Introduction
On 3rd January 2025, the Central Government notified the draft of the long-awaited Digital Personal Data Protection Rules, 2025 (hereafter “Draft Rules”), which will operationalise the provisions of the Digital Personal Data Protection Act, 2023 (hereafter “the Act”). The Central Government has invited all stakeholders to submit comments on the Draft Rules until 18th February 2025. The Draft Rules specify the compliance requirements for Data Fiduciaries, including the manner of the consent notice detailing the nature, purpose, and scope of collection of personal data; the need to obtain verifiable consent, especially for processing children's personal data; the registration of consent managers and their obligations; and restrictions on cross-border data transfers, among others.
In today’s digital world, safeguarding a child’s personal data has become a critical concern worldwide. Children, due to their age and lack of awareness, are particularly vulnerable to exploitation and misuse of their data online. Currently, even Google and YouTube are facing class action suits regarding the violation of their users’ data privacy, particularly children’s.[1]
Various jurisdictions have implemented strict compliance measures to ensure additional protection for children’s digital data, notably through the European Union’s General Data Protection Regulation (“GDPR”) and the United States’ Children’s Online Privacy Protection Act (“COPPA”). In line with this, the Act has introduced the requirement of verifiable consent from parents and imposes restrictions on the tracking and behavioural monitoring of children. These provisions have now been operationalised by the notification of the Draft Rules. Key aspects of the processing of children's personal data, particularly the requirement for prior verifiable parental consent and the exemptions from it, have been further clarified in the Draft Rules and are discussed below.
The ‘Verifiable Consent’
Section 9 of the Act requires Data Fiduciaries to obtain the verifiable consent of the parent of a child (defined as an individual who has not attained the age of 18 years[1]) before processing any personal data of such child. Corresponding to this section, Rule 10 of the Draft Rules provides further guidance on what constitutes ‘verifiable consent’ and the manner in which it is to be obtained. Specifically, the Rule states that Data Fiduciaries shall adopt appropriate technical and organisational measures to obtain such verifiable consent of the parent. The Rule also requires Data Fiduciaries to exercise due diligence in checking that the individual identifying themselves as the parent is an adult who is identifiable, if required, by reference either to reliable details of identity and age already available with the Data Fiduciary, or to voluntarily provided details of identity and age, or a virtual token mapped to those details, issued by an entity entrusted by law or by the Government, such as a Digital Locker service provider.
Under this Rule, to obtain a valid verifiable consent, a Data Fiduciary must first determine whether the person accessing its services is a child. If so, the identity and age of the child’s parent must be verified. Only after that verification can a verifiable, traceable consent be obtained from such parent. It is crucial to note that this requirement under Rule 10 of the Draft Rules is in addition to the general consent obligations under Section 6 of the Act and Rule 3 of the Draft Rules.
The obligation under this Rule may prove onerous for Data Fiduciaries, since in practice it may require them to establish the age of every user before processing their personal data. Additionally, the Rule's applicability is unclear, as it appears limited to cases where users actively declare themselves as children or parents, and such self-declarations may not be reliable. Further, the manner in which Data Fiduciaries can verify the authenticity of the relationship between a parent and a child remains ambiguous.
What are the appropriate technical and organisational measures to obtain a ‘verifiable consent’?
The Draft Rules provide for two methods by which Data Fiduciaries can verify the age and identity of a parent who is consenting on behalf of a child. The intent behind verifying a parent’s age and identity is to ensure that the consent is being given by a responsible adult.[1] Without this verification, a child could misrepresent themselves as a parent through a mere self-declaration in order to access a particular platform.
Turning to the two methods of verifying the age and identity of a parent: the first is verification by reference to ‘reliable details’ already available with the Data Fiduciary (i.e., if the parent is a registered user of the Data Fiduciary’s services for which the child intends to register, the Data Fiduciary can use the age and identity details of the parent in its possession to verify that parent’s age and identity). The second is verification by reference to voluntarily provided age and identity details, or to a virtual token mapped to those details and issued by a Government-authorised entity, for example DigiLocker.
Rule 10(b) suggests the use of virtual tokens issued by an entity entrusted by law or by the Government. This is perhaps the first time anywhere that such a privacy-protective way of handling the movement of personal data has been proposed in a data protection rule. However, the drafting of Rule 10(b) is unclear, since it appears to contemplate the Data Principal providing identity and age proof directly to the Data Fiduciary; the privacy benefit of a token depends on the Data Fiduciary receiving only an attestation of age (and, where needed, identity) rather than the underlying documents, which the present drafting does not make explicit. We can only hope that the Government-owned databases on which such tokens depend are secure and access-controlled.[1]
While verification through a virtual token issued by a DigiLocker service provider or a similar platform seems dependable, the term “reliable details”, which has not been clearly defined, could lead to ambiguities and inconsistencies. One of the illustrations in the Draft Rules treats the details provided by a parent during their own account registration as “reliable details”. However, such details are self-asserted and can often be inaccurate or false, as platforms typically require only an email address for registration, which does nothing to establish the age or identity of the account holder.
Comparatively, the United States’ COPPA sets out several methods through which verifiable parental consent may be obtained by an operator, which include:
- requesting the parent to sign a consent form and return it by post, fax or electronic scan;
- requesting the parent to call a toll-free number to confirm consent and verify their identity with trained personnel;
- connecting with the parent via video conference with trained personnel to confirm consent and verify identity;
- requesting a photo of the parent and comparing it with the government-issued ID submitted by them using facial recognition technology, after which the ID is deleted;
- verifying the identity of the parent against a government database;
- carrying out a monetary transaction using a credit card, debit card or other online payment system of the parent, with notification of the transaction sent to the primary account holder;
- asking a series of knowledge-based challenge questions that only the parent would be able to answer.
These methods, however, may not be effective if transplanted into the Indian ecosystem, given factors such as varying levels of digital literacy and the additional compliance burden that handling financial or identity information would entail. Nonetheless, inspiration can be drawn from COPPA to develop explicit standards that give businesses clarity on what will satisfy the verifiable consent requirement.
Additionally, regulating the processing of a child's personal data could have been more efficient if it were based on an assessment of whether a platform is specifically designed for children, coupled with appropriate age-gating mechanisms, rather than mandating age verification for virtually every online business, which may have significant financial and operational implications for such Data Fiduciaries. Notably, COPPA adopts a platform-centric approach: its strict compliance burdens fall on services directed toward children under 13, or on operators that have actual knowledge that they are collecting personal information from such children, rather than on every online service. This is a model the Draft Rules could consider for a more balanced regulatory framework.[1]
Exemptions from ‘verifiable consent’
Rule 11 of the Draft Rules provides for instances where processing of personal data of a child by certain classes of Data Fiduciaries or for certain purposes is exempted from the obligation to obtain verifiable parental consent, as well as from the restrictions on tracking, behavioural monitoring, and targeted advertising directed at children.
These exemptions are not absolute and are subject to the conditions set out in the Fourth Schedule to the Draft Rules. For example, a clinical establishment, mental health establishment or healthcare professional is exempted only to the extent that the processing of a child’s personal data is restricted to the provision of health services to the child. Similarly, an educational institution, day care centre or caretaker of a child is exempted only where the tracking and behavioural monitoring of the child, including tracking of the child’s location, is in the interests or for the safety of the child.
Further, the Draft Rules permit the processing of a child’s personal data without verifiable consent for the performance of any function or discharge of any duty in the interests of the child under any law, and for the creation of a user account that is used solely for communicating by email. Tracking and behavioural monitoring of a child are permitted for ensuring that information likely to have a detrimental effect on the well-being of the child is not accessible to the child, and for confirming that a user is not a child and observing the due diligence required under Rule 10. As mentioned earlier, each of these exemptions is limited to the specific purpose for which it is granted, so as to prevent misuse, maintain safeguards that protect the child’s privacy, and avoid any activity that would be detrimental[1] to the child.
However, it is pertinent to note that Data Fiduciaries relying on any of these exemptions remain bound by all other obligations relating to the processing of personal data under the Act and the Draft Rules.
NovoJuris’ Observations:
While the notification of the Draft Rules is a positive step towards a comprehensive data protection framework, several gaps remain that need to be addressed to provide clarity to businesses. Key aspects, such as how a parent's identity and age and the parent-child relationship are to be verified, and the criteria for claiming exemptions, require further refinement to avoid ambiguity.
On a positive note, the Minister of Electronics and Information Technology, Mr. Ashwini Vaishnaw, stated during a press conference on 7th January 2025 that the Draft Rules will continue to evolve so that children can access various platforms safely while being protected from digital harms and risks, using evolving technologies including identity tokenisation.[1] While the future of digital data privacy for children seems promising, compliance remains a significant challenge for businesses handling children's data.