Application of the Regulation

GR 17/2025 shall apply to all public and private PSEs which provide products, services and/or features that are intended for use by children and/or that can be accessible by children. Under GR 17/2025, “PSE” is defined as any individual, government body, business entity, or community that provides, manages, and/or operates an electronic system, either independently or in cooperation with others, for its own purposes or on behalf of others. Therefore, this regulation also applies to registered international PSEs (PSE asing). 

 

Age Requirement

GR 17/2025 provides a definition of a “Child” or “Children” as being any person under (who has not yet reached) the age of 18. Further, GR 17/2025 provides “Age Range Classifications” where PSEs are required to provide information on the minimum age required to use the products, services or features to ensure “age-appropriate” content is offered. The Age Range Classifications are as follows:

(i)        3 to 5 years;
(ii)      6 to 9 years;
(iii)      10 to 12 years;
(iv)      13 to 15 years;
(v)       16 to under 18 years.

All PSEs must also take appropriate steps to verify that users meet the respective platform’s age requirements, which includes to confirm that the child is above the minimum age (3 years) and falls within the appropriate Age Range Classification.

Further, when an account registration is required for the use of the respective platform, it may only be permitted with the following conditions:

(i)        for Children under 13 years old - they may create an account related to products, services or features that are specifically designed for Children and classified as low-risk with obtaining parental consent;
(ii)      for Children between 13 to 16 years old - they may create an account related to products, services or features classified as low-risk with obtaining parental consent; and
(iii)      for Children between 16 to 18 years old - they may create an account related to all products, services or features with obtaining parental consent.

GR 17/2025 emphasizes the requirement to obtain parental consent and requires PSEs to create an appropriate mechanism for the collection of such consent from a Child’s parent and/or legal guardian before granting access to Children. It further provides that PSEs shall provide a “reasonable” timeframe for the respective parental consent to be obtained, and refers to 24 hours’ indication. Specifically, for Children aged 17 years and above, the Child may provide initial consent, but then the PSE is required to notify the parent or guardian, and if no objection is received within 6 hours of such notification, the consent is deemed valid and the service can be provided.

If parental consent is not obtained, or if consent is only provided by the Child without the parental consent, the PSE must refrain from providing the service and must delete any data collected.

 

Assessment of Risk

One of the key requirements provided in GR 17/2025 is for PSEs to conduct a self-assessment to indicate whether it is high risk or low risk for Children, which shall be carried out based on the following aspects:

(i)        contact with unknown persons;
(ii)       exposure to pornographic content, violent content, content that is dangerous to life, and other content that is not suitable for Children;
(iii)      exploitation of Children as consumers;
(iv)      threatening the security of Children’s personal data;
(v)       causing addiction;
(vi)      disturbing the psychological health of Children; and
(vii)     causing physiological disorders of Children

If the assessment results in high value for one or more aspects above being covered, it shall be considered as high-risk.

 

Other obligations

The regulation explicitly sets out the obligations that shall be carried out by PSEs, which include:

(i)        obtaining consent from the Children’s parents or guardians;
(ii)       compiling an assessment on the impact of Personal Data Protection;
(iii)      configuring product, service, and feature settings that are specifically designed to be used or accessed by Children or that may be used or accessed by Children with a high level of privacy by default;
(iv)      providing complete, correct, accurate, and non-misleading information for users to understand the products, services, and features;
(v)       conducting education and empowerment of the digital ecosystem;
(vi)      providing notifications in the form of signs or signals in monitoring the activities or tracking the location of Children from products, services, and features;
(vii)     providing a choice of functions that are appropriate to the capacity and age of Children;
(viii)   firmly determining the party responsible for processing Children’s Personal Data in the provision of toys or devices that allow the toys or devices to be connected to the internet;
(ix)     ensuring that the party appointed or collaborating with the PSE meets the provisions on Child protection; and
(x)       determining the officials or officers who carry out the function of protecting Personal Data.

Sanctions

GR 17/2025 provides sanctions that can be imposed by the Ministry of Communications and Digital (“COMDIGI”) that has the authority to supervise the implementation of the regulation, including supervising all PSE activities, and when there is a suspected violation, administrative sanctions in the forms of the following may be imposed:

(i)       written warning;
(ii)       administrative fine;
(iii)      temporary suspension; and/or
(iv)      access termination.

 

Transitional Period

GR 17/2025 provides a two-year transitional period for all PSEs to adjust their system, policies and operational implementation for the compliance with the regulation. COMDIGI is expected to further outline a ministerial regulation for the further implementation of this regulation.

 

How does this affect Japanese companies?

Japanese companies that fall within the definition of being a PSE (domestic or foreign, public or private) should reassess their terms of use and privacy policy, to include the requirements as set out in GR 17/2025.

 

TMI Indonesia Practice Group