Decoding the Nuances of Verifiable Parental Consent under the DPDPA


Understanding Verifiable Parental Consent under India’s Digital Personal Data Protection Act (DPDPA), 2023 is essential for safeguarding children's data. The Act mandates lawful processing, purpose limitation, data minimization, and accountability, with a key provision requiring verifiable parental consent for processing minors' personal data. 

This article, authored by Jeswin Sabu, explores the legal framework, challenges, and best practices for compliance. It has been reviewed by Neeru Walia, Director - Data Privacy at Nagarro, and Ambarish Kumar Singh, CISO at Godrej Enterprises Group (GEG), ensuring expert insights into this crucial aspect of data privacy.

Introduction 

India’s Digital Personal Data Protection Act (DPDPA), enacted in 2023, establishes a comprehensive framework designed to safeguard personal data. The key principles include lawful processing, purpose limitation, data minimization, and accountability. A pivotal provision within the Act focuses on protecting children’s data, mandating verifiable parental consent for processing personal data of minors.  

In today’s world where children’s online exposure significantly influences their growth, character development and wellbeing, and where they are particularly vulnerable to exploitation and data misuse, introducing an element of parental control over their digital exposure is a commendable step.  

This article aims to analyse the legislative framework and practical implications of verifiable parental consent as introduced by the DPDPA.  

Key Provisions on Children’s Data in the DPDPA 

First, let’s try to understand the legislative framework of verifiable parental consent by analysing certain key provisions in the DPDPA. 

  • Definition of a Child:  

The Act defines a “child” as an individual under the age of 18, aligning with India’s general age of majority [Section 2(f)]. Notably, the age threshold for parental consent in India is higher than in the General Data Protection Regulation (GDPR) of Europe and the Children’s Online Privacy Protection Act (COPPA) in the U.S.

  • Verifiable Parental Consent:  

The Act mandates that Data Fiduciaries (entities processing data) obtain verifiable consent from the parent or the lawful guardian before processing data of a child or a person with disability. [Section 9(1)] 

  • Prohibition on Harmful Practices:  

The Act bars tracking, targeted advertising, or any processing likely to harm a child’s well-being. [Section 9(2), 9(3)] 

  • Fines for non-compliance: Entities may face fines up to Rs 200 Crore for breaching these obligations concerning children's data. 

    These provisions underscore the importance of children's privacy and safety in digital spaces, with severe penalties for violations. 

While the Act establishes the significance of obtaining Verifiable Parental Consent (VPC), it provides limited guidance on the practical implementation. The draft rules released by the Ministry of Electronics and Information Technology on January 3rd offer further clarification, placing specific obligations on Data Fiduciaries processing children’s data. 

Obligations on Data Fiduciaries 

The draft DPDP rules are currently at the public consultation stage, but they give digital platforms guidance for framing their privacy policies. Rule 10 places two key obligations on Data Fiduciaries when they process the data of a child:

  • Adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before processing a child’s personal data. 

  • Exercise due diligence to confirm that the person providing consent is the child’s parent or legal guardian, and that the parent or guardian is identifiable.  


    These obligations supplement the general consent requirements under the DPDPA. Keeping these obligations in mind, let's envision how the process of obtaining parental consent will work in practice.

Practical Implications 

According to the rules, to obtain valid verifiable consent, Data Fiduciaries must first verify whether the person accessing their services is a child. If so, the identity and age of the child’s parent must be validated. Upon verification, a verifiable, traceable consent must be obtained from that parent.

This may require Data Fiduciaries to verify the age of every single user before processing their personal data, in order to determine whether they are children. The Act thus implies a wider scale and scope of data collection. The more data is collected, the more must be protected. Processing more parental data will increase the authenticity of the parental consent obtained; consequently, it also increases the responsibility of Data Fiduciaries to ensure the security of the data collected.

The draft rules provide two methods for a Data Fiduciary to verify the age and identity of a parent:

  • Verification by reference to ‘reliable details’ available with the Data Fiduciaries (i.e., if the parent is a registered user of the Data Fiduciary’s services for which the child intends to register, the Data Fiduciary can use the age and identity details of the parent in its possession to verify the age and identity of such parent). 

  • Verification by reference to voluntarily provided age and identity details or virtual tokens, which are issued by government authorised entities mapped to those details - for example, DigiLocker. 

The illustration under Rule 10 provides scenarios to better explain this provision. For example, C is a child and P is her parent. A social media user account of C is to be created by the Data Fiduciary (a platform), called DF, which requires the processing of C’s data. Where C informs DF that she is a child, or P identifies herself as C’s parent, two cases arise:

  • If P is an existing user of the platform, DF can allow P to identify herself through the platform and inform DF that she is a registered user of the platform and has previously provided details on her identity and age to DF while creating her account. DF can then confirm the reliability of P’s age and identity through this information before processing C’s data.

  • If P is not a registered user on DF’s platform, then before processing C’s personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the same, check that P is an identifiable adult. P may voluntarily make such details available using the services of a Digital Locker service provider.

Similarly, in cases where the data fiduciary obtains consent from a lawful guardian for the processing of the data of a person with disability, the fiduciary is obligated to verify that such person was actually appointed as the lawful guardian by a court of law, authority designated under Section 15 of the Rights of Persons with Disabilities Act, 2016 or a local committee established under Section 13 of the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 in accordance with the relevant guardianship law. 

Exemptions  

Rule 11 also gives certain exceptions to the strict provisions related to children’s data. Schedule 4 lists certain classes of Data Fiduciaries and processing activities which are exempted from complying with the requirement of verifiable parental consent under Section 9(1) and the prohibition of behavioural tracking or targeted advertisements directed towards children under Section 9(3) of the DPDPA.   

These exemptions aim to strike a balance between protecting children's personal data and enabling necessary activities for their health, education, and safety. 

Class of Data Fiduciaries Exempted (4th Schedule – Part A)  

The processing of children's personal data by the following entities is permitted, but it is restricted to specific activities:

  • Healthcare-related data fiduciaries: A clinical establishment, mental health establishment or healthcare professional is exempted, provided that the processing of data by the data fiduciary is restricted to the provision of health services to the child, to the extent necessary for the protection of her health. Additionally, data fiduciaries who are allied healthcare professionals and process data only for the purpose of supporting the implementation of any necessary treatment or plan as prescribed by the healthcare professional are also exempted.


  • Educational institutions are exempted from the prohibition of processing of data for behavioural monitoring or tracking as long as they process such data solely for fulfilling the educational purposes of the institution and in the interest of the safety of the child enrolled there. 


  • Crèches or Child Day Care Centres: Any individual data fiduciary who is entrusted with the care of an infant or child in a crèche or daycare centre is permitted to process children’s data, but is restricted to tracking and behavioural monitoring in the interest of the safety of the children entrusted to them.


  • Transport of Children in Crèches, Educational Institutions or Child Day Care Centres: Any individual data fiduciary who has been engaged by a crèche, Educational Institution or Child Day Care Centre for the purpose of transporting children to and from such institutions is permitted to track the location of children during the course of their travel to and from the institutions to ensure their safety.

Data Processing Activities/ Purposes Exempted (4th Schedule – Part B) 

The exemptions also apply to certain specific purposes. In these cases, processing is restricted to what is necessary to perform the function, service, or duty, with an emphasis on protecting the child’s best interests.  

  • Exercise of powers or duties in the child’s interest: If the processing of data is restricted to what is necessary for the exercise of powers or fulfilment of certain duties or functions in the interest of the child as required by any law in force in India, such processing activity is exempted.  

  • Provision of subsidies, benefits or services (legitimate use): The necessary processing of a child’s personal data for the purpose of providing any subsidy, benefit, service, certificate, license, permit or any other such service that is considered a legitimate use under Section 7(b) of the DPDPA for the benefit of the child is exempted.

  • Creation of account: Processing of children’s data for the purpose of creating an email user account for communication is exempted. 

  • Preventing access to information: Processing restricted to preventing access to information that is harmful or detrimental to the well-being of a child is exempted. 

  • Age verification: Processing limited to confirming that the data principal is not a child in accordance with the due diligence requirement under Rule 10 is exempted. 

It is important for exempted Data Fiduciaries who are processing children’s data to make sure that such processing is restricted to the specific prescribed activities.

For example, a healthcare professional can process a child’s data only to provide health services to the child, to the extent necessary for the protection of her health. She cannot process such data to advertise for a pharmacy she is opening.

Best Practices for Organizations  

The DPDPA and Draft DPDP Rules impose key responsibilities on organizations to protect personal data, particularly for children and persons with disabilities. To ensure compliance, businesses should implement the following best practices: 

  • Comprehensive Privacy Policy: Create a comprehensive privacy policy that is easy to understand, detailing how children’s data will be used and protected.


  • Verifiable Parental Consent Mechanism: Take proactive steps to implement a clear, user-friendly and comprehensive mechanism for obtaining verifiable parental consent in a manner that works best with the processing activities carried out by your organisation and ensures compliance with the law. Use reliable tools for verification.


  • Strong Security Measures: To counter the increased exposure to data breaches and misuse while collecting parental IDs (e.g., Aadhaar, PAN), strong security measures should be employed by the Data Fiduciaries. Use encryption and other security measures to protect stored data from unauthorized access.


  • User-Friendly Consent Mechanisms: Design intuitive consent forms that cater to parents, guardians, and individuals with disabilities. Avoid overwhelming technical jargon and make the process simple and clear. Make it easy for parents to withdraw their consent at any time and ensure that their data is promptly deleted.

  • Regular Audits and Updates: Regularly audit consent processes to ensure they remain compliant with evolving regulations. Update consent records when necessary and ensure that parents, guardians, and individuals with disabilities can easily update or revoke consent. Regular collaboration and consultation with experts plays a crucial role in ensuring compliance.

  • Training and Awareness: Educate staff about the importance of parental consent and the processes involved in obtaining and managing it.


  • Data Minimization: Collect only the minimum amount of data necessary to achieve the intended purpose, thereby reducing the risk associated with data breaches and misuse. 


  • Data Anonymization: Where possible, anonymize data to protect children’s identities while still allowing for the necessary processing. 


  • Monitoring and Incident Response Plan: Implement systems to monitor data access and detect unusual activity that could indicate a security breach. Develop and regularly test an incident response plan to ensure a quick and effective response to any data breaches.


    Data Fiduciaries have to ensure that all age and parental consent verification systems adhere to proportionality, data minimisation, data accuracy and the other requirements of the DPDPA.

Age verification should align with purpose, audience, data, technology and risk, avoiding excessive use of facial recognition. Only necessary data for verification should be collected, and it must not be retained for other purposes, including commercial use. 

Data Fiduciaries also have to bring in creative solutions to obtain consent and ensure compliance without disrupting the user experience. Startups and small entities should focus on bringing in necessary technological upgrades to ensure compliance without draining their resources. 

By implementing these best practices and technological measures, Data Fiduciaries can not only ensure compliance with the DPDPA and Rules regarding parental consent but also foster consumer trust by demonstrating a strong commitment to protecting children’s privacy and personal data. 

A Comparative Analysis  

For Data Fiduciaries processing the data of children from different parts of the world, it is crucial to know how laws in different countries treat the data of children and what obligations they place on Data Fiduciaries. The table below gives a glimpse of how laws like the General Data Protection Regulation (GDPR) of Europe and the Children’s Online Privacy Protection Act (COPPA) of the U.S. handle Verifiable Parental Consent compared to India’s DPDPA.

| Act | Application | Age Threshold | Parental Consent Mechanisms |
|---|---|---|---|
| DPDPA (India) | All processing of personal data of children under 18 (with certain exemptions) | Under 18 (fixed threshold) | Mandated VPC with prescribed methods (Rules) |
| GDPR (Europe) | All processing of personal data of children below the set age | 13-16 (varies by EU member state) | "Reasonable efforts" to verify parental consent. No prescribed methods, but must be "proportionate". |
| COPPA (US) | Online service directed to children or knowingly collecting data of children | Under 13 (fixed threshold) | VPC required through explicit methods: signed forms, credit card verification, video calls, government ID check |

Conclusion 

The analysis of the DPDPA's provisions, combined with insights from the draft rules, highlights the multifaceted approach required for practical implementation. From adopting appropriate technical measures to verifying parental identities, Data Fiduciaries have to adhere to important compliance mandates. However, these obligations also present opportunities for innovation in privacy-enhancing technologies and age verification methods.  

As India navigates this new regulatory landscape, fostering a culture of privacy awareness and responsibility among stakeholders will be paramount. Emphasizing the importance of child safety and privacy could foster consumer trust and encourage brands to prioritize data protection as a core value. 
