Parental consent required for kids on social platforms.
On January 3, the Ministry of Electronics and Information Technology (MeitY) in India notified the draft rules under the Digital Personal Data Protection Act, 2023, inviting public comments. These new rules are designed to enhance the protection of personal data, particularly that of children, and introduce significant changes to the way data is handled by companies in sectors such as social media, e-commerce, and gaming.
One of the key provisions of the draft rules is the requirement for parental consent before any personal data of children can be processed by data-fiduciaries. Data-fiduciaries refer to entities like social media platforms, online gaming sites, e-commerce companies, and any other platforms that collect or process personal data. This provision aims to ensure that children’s privacy is better safeguarded, especially in the context of growing concerns about the exploitation of their data.
The rules emphasize that data-fiduciaries must take appropriate technical and organizational measures to ensure that the consent they obtain is verifiable. This means that before processing the personal data of children, platforms must verify that the person providing consent is indeed the child’s parent or guardian. The rules also stress the importance of checking that the individual claiming to be the parent is an adult and can be identified if required by law. This is intended to avoid any potential misuse of the consent mechanism.
The draft rules provide specific guidelines on how this parental consent process should work. For instance, if a child (referred to as “C” in the rules) informs a data-fiduciary (“DF”) that they are underage, the platform must enable the child’s parent to verify their identity. The parent would also need to confirm that they are a registered user of the platform and that they have previously provided their identity and age details.
Before the platform can create a user account for the child and begin processing their personal data, the data-fiduciary must check that it holds reliable identity and age information for the parent. This ensures that the platform complies with the law, protecting children from unauthorized access to their personal data while maintaining transparency about who is responsible for giving consent.
The implementation of this draft rule marks a significant step in addressing privacy concerns regarding children’s data in the digital era. As children are increasingly using digital platforms, from social media to online games, their data is being collected, shared, and analyzed by various companies. This heightened focus on obtaining parental consent reflects the growing importance of protecting children’s digital privacy.
The rules also align with international data protection standards, such as the European Union’s General Data Protection Regulation (GDPR), which similarly places restrictions on how children’s data can be processed. By mandating parental consent and verifying the identity of the parents, India is taking a more robust approach to securing children’s personal data in an increasingly connected world.
The draft rules are now open for public comments, allowing stakeholders, including tech companies, privacy advocates, and the general public, to provide feedback before the rules are finalized. This process will help ensure that the regulations are effective and practical, balancing the need for data protection with the realities of digital engagement. The Ministry of Electronics and Information Technology will review the feedback before moving forward with implementing the rules.