India’s New Digital Privacy Rules Require Parents’ Consent for Children’s Social Media Accounts
New Delhi, 6th January 2025: Under the draft rules for the Digital Personal Data Protection (DPDP) Act released late Friday by the Ministry of Electronics and Information Technology, children will not face age-gating to join social media platforms in India, but those under the age of 18 must obtain “verifiable consent” from their parents.
The new rules, which apply to data fiduciaries including e-commerce, social media, and gaming platforms, stipulate that these platforms can process children’s personal data only after a parent provides the necessary consent and submits relevant documents issued by authorized entities.
The draft also includes restrictions on the transfer of certain types of personal data outside India, in line with recommendations from a government-formed committee. “A significant data fiduciary shall implement measures to ensure that personal data, as specified by the central government, is processed with the restriction that the personal data and traffic data relating to its flow are not transferred outside India,” the rules state.
This provision is expected to raise concerns among major social media and tech companies such as Meta, Google, Apple, Amazon, and Flipkart, who may voice opposition during the public consultation period.
The Ministry is inviting stakeholder feedback on the draft rules until February 18. Social media giants, in particular, have been waiting to understand the government’s stance on age restrictions and data processing for children.
The draft specifies that the personal data of children or individuals with disabilities, who have a lawful guardian, can only be processed with “verifiable consent” from the parent or guardian. The rules require data fiduciaries to take “appropriate technical and organizational measures” to ensure that consent is properly verified.
According to the draft, the data fiduciary must ensure that the parent is an identifiable adult, using reliable identification and age verification methods. This could involve using identity details already available with the data fiduciary or voluntary submission of documents like age and identity details from the parent. One possible option for verifying this information is through a Digital Locker service provider, which can issue a virtual token mapped to the parent’s identity.
The draft outlines a scenario to clarify the process: “If a child (C) informs the Data Fiduciary (DF) that she is a child, the DF will enable the parent (P) to identify herself through appropriate means on the DF’s website or app. If the parent is not already a registered user, the DF will ensure that the parent provides verifiable identity details, either through the services of a Digital Locker or other official government sources, before processing the child’s personal data.”
The term ‘Digital Locker service provider’ refers to intermediaries, including agencies or bodies corporate authorized by the government, who maintain identity details in accordance with the rules under the Information Technology Act, 2000.
These changes are expected to impact a wide range of online platforms, particularly those targeting younger audiences, as the government seeks to establish stricter safeguards around the personal data of children.