Indonesia's PDP Law and How It Applies to Cookies
Indonesia enacted Law No. 27 of 2022 on Personal Data Protection (commonly called the PDP Law or UU PDP) on 17 October 2022. The law gave data controllers a two-year transition period that ended on 17 October 2024, meaning full compliance is now mandatory.
The PDP Law does not mention cookies by name. It regulates the processing of personal data in general, and cookies that collect or store personal data fall squarely within its scope. If your website sets tracking cookies such as _ga, _fbp, or similar identifiers on visitors located in Indonesia, you are processing personal data under this law.
The law follows a consent-based model similar to the GDPR, though with some differences in enforcement structure and implementation timelines. Neighbouring Malaysia has its own framework under the PDPA 2010, making Southeast Asia an increasingly regulated region for website operators.
The Data Protection Authority: Still Taking Shape
The PDP Law mandates the creation of a dedicated Personal Data Protection Authority (Lembaga Pelindungan Data Pribadi, or Lembaga PDP). This body will handle policy formulation, supervision, enforcement, and dispute resolution.
As of early 2026, the Lembaga PDP has not yet been formally established. A draft Presidential Regulation outlining its structure was made public at the end of February 2026, more than three years after the law's enactment. In the interim, the Ministry of Communication and Digital Affairs (Kementerian Komunikasi dan Digital, or Komdigi) oversees personal data protection through its Directorate General of Digital Space Supervision, as set out in MOCD Regulation No. 1 of 2025.
The implementing regulation (known as RPP PDP or Government Regulation on PDP) is also still pending. It completed its fourth harmonisation process in early 2025 and has been passed to the State Secretary for presidential approval.
Consent Requirements Under the PDP Law
Article 20 of the PDP Law lists six lawful bases for processing personal data, closely mirroring Article 6 of the GDPR. These include consent, contractual necessity, legal obligation, vital interests, public interest, and legitimate interest.
When consent is the lawful basis, the requirements are strict. Consent must be:
Explicit - a clear affirmative act, not silence or inactivity
Informed - accompanied by information about the purpose, type of data, retention period, and data subject rights (Article 21)
Specific - tied to a defined processing purpose
Recorded - the controller must retain proof of consent (Article 24)
In writing - whether electronic or non-electronic, and in Bahasa Indonesia
Pre-ticked boxes do not satisfy these requirements. Scroll-as-consent or implied consent mechanisms are also insufficient, as the PDP Law does not recognise acceptance by silence.
Data subjects have the right to withdraw consent at any time. Once withdrawn, the data controller and any processors must stop processing within 72 hours and delete the personal data collected.
What This Means for Cookies on Your Website
Because tracking and analytics cookies process personal data, you need a valid lawful basis before setting them. For most cookie banner scenarios, that basis is consent.
Strictly necessary cookies - those required for basic website functionality, such as PHPSESSID or cart session cookies - may fall under a different lawful basis (contractual necessity or legitimate interest). The PDP Law does not carve out a specific exemption for these, but their processing purpose is inherently tied to the service the visitor requested.
Analytics cookies like _ga, advertising cookies like _fbp, and any third-party tracking scripts require prior opt-in consent from the visitor before activation. A cookie consent banner that blocks non-essential cookies until the visitor actively agrees is the safest approach.
Granular Consent by Category
The PDP Law requires consent to be specific to a stated purpose. This means bundling all cookies into a single "accept all" option without offering category-level choices is risky. Providing granular consent options - separating analytics, marketing, and functional cookies - aligns more closely with the law's purpose-limitation principle.
Penalties and Enforcement
The PDP Law includes both administrative and criminal penalties.
| Penalty Type | Maximum Sanction | Details |
|---|---|---|
| Administrative fine | 2% of annual revenue | Calculated based on duration, impact, business scale, and ability to pay |
| Criminal fine (individual) | IDR 6 billion (approx. USD 400,000) | For severe violations such as illegal processing or intentional breaches |
| Criminal imprisonment | Up to 6 years | For unlawful collection, use, or disclosure of personal data |
| Corporate fine | Up to 10x the individual maximum | Where offences are committed by a corporation |
| Other administrative sanctions | Varies | Warning letters, suspension of data processing, data deletion orders |
No formal PDP Authority-led administrative penalties have been issued to date, primarily because the Lembaga PDP does not yet exist. Criminal enforcement under the PDP Law has been active, with several court decisions handed down. The absence of a dedicated regulator does not mean the law is unenforced - it means enforcement is currently handled through existing government channels and the criminal justice system.
Once the Lembaga PDP is operational and the implementing regulation is finalised, enforcement is expected to intensify significantly.
How Indonesia's PDP Law Compares to the GDPR
The PDP Law borrows heavily from the GDPR, but several differences stand out.
| Aspect | Indonesia PDP Law | EU GDPR |
|---|---|---|
| Lawful bases for processing | Six bases (Article 20), similar to GDPR | Six bases (Article 6) |
| Cookie-specific rules | No cookie-specific provision; general data processing rules apply | ePrivacy Directive provides cookie-specific rules alongside GDPR |
| Consent withdrawal timeline | Processing must stop within 72 hours; data must be deleted | No fixed timeline; must be as easy to withdraw as to give |
| Language requirement | Consent must be in Bahasa Indonesia | No specific language mandate (must be understandable) |
| Supervisory authority | Lembaga PDP (not yet established as of early 2026) | Independent DPAs in each member state |
| Maximum administrative fine | 2% of annual revenue | Up to 4% of global annual turnover or EUR 20 million, whichever is higher |
| Criminal penalties | Yes, up to 6 years imprisonment | Left to member states; GDPR itself has no criminal sanctions |
The 72-hour deadline for acting on consent withdrawal is notably stricter than the GDPR's approach. The Bahasa Indonesia language requirement for consent also adds a localisation step that websites targeting Indonesian visitors should account for.
Practical Compliance Checklist
If your website receives visitors from Indonesia, these steps will help you align with the PDP Law.
Audit your cookies - run a cookie scan to identify every cookie your site sets, including those from third-party scripts
Classify cookies by purpose - separate strictly necessary, analytics, functional, and marketing cookies into distinct categories
Implement a consent banner - display a banner that blocks non-essential cookies until the visitor gives explicit opt-in consent
Offer granular choices - allow visitors to accept or reject cookies by category rather than forcing an all-or-nothing decision
Provide information in Bahasa Indonesia - the PDP Law requires consent to be given in Bahasa Indonesia, so consider localising your banner for Indonesian visitors using geo-detection
Record consent - maintain logs of when and how each visitor consented, as Article 24 requires proof of consent
Enable easy withdrawal - visitors must be able to change their cookie preferences at any time, and your site must stop processing within 72 hours of withdrawal
Update your privacy policy - include the information required by Article 21: lawful basis, processing purposes, data types, retention period, and data subject rights
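The checklist above translates into a small amount of logic that most banners get wrong: nothing non-essential may be set before an affirmative choice, categories must default to declined, the choice must be recorded as proof, and withdrawal must produce a concrete deletion list. The following is an added example written for this article, not code from the PDP Law, Komdigi or any consent-management product. It is pure logic with no DOM access so it can be run in Node; the cookie inventory, the category names, the banner version string and the idea of tagging each consent record with the language the banner was shown in are all constructed assumptions for illustration. Wiring it to document.cookie and to your tag loader is left to the integration.

```javascript
// Added example (not from the original article): category-gated cookie consent
// for a site with Indonesian visitors. Constructed inventory and names.

const HOURS_72_MS = 72 * 60 * 60 * 1000;

// Constructed inventory; a real one comes from the cookie scan in step 1.
const COOKIE_INVENTORY = {
  PHPSESSID: "necessary",
  cart_id: "necessary",
  _ga: "analytics",
  _gid: "analytics",
  _fbp: "marketing",
  site_theme: "functional",
};

const NON_ESSENTIAL = ["analytics", "functional", "marketing"];

class ConsentStore {
  constructor(now = () => Date.now()) {
    this.now = now;       // injectable clock so records are reproducible in tests
    this.record = null;   // no record means only "necessary" cookies may be set
  }

  // Only an explicit, affirmative choice reaches this method: the banner must
  // never call it on scroll, timeout or close. Every category defaults to
  // declined (no pre-ticked boxes); anything not listed in NON_ESSENTIAL is
  // ignored. The language check encodes the Bahasa Indonesia requirement as
  // an assumed two-letter code on the banner copy that was displayed.
  recordConsent({ choices, language, bannerVersion }) {
    if (!choices || typeof choices !== "object") {
      throw new Error("consent requires an explicit choices object");
    }
    if (language !== "id") {
      throw new Error("consent banner must be presented in Bahasa Indonesia");
    }
    const granted = {};
    for (const cat of NON_ESSENTIAL) granted[cat] = choices[cat] === true;
    this.record = {
      grantedAt: this.now(),   // proof of when consent was given
      language,
      bannerVersion,           // which wording the visitor actually saw
      granted,
      withdrawnAt: null,
    };
    return this.record;        // persist this server-side as the consent log
  }

  // Decide whether a cookie may be set right now. Unknown cookies are blocked
  // until they have been classified, which is the safe failure mode.
  allows(cookieName) {
    const category = COOKIE_INVENTORY[cookieName];
    if (category === undefined) return false;
    if (category === "necessary") return true;
    return this.record !== null && this.record.granted[category] === true;
  }

  // Withdraw some or all categories. Returns the cookies that must be deleted
  // and the timestamp by which processing must have stopped (72 hours).
  withdraw(categories = NON_ESSENTIAL) {
    if (this.record === null) return { cookiesToDelete: [], stopBy: null };
    const at = this.now();
    for (const cat of categories) {
      if (cat in this.record.granted) this.record.granted[cat] = false;
    }
    this.record.withdrawnAt = at;
    const cookiesToDelete = Object.entries(COOKIE_INVENTORY)
      .filter(([, cat]) => categories.includes(cat))
      .map(([name]) => name);
    return { cookiesToDelete, stopBy: at + HOURS_72_MS };
  }
}

// Split the inventory into what may fire and what stays blocked for the
// current state; feed "allowed" to the tag loader and nothing else.
function partitionCookies(store) {
  const allowed = [];
  const blocked = [];
  for (const name of Object.keys(COOKIE_INVENTORY)) {
    (store.allows(name) ? allowed : blocked).push(name);
  }
  return { allowed, blocked };
}

// Demo run: before consent, after analytics-only consent, after withdrawal.
const demo = new ConsentStore();
console.log("before consent:", partitionCookies(demo));
demo.recordConsent({ choices: { analytics: true }, language: "id", bannerVersion: "2026-03" });
console.log("analytics only:", partitionCookies(demo));
console.log("withdraw analytics:", demo.withdraw(["analytics"]));
```

Two design points worth keeping when you adapt this: the blocked-by-default path for unknown cookies means a newly added third-party script fails closed until someone classifies it, and the withdrawal result carries the deletion list and deadline together so the same record can drive both the client-side cookie purge and the server-side job that stops processing.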
Frequently Asked Questions
Does Indonesia require cookie consent?
The PDP Law does not mention cookies specifically, but it requires explicit consent before processing personal data. Since tracking and analytics cookies process personal data, opt-in consent is needed before setting them on visitors in Indonesia.
What is the PDP Law in Indonesia?
The PDP Law (Law No. 27 of 2022 on Personal Data Protection, or UU PDP) is Indonesia's comprehensive data protection legislation. It regulates how personal data is collected, stored, processed, and shared, with requirements for consent, transparency, and data subject rights.
What are the fines for violating the PDP Law?
Administrative fines can reach 2% of annual revenue. Criminal penalties include imprisonment of up to 6 years and fines of up to IDR 6 billion (approximately USD 400,000). Corporations face fines up to 10 times the individual maximum.
Is Indonesia's PDP Law the same as GDPR?
The PDP Law shares structural similarities with the GDPR, including six lawful bases for processing and requirements for explicit consent. Key differences include the 72-hour consent withdrawal deadline, the Bahasa Indonesia language requirement, and the absence of a separate cookie-specific regulation like the ePrivacy Directive.
Do I need a cookie banner for Indonesian visitors?
Yes, if your website sets non-essential cookies that process personal data. The PDP Law requires explicit, informed consent before processing, making an opt-in cookie banner the most practical compliance mechanism for websites targeting visitors in Indonesia.
Who enforces the PDP Law in Indonesia?
The Ministry of Communication and Digital Affairs (Komdigi) currently handles data protection supervision. A dedicated authority, the Lembaga PDP, is mandated by the law but has not yet been formally established as of early 2026.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - with geo-detection to serve the right banner to visitors in Indonesia and every other jurisdiction your site reaches.