I. Introduction
India’s Digital Personal Data Protection Act, 2023 (“DPDPA”) imposes enhanced obligations on businesses that process children’s personal data. This article provides an overview of these considerations.
II. Verifiable Parental Consent
A data fiduciary, defined as any person that determines the purpose and means of processing of personal data, may process any personal data of a child (an individual below 18 years of age) only upon obtaining prior verifiable consent of the parent or the lawful guardian of such child. The law does not presently clarify how such consent is to be verified. The central government is expected to provide such guidance upon the implementation of the DPDP Act 2023.
In the interim, businesses may adopt global best practices. In the European Union, the General Data Protection Regulation imposes a similar verification requirement and recommends a proportionate approach based on an assessment of risk associated with the processing, such as verification of parental responsibility via a parent’s email in low-risk cases and through phone or video calls in high-risk cases.
In the United States, the Federal Trade Commission has recognised certain methods for the verification of parental consent under the Children’s Online Privacy Protection Act, including requiring parents to a consent form, calling a toll-free number staffed by trained personnel, and answering a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer.
III. Additional Obligations for Children’s Data
Processing that is likely to cause any detrimental effect on the well-being of a child is prohibited under the new data protection law in India. Data fiduciaries may not undertake tracking or behavioural monitoring of children, or targeted advertising directed at children in line with privacy laws in India.
IV. Exemptions
Certain classes of data fiduciaries or processing for certain purposes may be exempted from the obligation of obtaining verifiable parental consent and the restriction on undertaking tracking, behavioural monitoring, or targeted advertising towards children.
Additionally, with respect to compliance with these two requirements, the age threshold may be lowered for certain data fiduciaries where the data processing is ‘verifiably safe’. We expect the central government to provide further clarity on the applicable standards.
V. Concerns
Under the DPDPA 2023, a child and their parents or guardians are each considered data principals with respect to the child’s personal data. This raises the practical question of whether the child may exercise their data principal rights independent of the authorisation or involvement of their parent or guardian.
Additionally, businesses may face practical hurdles in determining whether they are collecting data from a child where they do not rely on consent for processing. We recommend that user journeys feature a separate avenue for children when collecting personal data, regardless of the ground of processing.
Lastly, there is ambiguity regarding the scope of “targeted advertising”, which the Indian Data Protection Law differentiates from “behavioural monitoring”. Since these terms are undefined, the restriction on targeted advertising could also apply to processing of children’s personal data for purposes other than behavioural monitoring of children, and may cover all advertising targeted at children including via television and newsprint.
VI. Conclusion
Non-compliance with the requirements for the processing of children’s personal data may attract fines as high as INR 200 crores. In the absence of official guidelines, we recommend that businesses evaluate their consent journeys and processing purposes, and implement global best practices to ensure compliance with the data protection law in India.
