021-7997973 | Hotline 08111211504

The Legality of Cookie Tracking in Indonesia

30 June 2026inNEWS
Share
Legality of Cookie Tracking in Indonesia

When accessing a website, users are often presented with a notification requesting consent to use cookies. Some people may immediately click the “agree” button without understanding the function or consequences of the data being collected. Behind this activity, there is actually a digital tracking mechanism that records various pieces of information about user behavior while browsing the internet.

In today’s digital economy, the use of tracking cookies has become a common practice among businesses to improve service effectiveness, understand consumer preferences, and support digital marketing strategies. Nevertheless, the use of this technology must, of course, comply with applicable laws and regulations, as it is closely related to the protection of an individual’s personal data. The question is: what is the legal status of tracking cookies in Indonesia?

 

Understanding Tracking Cookies

 

A cookie is a small text file stored on a user’s device when they visit a website. As demand for analyzing user behavior when accessing digital services has grown, the use of tracking cookies has become a mechanism widely adopted by website operators. 

Tracking cookies are a type of cookie used to collect, store, and monitor user activity while browsing the internet, whether on a single site or across multiple different sites. The information collected includes browsing history, pages visited, user preferences, location, and interactions with displayed ads. This data is then processed by the website owner or a third party to build a profile of the user’s behavior. Generally, there are four types of cookies used, including:

  1. Session cookies, which are active only while the user is accessing the website and are automatically deleted once the browser is closed.
  2. Persistent cookies, which remain stored on the user’s device for a certain period of time.
  3. First-party cookies, which are created directly by the website the user is visiting.
  4. Third-party cookies, which are created by third parties, such as digital advertising services and data analytics providers.

Each type of cookie has different functions and characteristics that support website operations. However, the use of cookies can also have a significant impact on the user experience and pose certain risks to security and the protection of personal data, raising the question: How do cookies affect the user experience and data security?

Read also : Legalitas Cookie Tracking di Indonesia

 

The Impact of Cookies on User Experience and Data Security

 

For internet users, cookies can provide a more convenient experience when browsing websites. For example, users do not need to repeatedly enter their account information when accessing the same website. Moreover, websites can also display recommendations for products, articles, or services tailored to users’ needs. 

Although they offer tangible benefits, the use of tracking cookies also poses several risks to personal data. The more data that is collected, the greater the potential for misuse of information if it is not managed responsibly. These risks include data breaches, digital identity theft, user profiling without consent, and the use of data for commercial purposes unknown to the data subject. 

In addition, third-party cookies that allow other parties to track user activity across various websites also warrant attention, as they can increase the risk of privacy violations, especially if the collection and use of user data are not accompanied by adequate transparency.

Given these considerations, the principle of transparency is essential in the use of cookies. In this regard, users must be provided with clear information regarding the types of data collected, the purposes of data processing, the retention period, and the parties receiving the data. Therefore, an understanding of the limits on cookie usage and its legal consequences is necessary to ensure that the processing of personal data remains transparent, secure, and in compliance with Indonesian law.

Read also : Doxing in the Digital Age: Types, Impacts, and Legal Consequences

 

Limitations on the Use of Tracking Cookies and Legal Consequences for Personal Data Protection

 

In Indonesia, there are still no specific regulations that explicitly govern tracking cookies. However, the legality of cookie use can be analyzed through several provisions governing personal data protection and the operation of electronic systems.

When browsing a website, cookies generally request prior consent from users by offering a choice: whether to allow the use of cookies or to reject them. When a user agrees, the website will collect and process the necessary information; however, the opposite also applies, meaning that if a user refuses data collection, the website is obligated to respect that decision and limit data collection.

Essentially, an individual’s personal data is of critical importance and is protected by Indonesian laws and regulations, particularly under Law No. 27 of 2022 on Personal Data Protection (“PDP Law”). Article 1(1) of the PDP Law states that:

“Personal Data is data about an individual who is identified or can be identified, either individually or in combination with other information, either directly or indirectly, through electronic or non-electronic systems.” 

Furthermore, the PDP Law classifies personal data into specific and general categories. Essentially, device information, browsing activity, and user preferences, including personal data combined to identify an individual, fall under the category of general personal data. 

In addition to being regulated under the PDP Law, regulations regarding the consent of the data subject for the use of tracking cookies are also outlined in Law No. 11 of 2008 on Electronic Information and Transactions, as last amended by Law No. 1 of 2024 (“ITE Law”), specifically through Article 26(1), which states that:

“Unless otherwise provided by laws and regulations, the use of any information via electronic media concerning an individual’s personal data must be carried out with the consent of the individual concerned.” 

This means that the collection of a person’s personal data must be carried out with the consent of the person concerned. Otherwise, such an act constitutes a violation of the law and may result in criminal penalties of up to 6 years’ imprisonment and/or a fine of up to Rp1 billion, as stipulated in Article 45(1) of the ITE Law. 

Furthermore, Article 15(1) of the ITE Law also provides for the obligations of electronic system operators, including website administrators who use tracking cookies, to ensure that the systems they use operate securely, reliably, and responsibly, including in collecting, storing, and protecting user data from the risk of misuse or unauthorized access. Therefore, the use of tracking cookies must be accompanied by the application of the principles of transparency, user consent, and personal data protection to ensure that everyone’s right to privacy is upheld.

Tracking cookies are a legal practice in Indonesia as long as they are used in accordance with applicable laws and regulations, specifically the PDP Law and ITE Law. Although technology could enhance the user experience and help businesses to develop their digital services, its use must obey the principles of transparency, valid consent, and personal data security. Thus, striking a balance between technological innovation and the protection of the public’s privacy rights is a critical factor in creating a safe and responsible digital ecosystem.***

 

Regulations:

  • Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi (“UU PDP”).
  • Undang-Undang Nomor 11 Tahun 2008 tentang Informasi dan Transaksi Elektronik sebagaimana diubah terakhir dengan Undang-Undang Nomor 1 Tahun 2024 (“UU ITE”).

 

References:

  • What Are Tracking Cookies? How They Work & How to Block. CookieYes. (Diakses pada 17 Juni 2026 Pukul 14.40 WIB).
  • Cookie Types Explained: Session vs Persistent Storage Methods. ComplyDog. (Diakses pada 17 Juni 2026 Pukul 15.12 WIB).
  • Understanding Tracking Cookies: What They Are and How to Manage Them. IUBendabyTeamblue. (Diakses pada 17 Juni 2026 Pukul 15.39 WIB).
  • Hermawan, S. D. (2025). Cookies dan Privasi: Seberapa Aman Data Pengguna Ditangan Website?. Researchgate.net [Online]. (Diakses pada 17 Juni 2026 Pukul 16.07 WIB).

About Author

Akmal

Akmal

Written by Akmal, part of the SIP Law Firm team delivering insights and updates on the latest legal developments.

Read Profile →

More on this category

We are here to help

Get in touch now to let us know how we can help you. Connect with our LinkedIn and subscribe to our newsletter to stay updated with our latest updates.

Contact Us
Connect on LinkedIn