In an increasingly digital world, society today is growing around technology that tends to collect and process a large amount of data. As the younger section of society grows up around such technology, the vulnerabilities associated with the collection and processing of personal data of children or persons with a disability have become a matter of concern. Recognising these vulnerabilities and the need to ensure responsible and beneficial processing of data, the Digital Data Protection Act, 2023 (DPDPA) establishes strict regulations for responsible processing of such data. A key component of these regulations is the requirement for verifiable parental consent before processing children’s data, along with the prohibition of behavioural monitoring and tracking, subject to certain exemptions.
The DPDPAenacted in August 2023 is the cornerstone of India’s evolving data privacy and protection landscape. Following its enactment, on January 3rd 2025, to supplement and provide clarity to the DPDPA, the Ministry of Electronics and Information Technology (MeiTY) released the Draft Digital Personal Data Protection Rules, 2025 (Draft DPDP Rules) for public feedback, open until February 18th 2025 on the MyGov Portal. The DPDPA and DPDP Rules, together establish a comprehensive framework for data governance and data protection in India.
In this blog, we will explore the concept of verifiable parental consent and exemptions provided under the DPDP framework with specific reference to the recently rolled-out Draft DPDP Rules.
Understanding Verifiable Parental Consent
The requirement for obtaining verifiable parental consent before processing the personal data of a child or person with a disability is mandated under Section 9(1) of the DPDPA. Verifiable parental consent in this case includes the consent of any lawful guardian (when applicable) of the concerned data principal.
Rule 10 of the Draft DPDP Rules imposes an obligation on the data fiduciary to adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent or lawful guardian is obtained before any personal data of a child is processed. Due diligence must be observed to verify the identity and age of the person consenting on behalf of the child as a parent or guardian. It is necessary for the person giving consent to be an adult (a person over the age of 18 years) and identifiable. Rule 10 further states that this verification or due diligence can be done by referring to any of the following:
- Details of age and identity that are already available with the data fiduciary and are reliable
- Details of identity and age that is voluntarily provided by the person identifying as the parent. This also includes a virtual token, mapped to the individual’s details, that has been issued by the central or state government or any legally authorised entity. The Rule specifically refers to details or tokens verified and provided by an authorised Digital Locker service provider.
The illustration under Rule 10 provides cases or scenarios to better explain this provision. For example, C is a child and P is her parent. A social media user account of C is to be created by the Data Fiduciary (a platform), called DF, which requires the processing of C’s data. In such a situation, if P is an existing user of the platform, DF can allow P to identify herself through the platform and inform DF that she is a registered user of the platform and has previously provided details on her identity and age to DF while creating her account. DF can then confirm the reliability of P’s age and identity through this information before processing C’s data.
Similarly, in cases where the data fiduciary obtains consent from a lawful guardian for the processing of the data of a person with disability, the fiduciary is obligated to verify that such person was actually appointed as the lawful guardian by a court of law, authority designated under Section 15 of the Rights of Persons with Disabilities Act, 2016 or a local committee established under Section 13 of the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 in accordance with the relevant guardianship law.
Exemptions
Rule 11 of the Draft DPDP Rules, read with the Fourth Schedule exempts certain classes of Data Fiduciaries and processing activities from complying with the requirement of verifiable parental consent under Section 9(1) and the prohibition of behavioural tracking or targeted advertisements directed towards children under Section 9(3) of the DPDPA. Let’s decode the Fourth Schedule below-
Class of Data Fiduciaries Exempted (4th Schedule – Part A)
- Healthcare-related data fiduciaries: Any data fiduciary that is a clinical establishment, mental health establishment or healthcare professional is exempted provided that the processing of data by the data fiduciary is restricted to the provision of necessary health-related services to the child.
Additionally, data fiduciaries who are allied with healthcare professionals and process data only for the purpose of supporting the implementation of any necessary treatment or plan as prescribed by the healthcare professional are also exempted.
- Educational Institutions: Educational institutions are exempted from the prohibition of processing of data for behavioural monitoring or tracking as long as they process such data solely for fulfilling the educational purposes of the institution and in the interest of the safety of the child.
- Crèches or Child Day Care Centres: Any individual data fiduciary who is entrusted with the care of an infant or child in a crèche or daycare centre is permitted to process data for behavioural monitoring if it is absolutely necessary for the safety of the infant or child.
- Transport of Children in Crèches, Educational Institutions or Child Day Care Centres: Any individual data who has been engaged by a crèche, Educational Institution or Child Day Care Centre for the purpose of transporting children to and from such institutions is permitted to track the location of children during the course of their travel to and from the institutions to ensure their safety.
Data Processing Activities/ Purposes Exempted (4th Schedule – Part B)
- Exercise of powers or duties in the child’s interest: If the processing of data is restricted to what is necessary for the exercise of powers or fulfilment of certain duties or functions in the interest of the child as required by any law in force in India, such processing activity is exempted.
- Provision of subsidies, benefits or services (legitimate use): The necessary processing of a child’s personal data for the purpose of providing any subsidy, benefit, service, certificate, license, permit or any other such service that is considered a legitimate use under Section 7 (b) of the DPDPA for the benefit of the child is exempted.
- Creation of Account: Processing of children’s data for the purpose of creating an email user account for communication is exempted.
- Protecting Well-being of Child: Processing restricted to preventing access to information that is harmful or detrimental to the well-being of a child is exempted.
- Age Verification: Processing limited to confirming that the data principal is not a child in accordance with the due diligence requirement under Rule 10 is exempted.
Practical Implications and Best Practices
The DPDPA and Draft DPDP Rules impose key responsibilities on organizations to protect personal data, particularly for children and persons with disabilities. To ensure compliance, businesses should implement the following best practices:
- Verifiable Parental Consent Mechanism: Take proactive steps to implement a clear, user-friendly and comprehensive mechanism for obtaining verifiable parental consent in a manner that works best with the processing activities carried out by your organisation and ensures compliance with the law. Using reliable tools for verification will also enhance the efficiency of the process.
- Ensuring Compliance in Exempted Scenarios: In the case of healthcare services, educational institutions, childcare services and other such exempted scenarios, it is essential to ensure that the conditions of processing are complied with. The processing of data must be limited to the purpose of providing healthcare services, educational services to children or ensuring safety as specified in the Rules. The concepts of data minimisation and purpose limitation are crucial in this scenario.
- Safeguarding The Well-Being of Children: It is crucial to ensure that data processing includes protections against harmful content and that adequate age verification is implemented to ensure only eligible individuals are targeted.
- Regular Audits and Monitoring: Regular audits and monitoring are essential to ensure that the practices of the organisation are compliant with the law. Regular collaboration with and consulting experts plays a crucial role in ensuring compliance.
Conclusion
The DPDPA and the Draft DPDP Rules introduce a crucial framework for the responsible processing of personal data, particularly for vulnerable populations such as children and persons with disabilities. The framework carries significant implications for businesses, as data fiduciaries who must carefully assess their data collection practices and ensure they implement the necessary safeguards, such as verifying parental consent and adhering to exemptions where applicable for the benefit of the business. By emphasizing verifiable parental consent and placing strict limits on behavioural monitoring and tracking, these regulations seek to protect sensitive data while ensuring its beneficial use. The exemptions outlined within the DPDP Rules offer flexibility for sectors like healthcare and education but also highlight the need for businesses to adopt robust data governance practices. It is time for organisations to evolve with the regulations, and stay vigilant and proactive in adapting their data processing practices to ensure compliance.
If you want to learn more about Privacy for Children in the DPDPA, you can read our blog here.
