India has taken a major step towards protecting individual privacy rights with Presidential assent to the Digital Personal Data Protection Act, 2023 (DPDPA), which had already passed both chambers of Parliament. The Puttaswamy Judgements of the Supreme Court provide the backbone of this historic piece of legislation, which sets out to establish the limits of the right to privacy in the digital age. Children’s privacy and consent are crucial issues in today’s rapidly developing digital world. This article examines the nuances of children’s data protection under the DPDPA and provides a global comparative perspective.
Consent and Minors
An earlier consultation version of the Digital Personal Data Protection Bill, 2022 established the age of majority as 18 and placed severe prohibitions on a variety of behaviours. After more than 20,000 consultation submissions and numerous in-person talks, however, it became clear that this approach needed modification.
With young people using digital technologies so widely, offering products and services geared towards younger consumers is no longer a luxury. Services in the fields of education, entertainment, and mental health have found it practicable and vital to focus on children. It is common practice in India to require parental or guardian permission for any connection involving a minor. The Act maintains this perspective, considering anyone younger than 18 to be a child.
Children’s Consent in the Act
In alignment with the Draft, the Act mandates verifiable consent from a parent or legal guardian for processing personal data related to a child. Notably, the Act goes further by requiring data fiduciaries to obtain verifiable consent from parents or guardians before processing personal data of persons with disabilities under the care of a guardian.
In a bid to introduce flexibility, the Act allows the government to:
- Provide exemptions for specific classes of data fiduciaries or purposes.
- Lower the age requirement for mandatory parental consent for certain safe processing.
A Balancing Act
The Act designates parents and legal guardians as “data principals” for their children, potentially replacing the child’s autonomy with that of the parent. While this is common for handling minors’ data, it introduces challenges when the interests of parents and children diverge.
While the Act prohibits processing that may detrimentally affect a child’s well-being, it refrains from explicitly defining harm. This cautious stance prompts data fiduciaries to act responsibly and anticipate potential detrimental effects of their processing activities.
Processing Limitations
The Act lacks a precise definition of injury, in contrast to the Draft. It mandates a fiduciary approach from data handlers and forbids processing that could compromise a child’s safety.
Targeted advertising to minors and the tracking or monitoring of their behaviour are also prohibited by the Act. However, these rules can be modified to allow for age-appropriate material and marketing.
The Way Forward
By taking into account industries that serve or sell to children, the Digital Personal Data Protection Act’s approach to children’s data protection is a step in the right direction. The Act recognises the need to accommodate the young population through its provisions for exemptions and for diluting safeguards.
While the Act itself may not give all the answers that are needed, rulemaking, decisions by the Data Protection Board, and frequently asked questions (FAQs) may. Adherence to the guidelines will be critical for businesses and organisations handling children’s data to ensure compliance and maintain data integrity.
In conclusion, India’s Digital Personal Data Protection Act is a major step forward in protecting the privacy and safety of children’s online activities. The Act’s multifaceted approach sets the stage for a more secure and accountable digital ecosystem in the years to come.