Notes

Parental consent: Uncertain over tech, MeitY reaches out to industry

Contact Counsellor

Last Updated19/07/2024

Unable to narrow down on a conclusive technological intervention to allow tech companies gathering parental consent before processing children’s personal data, the IT Ministry has reached out to the industry for inputs on how the requirement can be implemented under the upcoming data protection rules.
The Digital Personal Data Protection Act, 2023 requires tech companies to develop a consent framework to verify a child’s age (people below the age of 18) and gather their parents’ consent before they can use an online service.
While the data protection Act has largely been welcomed by the industry for its relatively easy compliance structure, the provision on gathering verifiable parental consent has been the final thorn in the bush which has divided the industry and the government.

Last year, as part of its internal deliberations on the data protection rules, the ministry was considering two ways to establish the relationship between children and their parents – one was to use parents’ DigiLocker app, which is based on their Aadhaar details, and the other is for the industry to create an electronic token system which will be allowed only if the government authorizes it.
However, the ministry no longer thinks these solutions could be implemented at scale and is understood to have dropped the idea.
The inability to arrive at a conclusive decision on how to proceed with the verifiable parental consent provision is the biggest reason behind the delay in releasing the data protection rules. Without the rules, the data protection Act can not be operationalised as it depends on at least 25 such provisions to implement the modalities of the Act.
As per the data protection Act, some entities can be exempted from obtaining verifiable parental consent and age gating requirements including healthcare and educational institutions.
It is also understood some entities can be exempted from the norms on a restricted basis, that is, depending on the specific purpose for which they need to process a child’s data.

Globally, privacy legislations have not prescribed a technology to gather verifiable parental consent, and have left it to data collectors to use relevant technology through which such consent can be gathered.
For instance, the United States’ Children’s Online Privacy Protection Act (COPPA) does not mandate the method a company must use to get parental consent. Instead, it says that an operator must choose a method “reasonably designed” in light of available technology to ensure that the person giving the consent is the child’s parent.
The European Union’s General Data Protection Regulation (GDPR) – considered to be among the strictest privacy laws globally – on the other hand, requires data collectors to make “reasonable efforts” using available technology to verify that consent provided on behalf of a child under the age of 13 has, in fact, been provided by the holder of parental responsibility for that child.
In the event of a complaint, the law will consider whether a data collector has made reasonable efforts to verify that the data subject is old enough to provide their own consent, taking into account the risks inherent in the processing and the available technology.