Font size:
Print
Parental Consent in Digital Personal Data Protection Act, 2023
Context:
The industry has welcomed the DPDP Act for its easy compliance structure, but the provision for gathering verifiable parental consent has created a divide between the industry and the government.
Digital Personal Data Protection Act, 2023 (DPDP Act):
- It is India’s legal framework to protect individuals’ personal data and ensure data sharing only with consent.
- It regulates digital data processing and outlines provisions to safeguard privacy in the digital age.
- It is based on seven principles:
-
-
- Consented, lawful, and transparent use of personal data.
- Purpose limitation (using data only for the specified purpose).
- Data minimization (collecting only necessary data).
- Data accuracy (ensuring data is correct and updated).
- Storage limitation (storing data only as long as needed).
- Reasonable security safeguards.
- Accountability (adjudicating breaches and imposing penalties).
-
- It applies to processing of digital personal data within India, whether collected online or offline and digitised later.
-
- It also covers data processing outside India if it involves offering goods or services within India.
-
- The act provides that a data fiduciary (determining purpose and means of processing personal data) may process a child’s (under 18) data only with prior verifiable consent from the parent or guardian.
- Exemptions:
-
-
- Certain entities like healthcare and educational institutions may be exempt from obtaining verifiable parental consent.
- Other entities might be exempt on a restricted basis, depending on the specific purpose of processing a child’s data.
-
Challenges in Implementing Verifiable Parental Consent:
- The Act requires tech companies to verify a child’s age (people below the age of 18) and obtain parental consent before processing their personal data.
- However, the Act does not suggest ways for platforms to perform age-gating and reliably establish the relationship between a child and their parents.
- This became a challenge for the Ministry of Electronics and Information Technology, as it has been unable to narrow down on a conclusive technological intervention to implement this requirement.
- The ministry considered using parents’ DigiLocker app (based on Aadhaar details) or an industry-created electronic token system for this purpose.
- However, the ministry no longer believes these solutions can be implemented at scale and has dropped the ideas.
Way Forward:
- Justice B.N. The Srikrishna Committee on a Data Protection Framework for India stated that consent is a pre-condition for processing personal data.
- For vulnerable groups like children and for sensitive personal data, law should provide adequate protection, requiring explicit consent for sensitive information.
- Economic Survey 2018-19 emphasised the importance of data as a critical resource in the modern economy, comparing it to oil in the digital age.
- It recommends utilising technological advances to eliminate all privacy concerns.
Global Approaches to Verifiable Parental Consent
- The U.S. Children’s Online Privacy Protection Act (COPPA) provides a list of acceptable methods, such as signed consent forms, online payment systems, and facial recognition.
- The EU’s General Data Protection Regulation (GDPR) requires data collectors to make “reasonable efforts” using available technology to verify parental consent, considering the risks and available technology.