New Delhi:
In a significant move to enhance data privacy, the Indian government has released draft rules under the Digital Personal Data Protection Act, 2023, which require social media platforms and other online services to obtain verifiable parental consent before processing the personal data of children. This development, announced on Friday, sets a new standard for protecting the digital rights of minors in India.
The draft Digital Personal Data Protection Rules, 2025, emphasize the importance of parental consent for children under 18 who wish to open social media accounts or use other online services. Data Fiduciaries, entities responsible for determining the purpose and means of processing personal data, must adopt stringent measures to ensure that parents’ consent is obtained and verified.
To implement this, the draft rules outline several scenarios where a child (C) seeks to create a user account on an online platform operated by a Data Fiduciary (DF). For instance, if a child informs the Data Fiduciary that she is a minor, the DF must enable the parent (P) to identify herself through the platform. The parent’s identity and age details must be verified either through previously registered information on the platform or by referencing identity and age details issued by a government-authorized entity or a virtual token mapped to the same.
The rules also specify that Data Fiduciaries must ensure due diligence in verifying the parent’s identity. This can be done through various means, including using services from a Digital Locker service provider. The draft rules provide four detailed scenarios to guide Data Fiduciaries in obtaining and verifying parental consent, ensuring that the process is robust and compliant with the new regulations.
The public has been invited to provide feedback on these draft rules until February 18, 2025. This period allows stakeholders to comment and suggest improvements before the rules are finalized and implemented. The Ministry of Electronics and Information Technology (MeitY) has made the draft rules available on its website, along with explanatory notes to facilitate understanding and ease of feedback submission.
In addition to the parental consent requirements, the draft rules mandate other significant data protection measures. These include the deletion of inactive user data after three years and the reporting of data breaches within 72 hours. Data Fiduciaries must also inform users about data breaches in a clear and concise manner, providing details such as the nature, extent, and impact of the breach, as well as the remedial measures being taken.
The Digital Personal Data Protection Act, 2023, which received presidential assent on August 11, 2023, aims to provide comprehensive protection for personal data in India. The Act and its accompanying rules are designed to ensure that individuals’ rights are respected and that data processing activities are conducted in a transparent and secure manner.
