Indonesia UU PDP Cookie Consent: Compliance Guide for Publishers
Indonesia is the fourth-largest internet market in the world. For any publisher serving content to its roughly 215 million online users, the country's Personal Data Protection Law, Law No. 27 of 2022 (Undang-Undang Pelindungan Data Pribadi, or UU PDP), is now the single most important piece of compliance to get right. Enacted in October 2022 and fully enforceable since October 2024, when the two-year transition window closed, the UU PDP is modelled closely on the GDPR but introduces its own consent format, controller obligations, and penalty regime. This guide walks publishers through what the UU PDP requires, where it diverges from GDPR habits, and how to configure a consent banner that satisfies Indonesian regulators.
What the UU PDP Covers and Who Is Caught
The UU PDP is Indonesia's first comprehensive personal data protection statute. Before its enactment, data protection rules in Indonesia were scattered across sectoral regulations — banking, telecoms, e-commerce, electronic systems. The UU PDP consolidates these into a single horizontal regime that applies to any controller or processor handling the personal data of Indonesian data subjects, regardless of where the controller is established.
This extraterritorial reach is the most important fact for foreign publishers. Article 2 applies the law not only to processing inside Indonesia but also to processing outside it that has legal consequences in Indonesia or concerns Indonesian data subjects, so a US, EU, or Singapore-based publisher serving content to users located in Indonesia is caught by the UU PDP. The presence test is functional, not formal: if the controller targets Indonesian users, whether through Bahasa Indonesia content, Indonesian payment options, or geo-targeted advertising, the UU PDP applies in full.
The Consent Standard Under Article 22
Article 22 of the UU PDP sets the form that consent must take and is the cornerstone of any cookie banner targeted at Indonesian traffic. Read together with the information duties in Article 21 and the right to withdraw consent in Article 9, it requires consent to be:
- Explicit — silence, pre-ticked boxes, and continued site use do not constitute consent. The user must take a positive action.
- Specific — consent must be tied to a defined processing purpose. A single Accept-All button covering ten different purposes, with no per-purpose controls beside it, is unlikely to satisfy this requirement.
- Informed — the data subject must receive, before consenting, the controller identity, the data categories, the purposes, the retention period, the recipients, and their rights.
- Documented in writing or recorded electronically — Article 22 requires consent to be given in writing or recorded, and the controller must therefore be able to produce that record. A timestamped consent log entry, tied to a keyed hash of the user identifier and to the version of the banner shown, satisfies this requirement; a vague claim that the user clicked Accept does not.
- Revocable on equivalent terms — Article 9 gives the data subject the right to withdraw consent, and withdrawal must be as easy as the original grant. A reject path that takes three clicks while accept takes one is not defensible.
Practitioners will recognize these requirements: they map almost one-to-one to the GDPR's definition of consent in Article 4(11) and the conditions in Article 7. The differences are in scope and enforcement, not in concept.
Lawful Bases Beyond Consent
Like the GDPR, the UU PDP recognizes lawful bases other than consent. Article 20 lists six: consent, contract performance, legal obligation, vital interest, public task, and legitimate interest. For most cookie and tracking activity, however, consent is the only basis realistically available: the strict-necessity carve-out for cookies that are essential to provide a service the user requested is narrow and does not extend to advertising or analytics.
The strict-necessity carve-out
Session cookies, login cookies, language preference cookies, and shopping cart cookies fall under contract performance or legitimate interest with very low risk. They do not require explicit consent, though their categories must still be disclosed in the privacy notice. Everything else — analytics, advertising, retargeting, third-party pixels, fingerprinting — requires Article 22 consent.
Children's data
Article 25 requires the consent of a parent or guardian for any processing of a child's personal data. The UU PDP does not set its own age threshold but defers to Indonesia's child-protection legislation, under which a child is anyone under 18. This is stricter than the GDPR's age-of-digital-consent default of 16 (which member states can lower to 13). A publisher running children-oriented content in Bahasa Indonesia should treat the threshold as 18 and configure a parental verification flow, not a self-declaration checkbox.
Cross-Border Data Transfers
Article 56 governs the transfer of personal data outside Indonesia. A controller may transfer data to another country only if at least one of three conditions is met: the destination country has an adequate level of personal data protection comparable to the UU PDP, there are appropriate safeguards in place, or the data subject has given explicit consent to the transfer.
The Indonesian Ministry of Communication and Informatics (Kominfo, reorganised as the Ministry of Communication and Digital Affairs, Komdigi, in late 2024) has not yet published an adequacy list, and the standalone supervisory authority the UU PDP provides for is established separately by the President. In practice, publishers transferring data to GDPR jurisdictions, the United States, Singapore, or Australia rely on appropriate safeguards: typically standard contractual clauses adapted to the UU PDP, with a binding clause that downstream sub-processors honor UU PDP rights. For ad-tech vendors that operate from multiple regions, your data processing agreement must specify which regions handle Indonesian user data and what safeguards apply at each hop.
Data Subject Rights and the 72-Hour Window
The UU PDP grants Indonesian data subjects rights closely resembling the GDPR's: access, correction, deletion, objection to processing, data portability, and the right to challenge automated decisions. Two specifics matter for publishers.
First, Article 30 requires that the controller respond to a rights request within a reasonable time, which the implementing regulation has set at three working days for acknowledgment and a maximum of fourteen working days for substantive response. This is faster than the GDPR's one-month default.
Second, Article 46 requires written notification of a personal data breach to the affected data subjects and to the Personal Data Protection Authority within 3 x 24 hours, that is, 72 hours. The statute counts that period from the occurrence of the protection failure, not from the end of an internal investigation, so treat the clock as already running once the incident is detected and do not budget a confirmation period before notifying. The notice must state which personal data was compromised, when and how it was exposed, and what the controller is doing to handle and recover from the breach.
Penalties and Recent Enforcement
The UU PDP penalty regime has more teeth than many publishers initially recognized. Article 57 provides for administrative sanctions, including fines of up to 2% of annual revenue. Articles 67 to 73 provide for criminal sanctions of up to six years' imprisonment and fines of up to 6 billion rupiah for individuals; the offences include unlawful collection, unlawful disclosure, and unlawful use of personal data, and a corporate offender faces a fine of up to ten times the individual maximum.
Through 2025 enforcement was in a soft-launch phase, with Kominfo issuing warning letters and corrective orders rather than fines. That phase ended in early 2026. The first major administrative penalty under the UU PDP — issued to a domestic e-commerce operator in March 2026 for inadequate breach notification and missing parental consent on a minor-targeted product line — set a clear marker that enforcement is now active.
What a Compliant Publisher Banner Looks Like
For a publisher serving Indonesian traffic in 2026, the practical configuration is:
Localize the banner to Bahasa Indonesia
Article 22's explicit-consent requirement, read with the Article 21 information duties, is not satisfied by an English-language banner shown to a Bahasa-speaking user. The CMP must detect Indonesian users, by IP geolocation (which your CDN typically exposes as a country header) or by the Accept-Language header, and serve the banner, the privacy notice, and the granular controls in Bahasa Indonesia. Do not rely on Accept-Language alone: an Indonesian user whose browser locale is English is still in scope.
Treat consent as opt-in only
No tracking, advertising, or analytics scripts may fire before the user has explicitly accepted. Pre-ticked categories, implied consent from continued browsing, and "by using this site you agree" notices are all non-compliant.
Maintain documented consent logs
Article 22 requires consent to be given in writing or recorded, so the controller must be able to produce the record. A consent log that maps a keyed hash of the user identifier to a timestamp, the version of the banner shown, and the choices made is the document the regulator will request in any audit or complaint investigation. Keep it server-side, append-only, and separate from your analytics stores: the log exists to prove a decision, not to track the user.
Make withdrawal genuinely equivalent
A persistent floating consent icon, a one-click reject in the privacy preferences page, or a clear unsubscribe in any data-collecting email — each is a reasonable implementation. A buried link in a 4000-word privacy policy is not.
Bringing It Together
The UU PDP is not a GDPR clone, but it is close enough that publishers with mature European compliance programs can extend their existing consent infrastructure to Indonesia with targeted adjustments: Bahasa localization, an 18-year age threshold for parental consent, the 72-hour breach notification, and standard contractual clauses that explicitly cover UU PDP. Publishers without that infrastructure should treat the UU PDP as the trigger to build it. Indonesian enforcement is now active, and the cost of remediation after a Kominfo investigation begins is uniformly higher than the cost of getting the banner right before launch.