In March 2025, Indonesia introduced Government Regulation No. 17 of 2025 on Governance of Electronic System Implementation in Child Protection (PP Tunas), a comprehensive child online safety law that places detailed obligations on electronic system operators (ESOs). In March 2026, Indonesia also released Ministerial Regulation No. 9 of 2026, which serves as the implementing regulations for PP Tunas.

These laws are unique in the world for many reasons, in particular because (1) they require all online services to perform mandatory age checks (regardless of the service’s intended audience), and (2) they require all covered companies to submit a self-assessment to the Ministry of Communication and Digital Affairs and receive a confirmation of their online service’s risk level (High Risk, Low Risk or Low Risk but specifically designed for use by children).

In this article, we’ll introduce how you can easily use k-ID’s AgeKit+ and Compliance Developer Kit (CDK) to help you apply the minimum age limits required under PP Tunas based on your risk assessment outcomes, facilitate obtaining parental consent where needed, and implement age assurance measures, all at once.

Overview

PP Tunas implements a series of concurrent compliance requirements for online services: 

Firstly, there is an overarching obligation to conduct mandatory age checks for all users and to filter underage users (i.e. below the age of 18) into a mandatory five-tier age grouping system. 

The regulator has indicated that a minister-approved list of technologies for age checks will subsequently be issued. At present, however, the method used for age checks should be reliable and privacy-preserving in nature. The good news there is that k-ID orchestrates a wide variety of approved age assurance methods, such as facial age estimation (both on-device or server based), ID verification, credit card, and reusable AgeKeys: all of these methods and more are accessible for all AgeKit+ customers.

Secondly, for all users below the age of 18, verifiable parental consent (“VPC”)  is required prior to allowing access to online services and/or the processing of personal data of minors.

PP Tunas also requires VPC on an opt-in basis before minors under the age of 18 are allowed access to online services. The VPC must be obtained within 24 hours of the minor’s request for access and any VPC obtained after the 24 hour time limit will not be valid. 

k-ID’s Compliance Development Kit (CDK) automatically adjusts for these requirements  by default, and this works in tandem with all other settings (i.e. for Mandatory Age Checks and the High/Low risk restrictions). 

Lastly, Electronic System Organisers (ESOs) who require registration or an account to use or access its services must conduct a mandatory risk self-assessment that will be reviewed and confirmed by the Ministry of Communication and Digital Affairs.  

When assessing your service’s risk level, these mandatory factors must be assessed to determine if the minor’s usage of the service creates or increases the risk of:

I.  Interaction between the minor and unknown persons

II.  Exposure to harmful content such as violence or sexual content

III.  Financial exploitation of a minor (e.g. inducing unnecessary in-app spending)   

IV.  Inability to protect the minor’s personal data 

V. Minors getting addicted to the service(s)

VI. Psychological harm caused to the minor 

VII. Physiological harm caused to the minor

Should any single factor above be assessed as a high risk, the entire service will be a high risk service. Online social media services are classified as High Risk by default. 

Depending on the risk level, you will be required to restrict access for the different age group as follows: 

Below, we’ll outline the process for complying with these rules. Even if you haven’t submitted or received the results of your self-assessment, if you feel confident of your likely risk outcome, you can pre-configure your product per the instructions below to save time later.

Configuring k-ID for your Online Service 

Complying with PP Tunas can be made easier with k-ID. For any online service, you’ll need to do the following: 

1. Implement a minimum access age of 16/13/3 (depending on your risk level)

2. Require parental consent for users age 16 - 18

3. Implement reliable age assurance checks for all users during the registration / account sign up process

Below we explain how you can achieve this with k-ID.

Steps 1 and 2: Implement a minimum access age of 16/13/3 and require parental consent for users age 16 - 18

In the k-ID Compliance Studio, under Product Access, select “Add Market Specific Rules”. Select “Indonesia” as the jurisdiction and create a Custom Minimum Age of 16 (for High Risk Services), 13 (for Low Risk Services) or 3 (for Low Risk Services designed for children). Note that you do not need to do anything to trigger the parental consent feature for users below the age of 18: that happens automatically. 

Step 3: Implement reliable age assurance checks for all users during the registration / account sign up process

Under “Age Assurance”, select the age assurance methods you wish to use based on what you considered in your self-assessment. By default, Facial Age Estimation Scan, ID Scan and AgeKeys are selected, but you can customize the methods used if you like.

Once you’ve completed the steps above, your configuration should look like this:

Push to Live, link up your web hooks and API keys, and you’re all set!

Conclusion

k-ID’s AgeKit+ and CDK provides an easy way for you to conduct age checks, obtain parental consent where required and to restrict access based on risk levels concurrently via one single API key with minimal fuss. Contact us if you would like to learn more about how we can power your compliance needs.

👉 Ready to get started? Contact us or explore our k-ID Developer Hub to get started.