Cookie consent in Indonesia
Consent and privacy law in Indonesia
Personal Data Protection Law No. 27 of 2022, with a transition period to 2024
id
Who must comply
Public and private data controllers and processors that process personal data of individuals in Indonesia, including those abroad with effects on people in Indonesia.
Penalties
Administrative fines up to 2 percent of annual revenue, plus criminal penalties
Key obligations
- Obtain valid, explicit and recorded consent where it is the basis
- Provide clear notice of purpose and retention
- Honor access, correction, erasure and objection rights
- Appoint a data protection officer for certain processing
- Notify breaches to the authority and affected individuals within the required time
Local guidance
- Comply with Law No. 27 of 2022 after the 2024 transition
- Use explicit, recorded consent
- Notify breaches within 72 hours
- Provide notices in Bahasa Indonesia
How ConsentX helps
- Explicit, recorded opt-in consent capture
- Clear purpose and retention notice
- Rights request workflow with evidence
- Consent receipts for audit
- Region rule engine tuned for Indonesia
We value your privacy
We ask for your consent before any non-essential cookie, with the rules that apply in your region.
This page is a plain-English summary for general information and is not legal advice. Confirm your obligations with qualified local counsel.
How to comply with Indonesia using ConsentX
- 1
Scan your website
Run a free scan to find every cookie and tracker on your site, so you know exactly what needs consent under Indonesia.
- 2
Show a geo-aware consent banner
Add the ConsentX banner. It detects each visitor region and shows the consent experience that Indonesia requires, automatically.
- 3
Block trackers until consent
Keep non-essential cookies and trackers blocked until the visitor agrees, so nothing fires before consent.
- 4
Record tamper-evident proof
Every choice is stored as a tamper-evident consent receipt you can produce in a Indonesia audit.
- 5
Handle data requests on time
Use the built-in DSAR workflow with SLA timers to answer access, deletion and opt-out requests within the legal deadline.
Frequently asked questions
When did Indonesia's PDP Law take full effect?+
Law No. 27 of 2022 had a two year transition period that ended in late 2024, by which organisations were expected to comply, while a dedicated supervisory agency is being established.
Are there criminal penalties under Indonesia's PDP Law?+
Yes. Beyond administrative fines up to 2 percent of annual revenue, the law includes criminal penalties for unlawful collection, disclosure, or use of personal data.