The question raised in this study is how personal data should be protected and can solely be used for the commercial interests of one party, which is closely related to consumer protection. Specifically, it focuses on how Indonesian laws protect the abuse of personal data exchange, especially in peer-to-peer (P2P) lending platforms and how these laws compare with Malaysia’s. The results show that in Indonesia, there are no clear regulations on personal data protection in P2P lending; it is regulated by unclear protective treatments and no strict sanction regarding personal data protection. EIT Law, GR 82, MOCI Regulation 20, and FSA 77/2016 cannot guarantee the validity and reliability of personal data protection. Indonesia should learn from Malaysia, mainly from its Personal Data Protection Act (PDPA) which not only protects personal data but also imposes sanctions and has been implemented since 2013. Therefore, P2P lending platforms operating in Indonesia must be required to comply with Indonesian laws and regulations that are relevant to their activities, location, and legal structure.