<![CDATA[The digitalization of education, healthcare, and commercial platforms has intensified the collection of children's personal data, exposing vulnerabilities inadequately addressed by Indonesia's legal framework. This study critically analyzes the legal position of children's sensitive data under Law No. 27 of 2022 on Personal Data Protection, examining normative gaps, rights recovery mechanisms, and synchronization with international standards. Employing a normative legal research design, the study integrates statutory, conceptual, and functional comparative approaches, utilizing systematic-teleological interpretation, hierarchical synchronization analysis, and principle-based evaluation centered on the best interests of the child. The findings reveal that the Personal Data Protection Law constructs children's data protection generically, lacking a differentiated legal category, explicit digital consent age limits, and child-specific impact assessment obligations. Consequently, rights recovery mechanisms remain overly reliant on parental representation, which frequently fails to account for children's psychosocial vulnerabilities, and do not incorporate child-friendly breach notification or restorative rehabilitation protocols. Substantive misalignments persist with Article 16 of the Convention on the Rights of the Child and Article 8 of the GDPR, particularly regarding commercial profiling restrictions and privacy-by-design mandates. The study recommends derivative regulations establishing a digital consent age of 13–15 years, encrypted parental consent verification, mandatory Child Data Protection Impact Assessments, and a specialized supervisory directorate. Theoretically, this research reconstructs the doctrine of vulnerable data subjects; practically, it provides a policy roadmap for harmonizing regulations in EdTech, digital health, and public information system.]]>
