MeitY may not prescribe tech measure for parental consent under data protection rules

Last year, as part of its internal deliberations on the data protection rules, the ministry was considering two ways to establish the relationship between children and their parents – one was to use parents’ DigiLocker app, which is based on their Aadhaar details, and the other is for the industry to create an electronic token system which will be allowed only if the government authorises it.

However, the ministry no longer thinks these solutions could be implemented at scale and is understood to have dropped the idea. The inability to arrive at a conclusive decision on how to proceed with the verifiable parental consent provision is the biggest reason behind the delay in releasing the data protection rules. Without the rules, the data protection Act can not be operationalised as it depends on at least 25 such provisions to implement the modalities of the Act.

With the government not prescribing a set technical measure for the consent framework, India would follow global regulations where a particular technology is not specified for gathering the consent of a child’s parents or guardians.

The Digital Personal Data Protection Act, 2023 requires tech companies to develop a consent framework to verify a child’s age (people below the age of 18) and gather their parents’ consent before they can use an online service. This has been a major sticking point for the industry since the Act itself does not suggest ways in which platforms can perform age-gating.

During the meeting, tech companies also asked the ministry for concessions on the provision which prohibits them from behavioural tracking of children and showing them targeted advertisements, it is learnt.

Globally, privacy legislations have not prescribed a technology to gather verifiable parental consent, and have left it to data collectors to use relevant technology through which such consent can be gathered.

For instance, the United States’ Children’s Online Privacy Protection Act (COPPA) does not mandate the method a company must use to get parental consent. Instead, it says that an operator must choose a method “reasonably designed” in light of available technology to ensure that the person giving the consent is the child’s parent.

The COPPA, however, has prescribed some basic standards that any technological measure to gather a child’s parent’s consent should adhere to. These include signing a consent form and sending it back to them via fax, mail, or electronic scan; using a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder; calling a toll-free number staffed by trained personnel; connecting to trained personnel via a video conference; or verifying a picture of a driver’s licence or other photo ID submitted by the parent and then comparing that photo to a second photo submitted by the parent, using facial recognition technology, among others.

The European Union’s General Data Protection Regulation (GDPR) – considered to be among the strictest privacy laws globally – on the other hand, requires data collectors to make “reasonable efforts” using available technology to verify that consent provided on behalf of a child under the age of 13 has, in fact, been provided by the holder of parental responsibility for that child.