By Astha Bhumish Shah 

The enactment of the Digital Personal Data Protection Act, 2023 (DPDPA) has brought about a much-needed change to the Digital landscape of the country. Amongst several compliances, a significant compliance that needs to be undertaken relates to governance of personal data of children and persons with disabilities. The DPDPA describes ‘child’ as an individual who has not completed the age of 18 years. Section 9 of the DPDPA prescribes added responsibilities for processing personal data of children or persons with disabilities. The data fiduciaries processing personal data relating to children or persons with disabilities shall have to obtain 

verifiable consent of the parent/guardian of such data principal in the manner prescribed. Any processing that is likely to cause any detrimental effect on the well-being of the child is prohibited. Further, tracking, behavioral monitoring and advertisements targeted on children is also restricted under the DPDPA. However, the government is empowered to exempt certain categories of data fiduciaries or classify certain specified purposes that will be exempt from the requirement of obtaining verifiable parental consent. The government can also exempt entities from the restrictions on tracking, behavioral monitoring and targeted advertising towards children, by way of notification. Further, the Central Government can, on a case-by-case basis, determine if the processing activity of a data fiduciary is ‘verifiably safe’, and exempt such fiduciary from the consent, targeting, behavioral monitoring and targeted advertising of children. 

However, these changes bring with itself a whole new set of complexities with respect to its implementation owing to the nature of harm that could be caused to children due to processing of their data. The following are some of the challenges that have been identified –  

• Companies often encounter the challenge of meeting the threshold for obtaining verifiable parental consent while balancing the risks involved in such processing. Assessing the risk involved in processing children’s personal data, which requires higher verification and compliance standards, is a complex task due to the broad nature of the prescribed restrictions. 

• Companies are further perplexed about filtering their users based on age or disabilities. This becomes more problematic because monitoring children is not allowed under the provisions of the DPDPA. Without monitoring, it becomes difficult for fiduciaries to profile these children and filter content that is appropriate for them. 

• The level of diligence required for fiduciaries to confirm whether their users are children or persons with disabilities adds an extra burden for companies that do not regularly handle child personal data but incidentally process it, such as e-commerce platforms. Conversely, entities that frequently deal with child personal data, such as those in gaming, ed-tech, and healthcare, face higher compliance costs and greater risks for non-compliance. 

• Since many jurisdictions categorize data relating to children as sensitive in nature, it is possible for the government to classify entities that primarily deal in children’s personal data to be categorized as “significant data fiduciaries”. This would entail higher compliance mandates for such fiduciaries. 

• Section 9 of the DPDPA requires fiduciaries to obtain parental consent before processing any personal data of children or persons with disabilities. This implies that all forms of data processing involving children need parental consent. Stakeholders might be confused about relying on ‘legitimate use’ grounds, as this could defeat its purpose, especially when parental consent is impractical for legal obligations, disaster management, court orders, or medical emergencies. Therefore, fiduciaries must carefully determine the grounds for processing child personal data. 

• A major issue for data fiduciaries is verifying an authentic guardianship relationship before obtaining consent to process a child’s personal data, especially given varying guardianship laws. Additional proof of guardianship complicates compliance with the data minimization principle. Balancing data minimization with lawful data protection becomes challenging due to the excess authorizations and documentation required for verifiable parental consent. 

The requirement of obtaining verifiable parental consent spans across multiple jurisdictions that have data protection laws in place. Practices followed by them can, therefore, act as a guidance for data fiduciaries in India. The General Data Protection Regulations, 2016 (GDPR) requires controllers to make reasonable efforts to verify parental consent using available technology. The level of verification should correspond to the risk involved in processing children’s personal data. For low-risk cases, email verification may suffice, while high-risk cases may require additional proof, such as government IDs or a €0.01 authentication via the parent’s bank account. Alternatives should be provided to avoid discrimination against those without bank accounts. Companies might also use multi-factor authentication for higher-risk situations. Controllers must justify their reasonable efforts to obtain valid parental consent, acknowledging the challenges in doing so. Additionally, consent renewal may be needed when the child reaches the age of majority. 

In South Korea, personal information controllers must obtain and verify consent from a child’s legal representative. This can be done by confirming consent via a mobile text message, receiving the legal representative’s credit or debit card information, verifying their identity through their mobile phone, sending a consent form via email or fax and having the representative sign or respond with consent, or obtaining consent through a phone call, specified email, or web address. The Singapore Personal Data Protection Act (PDPA), 2012, lacks specific provisions for processing child personal data but requires that data collection, use, or disclosure be for purposes considered appropriate by a reasonable person or based on consent. The Personal Data Protection Commission (PDPC) views child personal data as sensitive and has issued guidelines categorizing children into two groups: under 13 years and 13 to 17 years. The latter can consent if privacy policies are understandable. The PDPC supports age assurance methods and profile creation to determine age, provided this adheres to data minimization principles and is limited to specified purposes. 

Entities have faced significant penalties for non-compliance with children’s data processing requirements. For instance, TikTok was fined €750,000 by the Dutch Data Protection Authority, €14,500,000 by the English authority, and €345,000,000 by the Irish authority for failing to meet these requirements. In Sweden, the Secondary Education Board of Skelleftea Municipality was fined SEK 200,000 for misusing facial recognition technology to track children’s attendance. Under the DPDPA in India, non-compliance with children’s data processing obligations can result in penalties of up to 200 crores (~$24 million USD). For multinational companies, this means potential penalties in multiple jurisdictions if non-compliance is discovered. Therefore, it is crucial for entities to either comply with children’s data processing regulations or ensure they do not process such data. 

Click here to read more.