Big tech platforms are expected to engage with the government over the requirement of parental consent for processing children’s data under the Digital Personal Data Protection Act, 2023.
Sources indicate that this provision has given rise to serious concerns regarding potential “unintended consequences” affecting digital inclusion, privacy, and children’s safety.
Last week, the central government notified the law, mandating platforms to secure “verifiable consent” from a parent or legal guardian before processing personal data for users below the age of 18 years. This aspect of the legislation became one of the most debated subjects during the public consultations on the bill.
With the enactment of this clause, tech giants are planning to lobby for relaxations within the government’s rulebook, including guidance on implementation and potential exceptions.
A senior industry executive, speaking anonymously, expressed that “verifiable parental consent is one of the most worrying obligations. It might place the child and parent at significant risk. Requiring Indian users to submit identification documents to multiple apps, each with different security practices, is onerous. It’s an odd solution to the issue of safety and is an instance of overregulation.”
The law’s section that deals with children’s personal data also bans tracking or behavioural monitoring and targeted advertising aimed at children. The executive suggested that these restrictions might inadvertently hinder some child safety functions.
For example, certain social media platforms use behavioural data and AI models to prevent unknown adults from messaging children, thereby protecting minors from potential predators. An executive warned that a sweeping ban on monitoring could neutralize this safeguard. Moreover, he argued that blocking targeted advertising might expose children to irrelevant or inappropriate adverts.
He further commented, “Hundreds of millions of teenagers instruct their parents in computer usage. Restricting young people in this way is ill-conceived, particularly for girls who often face unequal access to Information Communication Technologies (ICTs). Overall, verifiable parental consent is an unsuitable method of regulating the internet.”
Another industry source raised concerns about the data collection required for parental consent: “It means accumulating vast amounts of personal data like ID proofs to confirm users’ ages and the parent-child relationship. This contradicts the fundamental goal of privacy laws, which is to minimise data.”
Google, Meta, and Amazon did not respond to email inquiries.
Aditi Jha, Director & Country Lead for Legal, Public Policy, and Economic Graph at LinkedIn India, stated, “We are committed to keeping our platform trusted and professional, and we respect the laws that govern us in the countries where we operate. Like any new legislation, we are assessing it to understand the impact on our members and business.”
During public consultations, several stakeholders called for reducing the minimum age for data processing consent to 16 years, aligning with regulations in other countries like the USA and UK, where individuals over 13 can provide consent. The government’s final bill included a clause potentially exempting certain platforms from this consent requirement.
However, Rajeev Chandrasekhar, Union Minister of State for Electronics and Information Technology, clarified that social media platforms would not be eligible for such an exemption.
The minister told Business Standard, “We have said if there are platforms that are focused on creating child-safe zones on the internet. None of the social media platforms will qualify for it because they don’t carry out any KYC; they don’t know who’s using their apps, and anonymous use is rampant.”
Concerns on children’s data clause:
Verification maximises data collection, risks for privacy
Likely to reduce digital access of girl children
Ban on monitoring may disable child safety functions
Children could be exposed to inappropriate ads
