Online platforms may be required to delete data of users inactive for 3 years

At least 25 rules have to be formulated to operationalise the Act notified in August and the government has also been empowered to enact rules for any provision that it deems fit.

Data protection, delete data of users, Online platforms, Digital Personal Data Protection (DPDP) Act, Indian express business, business news, business articles, business news stories

It is also understood some entities can be exempted from the norms on a restricted basis, that is, depending on the specific purpose for which they need to process a child’s data.

The Centre may require online platforms to permanently delete personal data of users who have been “completely away” from their accounts for at least three years in a row, The Indian Express has learnt.

According to the yet-to-be-released data protection rules, the government could impose the data deletion rules on e-commerce companies, online marketplaces, gaming intermediaries and all social media intermediaries, irrespective of the number of users they have in India, a senior government official said. The proposal is part of draft executive rules of the Digital Personal Data Protection (DPDP) Act, which was ratified as a law in August this year.

At least 25 rules have to be formulated to operationalise the Act notified in August and the government has also been empowered to enact rules for any provision that it deems fit.

One of them is developing a consent framework to verify a child’s age before they can use an online service. The Act states that companies will need to gather “verifiable parental consent” for letting anyone under 18 years access their platform. This has been a major sticking point for the industry since the Act itself does not suggest ways in which platforms can perform age-gating.

The rules, it is learnt, are expected to recommend two methods. One is to use a digital locker system backed by a government ID like Aadhaar, this paper had earlier reported. The other is for the industry to create an electronic token system which will be allowed only if the government authorises it. Some entities can be exempted from obtaining verifiable parental consent and age gating requirements including healthcare and educational institutions.

It is also understood some entities can be exempted from the norms on a restricted basis, that is, depending on the specific purpose for which they need to process a child’s data.

Tags:
Data protection