teens above a certain age must enable it themselves. (This is important for Indonesia’s “High Privacy by Default” requirement.)

Location Tracking & Profiling

Precise location tracking for minors is prohibited unless it is absolutely necessary, and only for a limited time. Profiling is also banned unless it is in the child’s best interest or is essential to the service they’ve actively requested.

In the k-ID Developer Portal, both Precise Location Sharing and Profiling are pre-defined settings. These have been set as Prohibited for all users under 18 in Indonesia, in light of this requirement.

Final Thoughts

Indonesia’s regulation reflects a broader trend: regulators are raising the bar on how companies must protect children online. The obligations are complex — but with the right infrastructure, they’re completely manageable, and can even enhance the user experience.

At k-ID, we’ve designed our platform to give you everything you need to comply confidently and at scale — while delivering a high-quality experience for families.

👉 Want to get started? Contact us or explore our Developer Docs to get started.