含羞草社区

The comprehensive regime to protect personal data, including those of children, introduced by 含羞草社区 new data protection law, the , but not yet in force, has sparked fervent debate and discussion among industry stakeholders. The legislation requires data fiduciaries, being those who determine the means and manner in which personal data is processed, to obtain verifiable consent from a parent or guardian before handling a child’s data.

The DPDPA prohibits data fiduciaries from undertaking any processing that is likely to have a detrimental effect on a child. It forbids tracking, behavioural monitoring and targeted advertising directed at children. The DPDPA allows the government to exempt certain classes of data fiduciaries from these requirements for specific purposes. The government could also possibly lower the age of consent if data fiduciaries are seen to process data in a verifiably safe manner.

Requirements under the DPDPA for the processing of children’s personal data apply to all organisations, irrespective of whether they actively process children’s data. Therefore, even an organisation that has no intention of processing or inadvertently processes a child’s data will have to comply with the arguably vague standards applicable to the protection of children’s data.

The standards of and means for obtaining verifiable consent are not currently defined. In the absence of guidance, organisations are likely to interpret and adopt verifiable consent standards that do not incur significant costs and do not necessitate major changes to their UI, UX and user journeys. Companies that choose to follow a higher standard of verifiable consent may need to get written confirmation of a parent’s or guardian’s consent. They may also need to authenticate the relationship between the user and the parent or guardian through, for instance, a penny drop method.

Recommendations suggested by industry stakeholders have included using , or one-time electronic tokens to verify age and establish the parent-child relationship. However, these methods may pose operational challenges and have significant limitations. Identifying the appropriate parent or guardian to whom consent requests should be sent is sometimes impractical because of the often outdated and incomplete nature of existing identification records that frequently include only the father’s details.

The prohibition on tracking and monitoring the behaviour of children also presents significant challenges. Without the ability to gather data on user behaviour, companies may struggle to tailor their services and products effectively, undermining their marketing strategies. This could result in a loss of revenue and may reduce engagement with younger audiences.

Another peculiar aspect of this law is that organisations will necessarily have to process children’s data even during the stage of verifying whether the user is a child. However, the only way by which a child’s data may be processed under this law is through consent. The government will have to provide clarity or provide an exception for verification of the user’s age.

Further, the interaction between the DPDPA and established principles of contract law concerning minors remains to be seen. As minors lack the legal capacity to enter into contracts in India, any government decision to notify or lower the age of consent under the DPDPA could raise significant questions about the validity of consent given by minors.

The lack of clarity surrounding verifiable consent, coupled with restrictions and impositions on data processing, will likely hinder businesses’ ability to effectively engage with younger users. As the government faces the practical challenges arising from these complexities, it will need to provide clear guidelines and pragmatic solutions that balance the need for child protection with the commercial realities of the digital economy.

Ada Shaharbanu is a senior associate and Sean McDonald is an associate at Spice Route Legal.