Parental Consent Needed For Children To Join Social Media, Gaming Platforms : Proposal In Draft Digital Personal Protection Rules

The Ministry of Electronics and Information Technology on Friday (January 3) notified the draft rules under the Digital Personal Data Protection Act 2023 for public comments.

The draft, among others, proposes to mandate parental consent for data-fiduciaries to process the personal data of children. Data-fiduciaries include social media intermediaries, e-commerce companies, gaming platforms etc.

The rules state : 

"A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India, by reference to—

(a) reliable details of identity and age available with the Data Fiduciary; or

(b) voluntarily provided details of identity and age or a virtual token mapped to the same, which is issued by an entity entrusted by law or the Central Government or a State Government with the maintenance of such details or a person appointed or permitted by such entity for such issuance, and includes such details or token verified and made available by a Digital Locker service provider."

The rules give out the following illustrations:

C is a child, P is her parent, and DF is a Data Fiduciary. A user account of C is sought to be created on the online platform of DF, by processing the personal data of C.

Case 1: C informs DF that she is a child. DF shall enable C's parent to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she is a registered user on DF's platform and has previously made available her identity and age details to DF. Before processing C's personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P.

Case 2: C informs DF that she is a child. DF shall enable C's parent to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she herself is not a registered user on DF's platform. Before processing C's personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the same, check that P is an identifiable adult. P may voluntarily make such details available using the services of a Digital Locker service provider.

Case 3: P identifies herself as C's parent and informs DF that she is a registered user on DF's platform and has previously made available her identity and age details to DF. Before processing C's personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P.

Case 4: P identifies herself as C's parent and informs DF that she herself is not a registered user on DF's platform. Before processing C's personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the same, check that P is an identifiable adult. P may voluntarily make such details available using the services of a Digital Locker service provider.

A Data Fiduciary, while obtaining verifiable consent from an individual identifying herself as the lawful guardian of a person with disability, shall observe due diligence to verify that such guardian is appointed by a court of law, a designated authority or a local level committee, under the law applicable to guardianship.

However, the mandate on parental consent are not applicable to data fiduciaries, who are health professionals, mental health professionals, or engaged by educational institutions.

Notice for consent

The rules also specify the contents of the notice to be given by data fiduciaries to obtain the informed consent of users(data principals) to process their personal data.   The notice should give, in clear and plain language, a fair account of the details necessary to enable the Data Principal to give specific and informed consent for the processing of her personal data, which shall include, at the minimum,—

(i) an itemised description of such personal data; and

(ii) the specified purpose of, and an itemised description of the goods or services to be provided or uses to be enabled by, such processing.

A communication link to withdraw consent should also be given.

Every Data Fiduciary shall prominently publish on its website or app, and mention in every response to a communication for the exercise of the rights of a Data Principal under the Act, the business contact information of the Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary the questions of the Data Principal about the processing of her personal data.

 Every Data Fiduciary and Consent Manager shall publish on its website or app, or both, as the case may be, the period under its grievance redressal system for responding to the grievances of Data Principals

Processing of personal data outside India subject to restrictions imposed by Govt

Transfer to any country or territory outside India of personal data processed by a Data Fiduciary—

(a) within the territory of India; or

(b) outside the territory of India in connection with any activity related to offering of goods or services to Data Principals within the territory of India, is subject to the restriction that the Data Fiduciary shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State.

Objections and suggestions to the draft rules can be submitted on the website of MyGov (https://mygov.in) by February 18.

Click here to read the draft