On 6 March 2026, the Minister of Communication and Digital (MOCD) issued Minister of Communication and Digital Regulation No. 9 of 2026 (MOCD Reg. 9/2026), which serves as the implementing regulation of Government Regulation No. 17 of 2025 on the Governance of Electronic System Operations for Child Protection (GR 17/2025).
MOCD Reg. 9/2026 translates the policy‑level obligations under GR 17/2025 into practical compliance requirements for Electronic System Providers (ESPs), including age classification and verification measures, platform risk profiling and self‑assessment, parental supervision features, as well as supervisory and enforcement arrangements. In this structure, GR 17/2025 provides the statutory foundation by establishing the overarching legal framework for children's protection in the operation of electronic systems. Below are the key points covered under MOCD Reg. 9/2026:
MOCD Reg. 9/2026 requires ESPs to specify the minimum age at which children may access their products, services, and features. The minimum age is set at 3 years, with mandatory age groupings of 3–5, 6–9, 10–12, 13–15, and 16 to under 18 years.
ESPs must ensure that their features are appropriate for the relevant age group, considering children's developmental stages, and are expressly prohibited from targeting features to children under 3 years old. Information on age limits must be clearly communicated, updated in advance if changed, and properly documented, including where features are offered in cooperation with other ESPs.
ESPs are required to conduct and document a self‑assessment to ensure that their products, services, and features comply with the applicable minimum age and age groupings. The self‑assessment must consider, among others, children's needs, risks arising from the operation of the products, services, and features, and input from relevant internal and external stakeholders.
The assessment must be adopted before children can access the products, services, and features, updated when material changes occur, and retained in accordance with applicable requirements. This obligation operationalises the risk assessment framework under GR 17/2025.
MOCD Reg. 9/2026 implements a risk profiling regime under which products, services, and features are classified as high risk or low risk based on factors such as interaction with unknown parties, exposure to harmful content, economic exploitation, protection of children's personal data, addiction, and psychological or physiological impacts.
If a feature is assessed as high risk in any category, it is classified as high risk overall. ESPs must submit their self‑assessment to the MOCD for verification, with the final risk profile determined by the MOCD.
Where access to products, services, and features requires user accounts, ESPs must provide technical mechanisms enabling parental consent and supervision of children's accounts. Access rights are determined by the child's age and the feature's risk profile.
ESPs must also implement reliable age verification mechanisms, either internally or through third parties, in compliance with child protection and technology reliability standards.
For social media and networking services, features are treated as high risk by default, and ESPs are required to deactivate accounts of children under 16 to comply with minimum age restrictions.
MOCD Reg. 9/2026 operationalises the child‑protection framework under GR 17/2025 by embedding ‘safety by design’ and ‘privacy by design’. ESPs must integrate data‑protection and privacy safeguards into the design and operation of products, services, and features accessible to children, and must evaluate and adjust these design safeguards as part of their initial and ongoing risk assessments and re‑assessments.
This requirement is operationalised through the self‑assessment and risk‑profiling process. Where there is a change in risk level, ESPs must re‑evaluate whether safety‑by‑design and privacy‑by‑design safeguards have been adequately embedded in the products, services, and features, including in the way children's personal data is collected, processed, stored, and displayed.
Our team is well‑placed to support you in navigating this evolving regulatory landscape and in maintaining robust, future‑proof compliance strategies. Please feel free to contact any of the authors or your usual Hogan Lovells contact should you require assistance in responding to these requirements.
Authored by Chalid Heyder, Teguh Darmawan, and Andera Rabbani.