(Vikram Jeet Singh & Arushi Mukherji)
MeitY notified the Draft Digital Personal Data Protection Rules, 2025 on January 3, 2025 (“Draft Rules”). While this may sound like a belated New Year’s present from the Ministry to lawyers, compliance professionals, and privacy law enthusiasts (like the author herself!), this development will trigger far-reaching changes.
For one, India’s new privacy law will change the way children in India interact with the online world.
You can read here our prior piece on ‘age-gating’ under the Digital Personal Data Protection Act, 2023 (“DPDPA”). With the notification of the Draft Rules, we now get additional insights into the regulator’s approach to this issue.
A Quick DPDPA Refresher
The DPDPA requires ‘data fiduciaries’ to undertake certain compliances for processing children’s (individuals under the age of 18) personal data. These include (i) obtaining verifiable consent from parents or lawful guardians; (ii) not undertaking processing likely to cause any detrimental effect on the well-being of a child; and (iii) not undertaking tracking or behavioural monitoring of children or targeted advertising directed at children.
4 Learnings on Age-Gating
#1 The ‘How’ of Verifiable Consent
The Draft Rules note that data fiduciaries must adopt ‘appropriate technical and organisational measures’ to ensure that ‘verifiable’ consent is obtained from a parent or lawful guardian of a child prior to processing the latter’s personal data. They are also required to carry out due diligence to confirm such parent or guardian’s identity. That said, there is no method or mechanism prescribed for age-gating, even under these Draft Rules. This suggests that the MeitY is likely leaning towards a technology-agnostic approach, where data fiduciaries can opt for any viable method to enable verification of a particular user’s age-status.
#2 Some Hints on (Reasonably) Verifying Age
The Draft Rules provide certain ‘illustrations’ for guidance when a user is a minor. A couple of these illustrations envision a child voluntarily declaring to the data fiduciary that they are a minor, and the data fiduciary subsequently undertaking due diligence to verify the identity and consent of that child’s parent. In another illustration, the parent of a child discloses the latter’s minority to the data fiduciary prior to processing the child’s personal data. In practice, then, it may transpire that data fiduciaries can take some ‘reasonable’ steps to verify the age of a user; for example, requiring a user to disclose their age at the time of creating a user account, accessing certain content, etc. That said, it is unclear how to account for instances where a child does not disclose their age-status.
#3 Verifying the Identity of a Parent or Guardian
In addition to obtaining verifiable consent, the Draft Rules also require data fiduciaries to undertake due diligence to ensure that the individual identifying themselves as a particular child’s parent / guardian is an adult. Much like the consent mechanism, the steps for carrying out due diligence are not mandated. The Draft Rules suggest that, for such due diligence, reference can be made via (i) reliable details of age and identity already available with a data fiduciary; (ii) details of age and identity provided voluntarily; or (iii) reliance on a virtual token indicating age and identity issued by an entity entrusted by law or the Government (this can include tokens verified and made available by a digital locker service provider).
#4 Exemptions to Processing Children’s Personal Data
The Draft Rules provide some notable exemptions when it comes to obtaining verifiable consent for the processing of children’s personal data. For one, certain categories of data fiduciaries such as clinical, mental health, and educational establishments, allied healthcare professionals, creches and day care facilities are exempt from these obligations. For this, the processing of a child’s data is to be strictly limited to healthcare, education, and safety uses that are essential for the child’s well-being and protection. This may hint at more exemptions possible in the future, based on purpose.
What Comes Next
The Draft Rules, like their parent law, take a less prescriptive approach to privacy compliances. MeitY has noted that the Draft Rules may undergo further refinement based on feedback and learnings from their implementation, particularly with respect to children’s personal data. It will be interesting to see the regulator’s response to such ‘growing pains’, and how the DPDPA Rules will finally look.
Bottom line: the one thing that is certain is that the Internet is changing for children, and businesses must catch up.
The Draft Rules are open for public consultation until February 18, 2025.