Aadhaar-based consent for children to go online proposed in new data protection rules

At least 25 rules have to be formulated to operationalise the Act notified in August and the government has also been empowered to enact rules for any provision that it deems fit.

One of them is developing a consent framework to verify a child’s age before they can use an online service. The Act states that companies will need to gather “verifiable parental consent” for letting anyone under 18 years access their platform. This has been a major sticking point for the industry since the Act itself does not suggest ways in which platforms can perform age-gating.

The rules, it is learnt, are expected to recommend two methods. One is to use parents’ DigiLocker app, which is based on their Aadhaar details, and the other is for the industry to create an electronic token system which will be allowed only if the government authorises it.

Under the first, parents will be allowed to add their kids’ Aadhaar details to the DigiLocker platform and platforms would be able to ping the app to verify whether a person accessing their site is indeed a child.

“This would be Aadhaar-based authentication. The internet platforms will not know the Aadhaar details of the users. It is a simple yes/no response from the Aadhaar database on a user’s age, as simple as that,” said a senior government official, who did not wish to be named, since the rules are yet to be made public.

Under the electronic system, the industry will be able to develop a consent manager which can accept a user’s government ID, tokenise it into an encrypted format to protect the contents of the ID, and only share the age and name parameters with an online platform to verify a user’s age. Such a system, it is learnt, will only be allowed if the Centre approves it.

Some entities can be exempted from obtaining verifiable parental consent and age gating requirements including healthcare and educational institutions. It is also understood some entities can be exempted from the norms on a restricted basis, that is, depending on the specific purpose for which they need to process a child’s data.

“For instance, a transport company can process a child’s data without age gating for the limited purpose of offering them transport services. But nothing beyond that. Similarly, the government can process a child’s data for the limited purpose of offering them welfare services,” a second official said.

The rules are also expected to propose that entities notify users about a data breach as soon as they become aware of it as part of a two-stage notification process. In the first step, they will be required to alert users about the nature and quantum of the breach, among other things. In the second stage, they will have to notify users within 72 hours about any additional details related to the breach.

Under the data protection Act, the penalty for not being able to take enough safeguards for preventing a data breach could go as high as Rs 250 crore.

Another key proposal of the rules will be to require government institutions to issue a notice to citizens whenever they are using their personal data for offering welfare services and subsidies, or for other similar activities.