Child consent under DPDP Act

February 15, 2024

Summary

  • The Digital Personal Data Protection (DPDP) Act and its Draft Rules mandate verifiable parental or guardian consent for processing a child's personal data.
  • Verification of the user's age, the guardian's identity, and their legal relationship is required under the Act.
  • The Draft Rules provide clarity on acceptable methods, including government-backed systems like DigiLocker for identity verification and virtual tokens for secure consent.
  • Data processing for age verification purposes to confirm whether a user is a minor is explicitly permitted under the Rules.
  • The Rules explicitly prohibit processing activities detrimental to children's well-being, such as exposure to inappropriate content, tracking, behavioral monitoring, and targeted advertising.
  • Specific exemptions apply to healthcare providers, educational institutions, and public authorities when processing children’s data for essential purposes like health, education, or public welfare.

The Digital Personal Data Protection (DPDP) Act brings significant change to India’s data privacy regulations, focusing on enhancing individual control over personal data. It introduces the concept of verifiable consent, particularly emphasizing its importance for children and people with disabilities.

This is critical for businesses, as non-compliance with the DPDP Act can lead to penalties of up to ₹200 crore. The law mandates that the personal data of children under 18 can only be processed with explicit parental consent, and that this consent must be verified. Organisations must ensure that they are not processing the data of minors without verified parental consent.

What do the DPDP Draft Rules mean for child consent?

The DPDP Draft Rules outline compliance measures for handling children’s data.

  • Adopt appropriate technical and organizational measures to ensure that verifiable consent of the parent is obtained.
  • Exercise due diligence to verify that the individual identifying herself as the parent is an adult and identifiable. This verification can be done by reference to:
    • Reliable details of identity and age already available with the Data Fiduciary (e.g., if the parent is an existing registered user).
    • Voluntarily provided details of identity and age or a virtual token mapped to the same, which are issued by an entity entrusted by law or the Central/State Government with maintaining such details. This explicitly includes details or tokens verified and made available by a Digital Locker service provider.

What are the restrictions for processing children’s data?

The DPDP laws impose additional restrictions on the processing of children's data.

  • It prohibits data processing that could hurt a child's well-being, including exposure to inappropriate content or digital behaviors that could lead to harassment or identity theft.
  • The Draft Rules also place restrictions on tracking, monitoring, or targeting advertisements to children, ensuring a safer online environment.
  • While exceptions exist for certain data fiduciaries such as healthcare providers and educational institutions, these exemptions are limited to specific purposes, like child welfare or education.

What does this mean for businesses that deal with children’s data?

When it comes to compliance, businesses must focus on age verification and obtaining verifiable parental consent. The DPDP Draft Rules call for secure verification systems like DigiLocker’s Age Token and explore zero-knowledge proof methods, which safeguard personal data by only sharing necessary information.

Despite challenges in finding a universally effective age verification solution, businesses are expected to implement robust mechanisms to comply with these laws. The penalties for non-compliance could go up to Rs. 200 crore.

What comes next?

To navigate the complexities of children's data protection, businesses must invest in reliable age verification technologies and align their practices with regulatory frameworks. By prioritizing age verification and adhering to the DPDP Act, companies can protect children’s privacy while fostering a safe and innovative digital environment.

Future regulatory updates will likely provide further clarity on exemptions and technologies, but the ongoing collaboration between government agencies and the private sector will be key to ensuring the protection of children’s digital rights.
