Navigating Children’s Privacy and Parental Consent Under The DPDP Act 2023

Navigating Children’s Privacy and Parental Consent Under The DPDP Act 2023

Towards a safe and enabling ecosystem for India’s young digital nagriks. 

Authors: Aparajita Bharti, Nikhil Iyer, Rhydhi Gupta, & Sidharth Deb

Published: November 2023

In August 2023, the Indian government enacted the landmark Digital Personal Data Protection Act, 2023 (“DPDP Act”) after six years of consultation. Section 9 of the DPDP Act is one of the act’s most notable provisions, and outlines a mechanism through which data fiduciaries (platforms, browsers, OS providers, etc.) can process the personal data of “children”. It requires all data fiduciaries to obtain ‘verifiable parental consent’ if they process data of users aged below 18 years. Any mechanism to fulfil this legal requirement must look to satisfy three elements:

– Verify the user’s age with reasonable accuracy,
– Ascertain the legitimacy of the relationship between the user and the parent or guardian, and
– Record evidence of their consent.

This paper delves into pathways via which Indian authorities can implement the required provision. It provides a summary of the global regulatory and technical experience with age verification, while drawing on insights from the ‘YLAC Digital Champions’ program that runs in schools across the country. Run by TQH’s citizen engagement arm Young Leaders for Active Citizenship (YLAC), the Digital Champions program engages with young adults between the ages of 13 and 18 around various facets of online safety, risks and potential threats on the internet, conscious consumption of information, and fostering a healthy and meaningful relationship with technology.

Both age verification and parental consent has been discussed extensively in other jurisdictions. It has been acknowledged widely that any regulation to safeguard children’s privacy requires balancing children and adolescent’s safety, whilst contending with the limitations and tradeoffs associated with available technical methods. Our research shows that hard verification mechanisms (i.e. based on documentary evidence using government IDs) which have been proposed across countries, encounter concerns and criticisms that they create inequity in internet access, inadvertently cause privacy concerns, and impose costs and other practical barriers to children’s access to online services and platforms. In India implementation will also have to navigate concerns around circumvention by children and the feasibility of verifying parental consent at scale. Further complications may arise owing to our gender digital divide, low digital literacy, linguistic heterogeneity, and shared device usage in low-income households.

Keeping this digital reality and our digital inclusion goals in mind, our recommendations propose that the Ministry of Electronics and Information Technology (MeitY) should avoid a prescriptive one-size-fits-all mandate of hard verification across all digital products and services. Instead, we urge authorities to suggest a list of methods that adequately fulfil the underlying objective of parental consent for most data fiduciaries. To give effect to this approach, we recommend that the Government of India pass rules which help develop a code of practice for age assurance that prescribes a range of mechanisms, corresponding to the level of risk involved in data processed by a particular data fiduciary. We envisage that this approach will enable India’s youth to meaningfully engage with the growing digital economy while keeping them safe online. Our proposals envisage a vital role for civil society, organisations working with children, academia and media in getting this regulatory framework right.

Relevant links:
1. Full research study
2. Presentation highlighting key issues
3. Short video introduction to the YLAC Digital Champions Program
4. Digital usage patterns – Findings from a children’s survey