Indonesia PDP Law

Law No. 27 of 2022 on Personal Data Protection

Key Facts

Effective Date: October 17, 2022
Enacted: October 17, 2022
Enforcing Authority: Indonesian DPA (not yet established as of early 2026). The MOCD is the de facto oversight body.
Consent Model: Opt-in
Applies To: Any legal or natural person processing personal data in or affecting Indonesia (extraterritorial)

Overview

Indonesia's PDP Law is the country's first comprehensive data protection law, enacted October 2022. It requires explicit, informed, specific consent for data processing. However, the Indonesian DPA has not yet been established despite the two-year transitional period ending October 2024, creating a current enforcement gap.

What This Means for Your Website

  • Explicit, informed, and specific consent is required for processing personal data of Indonesian visitors
  • Special provisions apply for children's and disabled persons' data
  • Criminal penalties include up to 6 years' imprisonment and fines of up to IDR 6 billion
  • Corporate entities may face asset forfeiture, business suspension, or dissolution
  • The enforcement gap (no DPA yet) is expected to close once the authority is established

Key Requirements

The MOCD (formerly Kominfo) currently serves as the de facto oversight body while the DPA is being established. Criminal penalties are significant: up to IDR 6 billion and 6 years for falsifying personal data. Breach notification must occur within 72 hours. DPIAs are required for high-risk processing.

How ConsentStack Handles This

ConsentStack applies explicit consent for Indonesian visitors, positioning websites for compliance as the DPA becomes operational.

Penalties

Unlawful collection: up to IDR 5B and/or 5 years. Unlawful disclosure: up to IDR 4B and/or 4 years. Falsifying data: up to IDR 6B and/or 6 years.

Maximum Fine: IDR 6,000,000,000 per violation

Key Requirements

  • Explicit, informed, specific consent for data processing
  • Special provisions for children and disabled persons
  • Data subject rights: access, correction, deletion, objection, portability
  • Mandatory breach notification within 72 hours
  • Data Protection Impact Assessment for high-risk processing
  • Cross-border transfers with adequate protection levels

Notable Provisions

  • DPA not yet established despite transitional period ending October 2024
  • Criminal penalties including up to 6 years' imprisonment
  • Corporate entities may face asset forfeiture or dissolution
  • First comprehensive DP law for Indonesia

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

Is Indonesia's data protection law enforced?

The DPA has not yet been established despite the transitional period ending October 2024. The MOCD is the de facto oversight body. Stricter enforcement is expected once the DPA is operational.

What are Indonesia's privacy penalties?

Up to IDR 6 billion and 6 years' imprisonment for falsifying data. Corporate entities may face asset forfeiture or dissolution.

Does Indonesia's law apply extraterritorially?

Yes. The PDP Law applies to processing in Indonesia and processing outside Indonesia that has legal consequences in Indonesia or affects Indonesian data subjects.
