In August this year, India replaced its decade-old set of data security rules with a new Digital Personal Data Protection Act, 2023 (“DPDP”). The erstwhile regulatory framework governing data protection in India was fairly archaic, with laws primarily outlining basic data security requirements. These rules did not, in particular, prescribe for any special treatment for processing children’s data.
DPDP Schema for Children’s Data
Unlike its predecessor, Section 9 of the DPDP is specifically devoted to the processing of children’s’ data. The first thing that (non-Indian) readers should note that a ‘child’ under DPDP, as under Indian law, is anyone below the age of 18 years. Unlike certain European and US regulations dealing with online safety, the age threshold in India is higher.
Section 9 itself requires a few compliances of a ‘data fiduciary’ dealing with children’s’ data:
before processing any personal data of a child, the data fiduciary should obtain verifiable consent of the parent or lawful guardian,
not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child, and
not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.
As with a number of items in the DPDP, the ‘where and how’ of compliance with Section 9 is not specified in any detail. It is expected that rules framed under the DPDP will provide clarity and guidance on how to comply. In the meantime, there remains a lack of clarity about what shape these requirements will take, and ultimately what impact these regulations will have on data fiduciaries and data processors’ businesses in India.
Age Gating – A Tech Conundrum
The debate around prohibiting children from accessing certain online resources is an old one, including in India. Leaving aside considerations of freedom of speech and education, from a service provider’s perspective there are considerable difficulties in implementing onerous age-gating requirements. Especially since the DPDP requires the determination of the age of a user before any data is collected, verifying the identity of users becomes a universal concern. This is important, since one of the larger monetary fines that can be levied under the DPDP is for breaching Section 9; this can lead to fines up to INR 200 crores (or USD 24 million).
Jurisprudence aside, age-gating is a thorny technical issue that is still awaiting the right solution. There are a few current approaches in the market that are worth going into:
Self-declaration: A checkbox or clickthrough is the current standard, though it is also very easily bypassed!
Biometrics: A number of mobile and portable computing devices have biometric sign-in capabilities, though their use for age-gating is not widespread.
Government Identity Cards/Databases: This method works by collecting an ID card issued by a 3rd party, usually a Government agency or department, to verify current age. The source can be (the picture of) a physical card, or even an online database that can be queried.
Age Verification Services: Service Providers as Allpasstrust and Jumio provide (paid or free) services to verify an users age, typically by accessing online databases of Government IDs or similar databases.
Facial Recognition Algorithms: Digital majors such as Facebook use facial recognition technology to determine if a user is under 18 years of age, for applications such as online dating or similar pursuits.
Browsing History Tracking: More experimentally, certain proposed age-gating systems would track a users’ online browsing history to infer their age, by using technology similar to cookies and tokens.
Each of these methods have their drawbacks, whether in terms of cost, scalability for a market like India (where ‘children’ will number in the hundreds of millions!), and even privacy concerns around tracking children using online means. Similarly, establishing a national database of children’s’ information that can be used for authentication comes with obvious drawbacks.
Lessons From Around the World
Predictably, the European Union is at the forefront of regulations around age gating, stemming from the need to protect children from harmful content. France has adopted the ‘Children Online Protection Lab Charter’ in 2022, aimed at addressing themes relevant to the improvement of digital environment for children such as appropriate age for accessing content. The United Kingdom’s Online Safety Bill requires the use of age verification or age estimation to prevent children accessing pornographic content. As a block, the EU Parliament has called for a robust age-gating framework, and has backed the EUConsent project aiming for pan-European, open-system, secure and certified interoperable age verification.
A US Congress Research Report on online age verification speaks of similar legislative efforts, including the proposed Kids Online Safety Act, as also state level efforts that target service providers providing pornographic content with liability (for example in Louisiana and Utah). But despite the plethora of legislations, most obligations are generic in the nature of requiring “reasonable age verification” procedures are put in place, without spelling out what these procedures will look like!
What’s Next
In summary, then, the world is still waiting for a technical solution for age-gating that works.
The DPDP may already have an idea up its sleeve, in the concept of a ‘Consent Manager’. Under Section 6 (7) through (9) of the DPDP, a Consent Manager is denoted as an intermediary through whom a data principal can give, manage, review, or withdraw her consent. The Consent Manager is to be regulated by the Government, under rules to be issued. This may be an opportune use-case for the Government to designate a Consent Manager (may be similar to a Allpasstrust), and subject to prescribed rules and procedures, to be the gatekeeper for children’s’ data.
The next few months will see a number of subordinate rules and regulations under the DPDP being formulated, and specified portions of the DPDP will be made operational in phases. It would be interesting to see how and when the age-gating provisions of the DPDP are brought into effect, and what mechanisms are put in place to ensure compliance.