On January 3, 2025, the Central government unveiled the draft of the Digital Personal Data Protection Rules, 2025 (hereafter “Draft Rules”), aimed at implementing the provisions of the Digital Personal Data Protection Act, 2023 (“the Act”). Stakeholders have been invited to provide feedback on the Draft Rules until February 18, 2025. These rules outline compliance requirements for Data Fiduciaries, such as the format of consent notices, obtaining verifiable consent—especially concerning children’s data, and regulating cross-border data transfers, among other stipulations.
Child Data Protection: A Global Concern
In the digital age, protecting children’s personal data has become increasingly crucial. Due to their age and lack of awareness, children are particularly vulnerable to data exploitation. Even tech giants like Google and YouTube are currently facing class action lawsuits over alleged breaches of children’s data privacy. Various regions, like the European Union’s General Data Protection Regulation (GDPR) and the United States’ Children’s Online Privacy Protection Act (COPPA), have adopted stringent measures to safeguard children’s digital information. In line with this, the Act mandates verifiable parental consent and imposes restrictions on tracking and monitoring children’s behavior.
Understanding ‘Verifiable Consent’
Section 9 of the Act obligates Data Fiduciaries to secure verifiable consent from the parent of a child, defined as anyone under 18 years [Section 2(f) of the Act], before processing their data. Rule 10 of the Draft Rules further elaborates on what constitutes ‘verifiable consent’ and the process for obtaining it. Specifically, it requires Data Fiduciaries to use technical and organizational measures to ensure parental consent. This includes verifying the parent’s identity using available identity details or virtual tokens from government-authorized entities.
Challenges and Methods of Verification
Under Rule 10, Data Fiduciaries must confirm whether a user is a child and, if so, validate the parent’s identity and age. This additional requirement could burden Data Fiduciaries, as they may need to verify every user’s age before processing their data. The Rule’s applicability seems limited to users who openly identify themselves as children or parents, which may not always be reliable. Additionally, verifying the parent-child relationship remains unclear.
The Draft Rules suggest two methods for verifying a consenting parent’s age and identity: using reliable details from the Data Fiduciary’s records or virtual tokens issued by authorized entities like Digi Locker. However, the term “reliable details” lacks a clear definition, potentially leading to inconsistencies.
Exemptions and Comparisons
Rule 11 of the Draft Rules outlines exemptions where verifiable parental consent is not required, such as in healthcare or educational settings, provided the data processing serves specific purposes like health services. These exemptions are not absolute and must adhere to conditions listed in the Fourth Schedule of the Draft Rules. Data Fiduciaries claiming these exemptions are still required to comply with other obligations under the Act.
In comparison, COPPA in the U.S. offers various standards for obtaining verifiable consent, such as submitting a signed form, phone verification, and video conferencing. However, these methods might not be feasible in India due to digital literacy challenges.
Conclusion and Future Outlook
While the Draft Rules represent progress towards comprehensive data protection, gaps remain that need addressing to provide clarity for businesses. Verification of parental identity, relationship with the child, and criteria for exemptions require further refinement. Union Minister of Electronics and Information Technology, Mr. Ashwini Vaishnaw, assured that the Draft Rules would evolve to protect children from digital risks using advanced technologies like identity tokenization. As the landscape of children’s digital data privacy appears promising, businesses face the significant challenge of complying with these evolving laws effectively.
About the Authors: Namrata Dubey is a Senior Associate, and Jay Datta is an Associate at NovoJuris Legal. Sharda Balaji is the Managing Partner of the firm.
