Shielding Young Minds: DPDP’s Safeguards for Children’s Data Privacy
After considerable deliberations, the Digital Personal Data Protection (DPDP) Act is finally operational and brings a host of fiduciary obligations for any entity, private or public, that is handling personal data. The Act also emphasises a special category for children, which mandates additional obligations under Section 9 of the Act.
Section 9(1) mandates that entities which process the data of children must obtain the verifiable consent of a parent or legal guardian before processing it. A failure to do so will be treated as a violation of the DPDP Act and could attract stiff penalties that may extend to ₹200 crores.
This poses many challenges, since an entity processing the personal data of children will have to put in place measures to verify the age of its users as well as to process the consent of a parent or legal guardian. This could be done through a consent manager framework that can also seek documentation similar to the Know Your Customer (KYC) process, where authentic government-issued identification is verified to establish both the child’s age and the relationship between the child and her parents or legal guardian.
Once a child’s age is established, companies must ensure that parents are informed about the types of data being collected, the purposes for which it is being used, and the measures in place to protect their child’s privacy. This requires clear, concise, and age-appropriate communication materials tailored to parents’ understanding of the digital world.
Entities are required to implement transparent and secure consent mechanisms, ensuring that parents fully comprehend the implications of sharing their child’s data. This may involve multi-stage consent processes, parental dashboards, and clear opt-out options.
The General Data Protection Regulation (GDPR), the EU’s flagship data privacy law, has set a high standard. Companies that mishandled children’s data have faced significant fines under GDPR.
- In 2023, a video-sharing platform was fined €345 million for failing to obtain parental consent, provide sufficient data usage information, and implement adequate safeguards. [1]
- In 2022, a social media platform was fined €405 million for failing to prevent unauthorized contact between adults and children, provide adequate data usage information to minors, and implement robust safeguards. [2]
- In 2019, a search engine giant was fined $170 million for tracking children’s online activities without their consent, targeting them with personalized advertisements, and failing to provide adequate data usage transparency. [3]
Children’s data privacy regulation, especially under the DPDP Act, can be difficult to navigate. To steer clear of hefty fines and ensure compliance, companies should consider the following measures:
- Prioritize Age Verification:
  Accurate age identification is the foundation of children’s data privacy compliance. We recommend implementing robust age verification mechanisms, such as:
  - Age-appropriate questionnaires
  - Parental verification processes
  - Third-party age verification services
  These measures will help you accurately identify young users and ensure that data collection and processing align with the DPDP Act’s requirements.
- Empower Parents with Informed Consent:
  Parental involvement is crucial in safeguarding children’s data privacy. Entities should develop transparent and accessible communication materials that clearly inform parents about:
  - The type of data being collected
  - The purposes for which the data is being used
  - The measures in place to protect children’s privacy
  Obtaining verifiable parental consent is paramount. Implement secure consent mechanisms, such as:
  - Multi-stage consent processes
  - Parental dashboards
  - Clear opt-out options
  This will empower parents to make informed decisions about their children’s online activities.
- Embrace Data Minimization Principles:
  Entities should collect only the minimum amount of personal data necessary for the stated purpose. This means establishing a clear data retention policy in keeping with Sections 5 and 8 of the DPDP Act.
- Implement Robust Data Security Safeguards:
  Protect children’s personal data with stringent security measures such as:
  - Multi-factor authentication
  - Data encryption
  - Access controls
  - Regular security audits
  These measures will safeguard children’s data from unauthorized access, use, disclosure, alteration, or destruction.
- Conduct Regular Privacy Impact Assessments:
  Regularly assess the privacy implications of data collection and processing practices, particularly those involving children’s data. We recommend incorporating:
  - LINDDUN privacy threat analysis to identify which data is PII and which is not, and then to go a step further and label which PII carries potential risks
  - Privacy impact assessments to evaluate compliance
  This proactive approach will help entities identify and address potential data privacy issues before they escalate.
- Utilise Age-Gating Assistance:
  Platforms will also need to build age-gating mechanisms that restrict access to certain content or features based on user age. Some tools that can be used are:
  - Age-appropriate content filters
  - Age verification pop-ups
  - Restricted user profiles
  This will protect children from accessing inappropriate content and ensure that their data is only collected and processed for age-appropriate purposes.
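The age-gating, verifiable-consent and data-minimisation recommendations above can be expressed as a single processing gate. The following is an added example written for this article, not code from the article or from any regulator; the child-age thresholds come from the comparative table later on this page (DPDP 18, GDPR 16, COPPA 13), while the purpose names, field allowlists and consent records are constructed for illustration. It decides whether a given processing purpose may run for a user, strips fields the purpose does not need, and checks a retention window.

```python
"""Age-gating, parental-consent and minimisation gate for children's data.

Illustrative example only. Age thresholds follow the comparative table in the
article; purposes, field names and consent records are constructed for the demo.
"""
from dataclasses import dataclass, field
from datetime import date

# Age below which a user is treated as a child under each framework.
CHILD_AGE_THRESHOLD = {"DPDP": 18, "GDPR": 16, "COPPA": 13}

# Constructed purpose -> fields allowlist, used for data minimisation:
# only the fields a purpose actually needs are retained for it.
ALLOWED_FIELDS = {
    "account_creation": {"user_id", "date_of_birth", "display_name"},
    "content_delivery": {"user_id", "language"},
}


@dataclass
class ParentalConsent:
    child_id: str
    guardian_verified: bool                      # identity and relationship verified (KYC-style)
    purposes: set = field(default_factory=set)   # purposes the guardian agreed to
    withdrawn: bool = False                      # guardian has used the opt-out


@dataclass
class Decision:
    allowed: bool
    reason: str


def age_on(dob: str, today: str) -> int:
    """Whole years between two ISO dates, correct on and around the birthday."""
    d, t = date.fromisoformat(dob), date.fromisoformat(today)
    years = t.year - d.year
    if (t.month, t.day) < (d.month, d.day):
        years -= 1
    return years


def is_child(dob: str, jurisdiction: str, today: str) -> bool:
    """True when the user is below the child threshold of the given framework."""
    if jurisdiction not in CHILD_AGE_THRESHOLD:
        raise ValueError(f"unknown jurisdiction {jurisdiction!r}")
    return age_on(dob, today) < CHILD_AGE_THRESHOLD[jurisdiction]


def may_process(user_id: str, dob: str, jurisdiction: str, purpose: str,
                consents: dict, today: str) -> Decision:
    """Gate one processing operation.

    Adults pass. A child needs a consent record whose guardian was verified,
    which has not been withdrawn, and which names this specific purpose.
    """
    if not is_child(dob, jurisdiction, today):
        return Decision(True, "adult user; child safeguards not triggered")
    consent = consents.get(user_id)
    if consent is None:
        return Decision(False, "child user without a parental consent record")
    if not consent.guardian_verified:
        return Decision(False, "guardian identity or relationship not verified")
    if consent.withdrawn:
        return Decision(False, "consent withdrawn by guardian")
    if purpose not in consent.purposes:
        return Decision(False, f"consent does not cover purpose {purpose!r}")
    return Decision(True, "verified parental consent covers this purpose")


def minimise(record: dict, purpose: str) -> dict:
    """Drop every field the stated purpose does not need (data minimisation)."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS[purpose]}


def retention_expired(collected_on: str, today: str, max_days: int) -> bool:
    """True once a record has outlived its retention window and should be purged."""
    return (date.fromisoformat(today) - date.fromisoformat(collected_on)).days > max_days


if __name__ == "__main__":
    # Constructed sample: one child whose guardian consented to account creation only.
    consents = {"u1": ParentalConsent("u1", True, {"account_creation"})}
    print(may_process("u1", "2012-05-20", "DPDP", "account_creation", consents, "2024-06-01"))
    print(may_process("u1", "2012-05-20", "DPDP", "content_delivery", consents, "2024-06-01"))
    print(minimise({"user_id": "u1", "precise_location": "x", "language": "hi"}, "content_delivery"))
    print(retention_expired("2023-01-01", "2024-06-01", 365))
```

The gate is deliberately fail-closed: any missing, unverified, withdrawn or purpose-mismatched consent returns a refusal with a reason string, which is what a parental dashboard or an audit log would surface. Real deployments would replace the in-memory `consents` dictionary with the consent manager the article describes and derive the `ALLOWED_FIELDS` map from the retention policy under Sections 5 and 8.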
It is important to note that the Rules under the DPDP Act have not yet been notified. These Rules will further define the obligations of entities under the Act, for example, the Central Government may exempt entities under Section 9(5) from certain or all obligations for certain ages if they can demonstrate verifiable safety measures.
By keeping in mind these recommendations, entities can demonstrate their commitment to protecting children’s data privacy and creating a safe digital environment for young users.
- [1] Data Protection Commission. (2023, September 15). Irish Data Protection Commission announces €345 million fine of TikTok [Press release]. https://www.dataprotection.ie/en/news-media/press-releases/DPC-announces-345-million-euro-fine-of-TikTok
- [2] Helen Dixon, Commissioner for Data Protection. (2022). In the matter of Meta Platforms Ireland Limited, formerly Facebook Ireland Limited, and the “Instagram” social media network [Decision]. https://www.dataprotection.ie/en/resources/law/decisions/Meta-Platforms-Ireland-Limited-formerly-Facebook-Ireland-Limited-and-the-Instagram-social-media-network-September-2022
- [3] Federal Trade Commission. (2019, September 4). Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children’s Privacy Law [Press release]. https://www.ftc.gov/news-events/news/press-releases/2019/09/google-youtube-will-pay-record-170-million-alleged-violations-childrens-privacy-law
Across Borders and Across Ages: A Comparative Analysis of Data Protection Frameworks
While the DPDP Act of India imposes new obligations for the protection of children’s data, the European GDPR and the USA’s COPPA have been in effect for some time. The following table compares the new Indian requirements with these two laws.
| Legal provision | Digital Personal Data Protection Act, 2023 | The General Data Protection Regulation, 2016 | Children’s Online Privacy Protection Act, 1998 |
|---|---|---|---|
| Definition of a child | Individuals under the age of 18 | Individuals under the age of 16 | Individuals under the age of 13 |
| Consent requirements | Verifiable parental consent is required for the processing of children’s data. | Verifiable parental consent is required for the processing of children’s data. | Verifiable parental consent is required for the processing of children’s data. |
| Data minimisation | Data collected should be processed for fulfilling the specific purpose only. | Data collected should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. | Data collected shall be retained as long as is reasonably necessary to fulfil the purpose for which the information was collected. |
| Purpose limitation | Personal data can only be processed for specified and legitimate purposes. | Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. | Personal data will not be used for any other purpose. |
| Data security | Entities shall protect personal data in their possession or under their control by taking reasonable security safeguards to prevent a personal data breach. | Entities shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. | Entities must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected. |
| Data breach notification | Entities must notify the Data Protection Board and affected individuals of data breaches. | Entities must notify the supervisory authority and affected individuals of data breaches. | Entities must notify the Federal Trade Commission and affected individuals of data breaches. |
| Regulatory body | Data Protection Board of India, with appeals to the Appellate Tribunal. | Data Protection Authorities of EU countries, at country level, have the authority to investigate and impose fines. | Federal Trade Commission, along with state attorneys general and certain federal agencies responsible for the specific industries they regulate. |
| Fines | Penalty up to ₹200 crores ($255.59 million). | Penalty up to 20 million euros (₹1.65 billion) or, in the case of an undertaking, up to 4% of total global turnover of the preceding fiscal year, whichever is higher. | Entities can be held liable by a court for civil penalties of up to $50,120 (₹41 lakhs) per violation. |