New Draft Rules: Parental Consent Now Required for Children Under 18 to Join Social Media – What This Means for Privacy Protection

Introduction

In a significant step towards safeguarding children's privacy in the digital realm, the Government of India has released a draft of the Digital Personal Data Protection (DPDP) rules. A key provision in the draft mandates that children below the age of 18 will require parental consent to create social media accounts. This move is intended to enhance the protection of personal data and privacy for minors, a group that is increasingly active on digital platforms.

Background

As the digital landscape expands, children and teenagers are some of the most frequent users of online platforms, including social media, gaming, and e-commerce. According to a 2023 report by the Internet and Mobile Association of India (IAMAI), approximately 80% of Indian children between the ages of 13-18 are active on social media. However, this widespread use often comes with privacy risks. The DPDP Act, introduced in 2023, aims to regulate the processing of personal data and provides a robust legal framework for data protection in India. The draft rules further clarify the role of "data fiduciaries" (e-commerce, gaming, and social media platforms) in ensuring that parental consent is obtained before the personal data of children is collected or processed.

Rationale

The rationale behind these provisions lies in the growing concerns around children's data security. Research shows that children, while tech-savvy, often lack the maturity to understand the potential consequences of sharing personal information online. A study by the Data Privacy Foundation revealed that nearly 60% of parents are unaware of how their children are interacting with digital platforms, which increases the risk of data misuse. By introducing parental consent requirements, the government is aiming to put the onus of responsibility on both the platforms and parents to ensure children's online activities are monitored and protected.

Problem Statement

While the proposed rules offer significant protection, the draft does not specify any penal actions for violations. Without enforceable consequences, there are concerns about whether these provisions will be adhered to by all digital platforms, especially those operating globally, where compliance with local regulations can sometimes be overlooked. The absence of penalties might weaken the impact of these rules, making it harder to hold data fiduciaries accountable.

Why It Is Important

In India, over 500 million internet users, with a significant proportion being young individuals, are exposed to the risks associated with online data collection. According to the Ministry of Electronics and Information Technology (MeitY), the country’s digital footprint is expected to grow further, with youth being the major drivers of this growth. Protecting children’s personal data is therefore not just an ethical imperative but also a necessity to prevent potential harm such as exploitation, cyberbullying, identity theft, and the violation of privacy.

• The rule aims to protect children from exploitation and cyberbullying.
• It can help reduce impulsive and harmful usage patterns.
• It can encourage responsible digital habits.

How will the rule work?

• Parents or legal guardians will need to provide verifiable consent before a child's personal data is processed.?
• The child's age will be verified against a government-mandated ID or a token from a Digital Locker service provider.?

What Should Be Added / Suggestions

1. Penal Provisions: One of the major gaps in the draft rules is the lack of clear penalties for non-compliance. It is essential that strict penalties, including financial fines or suspension of services, be outlined for data fiduciaries that fail to obtain verifiable parental consent before processing children's data. This will ensure that platforms take the regulations seriously.
2. Age Verification Mechanisms: In addition to parental consent, it is crucial to integrate stronger age verification processes. This will help ensure that children do not bypass restrictions by misrepresenting their age. Age verification could involve linking user accounts to government-issued IDs or using biometric verification where feasible.
3. Parental Education and Awareness Campaigns: To ensure the effectiveness of the regulations, the government should initiate nationwide campaigns to educate parents about the importance of safeguarding their children's online privacy and how they can monitor their children's digital footprint. Research by the National Commission for Protection of Child Rights (NCPCR) has shown that a significant number of parents are unaware of the privacy risks their children face online.

Challenges

1. Implementation and Enforcement: Enforcing these rules across diverse digital platforms, especially global tech companies, can be challenging. There might be resistance from some platforms, particularly those with large user bases in India. The government will need to ensure a robust monitoring and enforcement mechanism is in place to tackle such challenges.
2. Technological Barriers: Implementing age verification and parental consent mechanisms could prove to be technologically challenging, particularly for small platforms that may not have the resources to comply with such stringent requirements. A standardized, cost-effective solution should be developed to ensure that all platforms, regardless of their size, can comply.
3. Parental Involvement: While the rules place responsibility on parents to grant consent, there is the challenge of ensuring that parents are actively involved in their children’s digital lives. Many parents are not well-versed in the digital landscape and may find it difficult to keep up with new trends in social media and online gaming platforms.

Way Forward

The government has opened the draft DPDP rules for public consultation, and stakeholders are encouraged to provide feedback and suggestions. This consultation process, which ends on February 18, 2025, provides a crucial opportunity for the public, tech companies, and privacy advocates to weigh in and improve the draft. After the consultation period, the final version of the rules will be drafted and implemented.

The way forward involves not only refining the rules based on public feedback but also setting up clear enforcement frameworks, including regulatory bodies to oversee implementation. These bodies should be empowered to ensure compliance, address grievances, and impose penalties for non-compliance. Moreover, there should be an emphasis on continuous education for both parents and children to raise awareness about online privacy and security.

In conclusion, while the DPDP draft rules mark a promising step towards protecting children's data privacy in India, comprehensive solutions addressing enforcement, technological barriers, and parental engagement will be essential for the success of these regulations.