Indonesia compliance guide
Indonesia's PDP Law (UU PDP) for Cold Outreach: What Sales Teams Must Know
Indonesia is Southeast Asia's largest economy, and since late 2022 it has had a comprehensive, GDPR-style data protection law: Law No. 27 of 2022 on Personal Data Protection, known as UU PDP. The two-year grace period has expired, the penalties on paper are serious, and yet the institutions meant to enforce the law are still being assembled. This guide explains what UU PDP requires, what its consent-centric design means for unsolicited B2B email, where enforcement actually stands in 2026, and how to prospect into Indonesia in a way that respects both the law and local business culture.
Last reviewed 11 June 2026 · This guide is general information, not legal advice.
What Law 27/2022 covers
UU PDP is Indonesia's first comprehensive data protection statute, modelled in large part on the GDPR. It regulates personal data, meaning data about an identified or identifiable individual, and applies to controllers and processors across the private and public sectors. It was signed on 17 October 2022 and gave organisations a two-year transition to comply.
Its reach is extraterritorial: the law applies to processing inside Indonesia and to processing outside Indonesia that has legal consequences in Indonesia or affects Indonesian data subjects. A Singapore-based team building lists of Jakarta prospects and emailing them is squarely the kind of offshore processing the drafters had in mind.
There is no carve-out for business contact information. Unlike Singapore's PDPA, which exempts work emails and job titles from the consent obligations, UU PDP treats a named individual's business email address as ordinary personal data. Data about a company, such as a corporate info@ inbox, is not personal data, which preserves a narrow company-level channel for B2B messaging.
The consent-centric basis, and what it means for cold email
Article 20 of UU PDP lists the lawful bases for processing: valid explicit consent, contractual necessity, legal obligation, vital interests, public interest tasks, and legitimate interest balanced against the data subject's rights. On paper this mirrors the GDPR's menu, but the law's centre of gravity is consent, which must be explicit, informed, specific to the purpose, and recorded in written or electronic form.
For unsolicited B2B email, that design is the problem. By definition you have no consent from a cold prospect, so the only candidate basis is legitimate interest. Unlike in Europe, where regulators have published guidance treating B2B direct marketing as a potential legitimate interest, Indonesia has issued no equivalent guidance, and the implementing rules that would flesh out the bases remain incomplete. A legitimate interest argument for targeted, role-relevant B2B outreach is reasonable, but it is untested.
The pragmatic reading for sales teams: cold email to named individuals in Indonesia sits in a grey zone resting on an untested legitimate interest argument, while messaging aimed at companies through corporate addresses sits outside the law entirely. Keep volumes low, targeting tight, identification honest, and opt-outs instant, so that your conduct looks like the balanced processing a legitimate interest claim describes.
The grace period is over. Enforcement is still warming up
UU PDP's two-year transition period ended on 17 October 2024. Since that date the law has been fully in force, and there is no further grace period: every obligation, from lawful basis to breach notification, is live.
The enforcement machinery is another story. The law requires the President to establish a dedicated data protection agency, the Lembaga PDP, and as at this guide's review date that agency still does not exist. A draft Presidential Regulation to create it was made public in early 2026 and awaits approval, with the government targeting agency operations during 2026. In the meantime, oversight sits with the Ministry of Communication and Digital Affairs, known as Komdigi, whose enforcement attention has gone overwhelmingly to data breaches and leaks rather than to marketing practices.
Do not read the institutional lag as a free pass. The criminal provisions of UU PDP can be enforced through ordinary police and prosecutors without waiting for the agency, complaints are accumulating, and once the Lembaga PDP stands up it will inherit a backlog and a mandate to show results. Teams building Indonesian pipeline now should build habits that survive the agency's arrival.
Penalties: administrative and criminal
UU PDP carries two tracks of sanctions. The administrative track covers controllers that breach their processing obligations: written warnings, temporary suspension of processing, deletion of data, and administrative fines of up to 2 per cent of annual revenue or income. The fine calculation weighs the duration and impact of the violation and the organisation's scale and capacity to pay.
The criminal track targets deliberate misconduct with personal data. Unlawfully collecting personal data to benefit yourself or another carries up to five years' imprisonment or a fine of up to IDR 5 billion; unlawfully disclosing carries up to four years or IDR 4 billion; unlawfully using personal data carries up to five years or IDR 5 billion; and falsifying personal data carries up to six years or IDR 6 billion.
Corporations face multiplied exposure: fines of up to ten times the stated maximums, plus additional sanctions including seizure of proceeds, suspension or permanent closure of business activities, licence revocation, and dissolution. Buying scraped Indonesian consumer data is the scenario that maps most directly onto the unlawful collection offence, which is a strong reason to interrogate any data vendor's sourcing before you import a list.
Prospecting into Indonesia in practice
Indonesian business culture is formal and hierarchical, and outreach that ignores this fails before any legal question arises. Address prospects as Pak (for men) or Ibu (for women) followed by their first name, even in email: Pak Budi, Ibu Sari. Titles and seniority matter, decisions move upward, and a brusque, hyper-direct Western template reads as rude rather than efficient.
Language is a targeting decision. Senior executives at multinationals, banks, and tech companies in Jakarta generally read English comfortably, and English signals an international offer. For mid-market and regional companies, Bahasa Indonesia dramatically improves response rates and shows respect. The strongest pattern is a properly written Bahasa Indonesia email for local-market segments and English for multinational ones; machine-translated hybrids impress no one.
Channel norms differ too. WhatsApp dominates Indonesian business communication, but a cold WhatsApp message to a personal number is intrusive and, because a personal mobile number is personal data processed without consent, legally weaker than email. Use email or LinkedIn to open, and move to WhatsApp once the prospect offers their number. Expect relationship building to take longer than in Singapore, and budget your sequences accordingly.
A checklist for outreach into Indonesia
These habits keep an outbound programme aligned with UU PDP and with how Indonesian prospects actually buy.
- Target named individuals only where the message is tightly relevant to their role; that relevance is the spine of any legitimate interest argument.
- Prefer corporate addresses and company-level messaging where they exist; company data is outside the law.
- Identify your company honestly in every send and include a working, instant opt-out.
- Honour every opt-out permanently and organisation-wide; consent withdrawn or objection raised ends the processing.
- Never buy scraped consumer lists; unlawful collection is a criminal offence with fines up to IDR 5 billion, multiplied tenfold for corporations.
- Record the source and lawful basis for every Indonesian contact in your CRM.
- Use Pak and Ibu, match language to segment, and open on email rather than WhatsApp.
- Watch for the Lembaga PDP becoming operational; expect guidance and early enforcement to follow quickly once it does.
Expanding into Indonesia?
HuntSales handles the mechanics that make outreach defensible: honest sender identity, instant opt-out suppression across your whole team, and a source record for every contact. Start with the Indonesia playbook.
Frequently asked
Is cold email legal in Indonesia?
It is a grey zone. UU PDP requires a lawful basis to process personal data, and a cold prospect has given no consent, so B2B cold email rests on the law's legitimate interest basis, which exists in Article 20 but has no implementing guidance or enforcement history yet. Targeted, role-relevant, low-volume outreach with honest identification and instant opt-outs is the defensible pattern. Emailing corporate addresses about company matters sits outside the law entirely.
Does UU PDP apply to companies outside Indonesia?
Yes. The law expressly applies to processing conducted outside Indonesia where it has legal consequences in Indonesia or affects Indonesian data subjects. A foreign sales team building and emailing lists of Indonesian prospects is within scope, regardless of where its CRM is hosted.
Is there a business contact information exception like Singapore's?
No. Singapore's PDPA expressly exempts business contact information such as work emails and job titles from its consent obligations. UU PDP has no equivalent: a named individual's work email is ordinary personal data and needs a lawful basis. Only data about the company itself, such as a corporate info@ inbox, falls outside the law.
Is there a data protection regulator in Indonesia yet?
Not a dedicated one, as at this guide's review date. The law requires a presidential regulation to establish the Lembaga PDP, and a draft was published in early 2026 and awaits approval, with operations targeted during 2026. In the interim, the Ministry of Communication and Digital Affairs (Komdigi) handles oversight, and criminal provisions can be enforced through police and prosecutors.
What are the penalties under UU PDP?
Administrative sanctions run from written warnings and suspension of processing up to fines of 2 per cent of annual revenue. Criminal offences carry up to four to six years' imprisonment and fines of IDR 4 billion to IDR 6 billion depending on the conduct, with unlawful collection and use at five years or IDR 5 billion. Corporations face fines of up to ten times those amounts plus sanctions including closure and dissolution.
Should I write to Indonesian prospects in English or Bahasa Indonesia?
Match the segment. Senior people at multinationals, banks, and tech firms in Jakarta read English comfortably and an English email signals an international offer. For mid-market and regional companies, well-written Bahasa Indonesia materially lifts response rates. Whichever language you choose, open with Pak or Ibu and keep the tone polite and formal; abrupt Western-style templates underperform.
Can I cold message Indonesian prospects on WhatsApp?
Avoid it as an opener. WhatsApp is the dominant business channel in Indonesia, but a cold message to a personal mobile number means processing personal data without consent and feels intrusive coming from a stranger. Open on email or LinkedIn, earn the conversation, and move to WhatsApp once the prospect shares their number.
Did the UU PDP grace period get extended?
No. The two-year transition ended on 17 October 2024 and the law has been fully in force since. What lags is the institutional setup: the dedicated supervisory agency is still being established and the implementing regulations remain incomplete, so enforcement to date has concentrated on data breaches rather than marketing. Compliance obligations themselves are live now.