Indonesia PDP Law and analytics
Indonesia's Personal Data Protection Law (Law No. 27 of 2022) is the country's first comprehensive data-protection statute. It defines lawful bases including consent, contractual necessity, legal obligation, vital interests, and legitimate interests; distinguishes general from specific personal data; and assigns controller and processor duties. It can apply extraterritorially. A transition period applied after enactment. Analytics on Indonesian visitors can be in scope. This is educational, not legal advice.
What this means
Law No. 27/2022 protects personal data of identifiable individuals and lists lawful bases similar to the GDPR's: consent, contract, legal obligation, vital interests, public task, and legitimate interests. It separates 'general' personal data from 'specific' personal data (such as health, biometrics, and financial data), with the latter subject to stricter handling. Controllers and processors have defined obligations, and the law can reach processing outside Indonesia that affects people there.
Why it touches analytics
Analytics capturing IP addresses, device identifiers, or behaviour about identifiable Indonesian visitors processes personal data. Choose and document a lawful basis; where consent is used it should be specific and informed. Implementing regulations and an oversight body have been developing since enactment, so the operational detail continues to firm up. Collecting less and anonymising IPs reduces the footprint the law governs.
Check current implementing rules before relying on a particular basis.
- GDPR-style lawful bases, including legitimate interests
- General vs specific personal data, with stricter rules for the latter
- Extraterritorial reach for processing affecting Indonesians
How it appears in analytics and logs
If your analytics stores identifiers from Indonesian visitors, the PDP Law may apply: rely on a lawful basis and meet controller duties, with stricter rules for specific data.
Diagnostic use case
Assess whether analytics processes personal data of people in Indonesia, since the PDP Law ties processing to consent or another lawful basis.
What WebmasterID can help detect
WebmasterID minimises personal data and anonymises IPs at ingest, reducing the data that the lawful-basis and controller duties of Indonesia's PDP Law would otherwise reach.
Common mistakes
- Assuming the PDP Law only binds Indonesian companies.
- Treating 'specific' personal data like ordinary data.
- Relying on consent without making it specific and informed.
Privacy and accuracy notes
This page is educational, not legal advice. Minimised, aggregated measurement reduces how much personal data the PDP Law's bases govern.
Related pages
- Lawful basis for analytics processing
The GDPR requires a lawful basis for processing personal data. For analytics the realistic candidates are consent and legitimate interests, each with conditions: consent must be valid and is often required where ePrivacy applies to cookies, while legitimate interests demands a balancing test and grants the visitor a right to object. Picking and documenting the basis is the operator's job. This is educational, not legal advice.
- Sensitive data categories and analytics
The GDPR designates 'special categories' of personal data — racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic and biometric data, health, sex life, and sexual orientation — that warrant heightened protection and generally require an explicit lawful condition. Analytics can accidentally collect or infer such data via URLs, search terms, or profiling, which is a serious risk to avoid. This is educational, not legal advice.
- Controller vs processor
The GDPR assigns different duties to a controller — who determines the purposes and means of processing — and a processor, who processes personal data on the controller's behalf. Whether your analytics vendor is a processor or a joint controller changes the contracts and liabilities involved. This page explains the distinction and how it applies to analytics.
- Privacy-first analytics
Minimised data narrows the PDP Law's lawful-basis scope.
Sources and verification notes
- Republic of Indonesia — Law No. 27 of 2022 on Personal Data Protection. Official statute record. Educational, not legal advice.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.