Opinion Data Protection Bill 2023: What the law must do for children online

Under the DPDP Bill, people under the age of 18 are considered minors. It places three conditions on data processing entities for children’s data: Obtaining “verifiable parental consent”, not causing harm to children, and not tracking or monitoring children or targeting ads at them. Considering that prohibition on causing harm to children and tracking and monitoring them are not disputed, let’s analyse the requirements of age-gating and parental consent.

Obligating all entities to obtain parental consent for every individual below 18 years before processing their data will make it extremely onerous for young adults and adolescents to freely access the internet. Currently, children over 13 years can sign-up for Facebook, Instagram, YouTube, Twitter, and Snapchat. This is because US law allows them to process data of children above that age. Even the European Union’s General Data Protection Regulation defines children as under 16 years and provides member countries the flexibility to lower the age of consent to 13 years if desired.

The DPDP’s formulation also disregards the nuance that children at different stages of their development may need varied supervision. A 17-year-old may think twice before volunteering their address and phone number, as compared to an 11-year-old. If the DPDP Bill passes as is, a sizable number of children will need to seek parental consent for services they can easily access right now.

A simple solution may be for the DPDP Bill to adopt a graded and risk-based approach to processing children’s data. Instead of adopting blanket age-gating, the government should have the power to lower the age for certain digital services which may not carry significant privacy risks. These could include services like web search, online encyclopaedias, and others which children may access for educational purposes. Services like video-streaming or e-commerce platforms could carry a strict age-gating mechanism.

News reports suggest that the latest DPDP Bill that is expected to be tabled in Parliament allows the government to lower the age of consent for certain entities if they process children’s data in a “verifiably safe manner”. Although this will be a step in the right direction, the Bill must articulate core principles around what qualifies as a “verifiably safe manner” to avoid ambiguity.

There are questions about how data processing entities will verify the age of children and obtain parental consent, given that these have been left to future implementation guidelines to determine. How will these entities know that they are interacting with a child? What methods will they use to verify parental consent? Incorporating some safeguards within the text of the DPDP Bill will help future policymakers.

Like previous drafts of the Data Protection Bill in 2018 and 2019, the DPDP Bill must lay down twin obligations before entities process children’s data — the first being age verification, followed by obtaining parental consent. The current text of the Bill is ambiguous about when and how entities would verify the age of a child. On the question of how, as age verification on the internet is tricky to implement, knowledge-based tests like puzzles, maths quizzes, and Question and Answers could be used to assess the age of a child.

In cases where parental consent is required, it should be based on a self-declaration on the existence of a parent-child relationship and the consent could be verified using readily available government identity documents.

Although specific mechanisms for age verification and parental consent could be left to future implementation guidelines, these could result in the collection of unintended data. The time taken to solve a quiz could reveal information about a child’s personality or intellect. Similarly, identity documents shared by a parent will lead to the collection of sensitive demographical data. To protect against misuse, the text of the DPDP Bill should clarify that mechanisms for age verification and parental consent must adhere to basic data protection principles and safeguards like data minimisation and purpose limitation.

It is pertinent to mention that the DPDP Bill allows the government to exempt entities from the requirement of parental consent and tracking and targeting ads for specific purposes. Presumably, exemptions are required for services like ed-tech that may not need parental consent and may benefit from tracking and monitoring a child’s behaviour. Although it seems logical to have flexibility for such exemptions, the Bill must clearly mention that they should be for the “best interests of a child”. This will guide future policymakers and courts in better implementation of the law.

In the coming months and years, India will debate laws and policies to regulate different layers of the internet. In addition to the DPDP Bill, a Digital India Bill and a Telecom Bill to replace the current IT Act and the Telegraph Act, are in the pipeline. As we create these guardrails for an open, safe, trusted, and accountable internet for India’s digital nagriks, we must not forget about the needs and interests of children.

Joshi is a Project Officer and Mohan is a Programme Manager at the Centre for Communication Governance, National Law University, Delhi