Indonesia is moving from text to teeth. With its Personal Data Protection Law (UU PDP No. 27/2022) now fully in force after the October 2024 expiry of the two-year transition period, the Ministry of Communication and Digital Affairs (Komdigi) is finalising implementing regulations that would explicitly target so-called dark patterns — pre-ticked consent boxes, obscured opt-outs, friction-laden withdrawal flows, and other interface designs that nudge users into surrendering data they would not otherwise share.
It is a significant moment for Southeast Asia's largest internet market. Indonesia has more than 200 million internet users and a digital economy that the Google–Temasek–Bain e-Conomy SEA reports have repeatedly identified as the region's largest by gross merchandise value. How Komdigi draws the line between legitimate UX design and unlawful manipulation will shape product decisions far beyond Jakarta.
What the draft rules appear to cover
UU PDP already requires that consent be specific, informed, unambiguous, and freely given — language drawn closely from the EU's General Data Protection Regulation (GDPR). The draft implementing regulations, according to public statements from Komdigi officials and stakeholder consultations reported in Indonesian media, would operationalise these requirements by prohibiting several recognisable practices:
- Pre-ticked checkboxes for non-essential processing;
- Visually subordinated "reject" or "manage preferences" buttons relative to "accept all";
- Consent flows that require materially more clicks or screens to refuse than to accept;
- Misleading language framing data sharing as necessary when it is optional; and
- "Confirmshaming" — copy designed to make users feel guilty for declining.
These are not novel categories. The European Data Protection Board's Guidelines 03/2022 on Deceptive Design Patterns in Social Media Platform Interfaces catalogued essentially the same taxonomy, and Article 25 of the EU Digital Services Act now explicitly prohibits very large online platforms from designing interfaces that "deceive or manipulate" users. The US Federal Trade Commission's 2022 staff report "Bringing Dark Patterns to Light" and its enforcement actions against Epic Games and over Amazon's Prime cancellation flow have built a parallel body of US practice.
The pro-innovation case for getting this right
From an open-internet perspective, the underlying instinct is sound. Consent that is engineered to be reflexive is not really consent. Markets where users genuinely choose what to share — and can withdraw without a treasure hunt — tend to produce more trustworthy services and more durable digital businesses. There is no serious tension between honest UX and a thriving platform economy; indeed, several of the world's most successful consumer products have made deliberate consent a brand asset rather than a compliance cost.
The risk lies in execution. Regulations that prescribe interface elements pixel-by-pixel, or that treat every persuasive design choice as suspect, can freeze product experimentation, raise compliance costs for Indonesian startups disproportionately to global platforms, and ultimately entrench incumbents. Indonesia's MSME-heavy digital economy — millions of small merchants on platforms like Tokopedia, Shopee, and Bukalapak — is particularly sensitive to compliance overhead that does not scale.
What proportionate regulation looks like
Komdigi has an opportunity to learn from both the strengths and the missteps of earlier regimes. Three design principles would keep the rules workable:
1. Outcome standards over interface mandates
The rules should articulate what manipulative design is — measured by effect on a reasonable user's ability to make a free choice — rather than dictate the exact placement, colour, or wording of buttons. Outcome-based drafting survives technological change; prescriptive UI rules do not.
2. Risk-tiered enforcement
UU PDP's administrative fine cap of 2% of annual revenue is meaningful. Applied indiscriminately to a small fintech with a clumsy onboarding flow, it is ruinous. A graduated approach — guidance and cure periods for first-time, low-harm violations; serious penalties reserved for systemic or repeat conduct on large platforms — would mirror how the EU's national supervisory authorities have largely operated in practice.
3. A real safe harbour for good-faith design testing
A/B testing is how digital products improve. Rules should explicitly carve out research conducted for usability and accessibility purposes, distinguishing it from experiments designed to suppress refusal rates. Singapore's Personal Data Protection Commission has done this reasonably well in its advisory guidelines; Indonesia could go further by codifying it.
The institutional question
The deeper challenge is structural. UU PDP envisions an independent data protection authority answerable to the President, but at the time of writing that body has not been fully stood up, and Komdigi continues to exercise interim authority. Dark-pattern rules will only be as good as the institution that interprets them. Indonesia's businesses and citizens both have an interest in seeing the independent regulator established quickly, professionally staffed, and given clear jurisdictional boundaries with sectoral regulators like OJK (financial services) and BI (the central bank).
The wider stakes
Indonesia is not regulating in a vacuum. Within ASEAN, Singapore, Thailand, Vietnam, and the Philippines have all moved on data protection in the last five years, with varying degrees of convergence on GDPR-style consent. India's Digital Personal Data Protection Act, 2023, takes a notably different — and arguably lighter — approach to consent UX. If Komdigi gets the dark-pattern rules right, Indonesia could anchor a pragmatic regional standard that protects users without exporting Europe's heavier compliance overhead wholesale. If it gets them wrong, the cost will fall hardest on the domestic founders the law was supposed to make competitive.
The principle — that consent should mean consent — is one we support without reservation. The work now is to write the rules in a way that vindicates the principle without strangling the experimentation that makes the open internet worth protecting.