Draft DPDP Rules 2025 Leave Open Questions About Age Verification


The draft Digital Personal Data Protection Rules, 2025 have led to confusion about whether all users will have to verify their age and identity to access online services. Under the Digital Personal Data Protection Act, 2023 (which the rules seek to operationalise), online platforms have to obtain verifiable parental consent before processing the data of anyone under 18 years of age. The rules then elaborate that platforms have to verify the age and identity of anyone claiming to be a parent and giving consent on behalf of a child.

While the rules specify what platforms can do when an under-18 user declares themself a child and when a parent comes forward, they don’t address situations where a child inputs the wrong information and claims to be an adult. Some, like MediaNama’s editor Nikhil Pahwa, argue that in such cases platforms will have to verify everyone’s age. Others, like Aparajita Bharti, the co-founder of Quantum Hub Consulting, believe that the way the rules read right now, companies could use self-declaration measures to determine whether the person signing up is a child or not.



“The illustrations 1 & 2 seem to suggest if the user indicates they are a child then the platform has to take steps to gather verifiable parental consent,” she explained in a post on X (formerly Twitter). Similarly, the founder of social media impact consulting Space2Grow also told MediaNama that the DPDP Rules “do not explicitly require mandatory age verification unless the user’s data triggers any sign of them being a child”.

How consent provisions could cause user drop-offs

When a parent comes forward to give consent on behalf of a child, the platform has to verify their age and identity as well.

The rules provide two ways in which platforms can approach this verification— Bharti expressed concern that getting synchronous consent (consent right before a child uses the platform) will be operationally difficult. She explained that it would lead to “huge drop-offs (especially among low-income/rural households) and increased costs of compliance.” Talking about the synchronicity of consent, she said that there could be circumstances where the parent isn’t available to give consent when the child needs to access a specific online service.

During a spaces discussion on X, Bharti explained that her organisation Young Leaders for Active Citizenship (YLAC) works with rural communities where there is a lot of shared device usage. “Children [in these communities] are way more sophisticated users of technology than their parents. Parents on the other hand ask children for help to navigate the tech world,” she explained.

She said that while children do need to be safe online, cutting off their access to the internet is a bigger harm to them.

The grey area for establishing parent-child relationships

One of the age verification scenarios under the rules is where a person comes forward identifying themself as a child’s parent. The platform then verifies the age and identity of the parent.

The rules do not specify how platforms have to go about verifying this parent and child relationship. “The ‘due diligence’ methods expected of data fiduciaries to establish relationship with the minor is a grey area – in effect indicating that people have to surrender more data about themselves, their relationships, and online behaviour to either platforms or the government,” Nidhi Sudhan, co-founder of Citizen Digital Foundation told MediaNama. According to her, the rules appear to favour the interests of businesses and the Government more than the people whose data it was meant to protect.

Other key comments about the rules

Besides parental consent, the act also restricts platforms from carrying out tracking/behavioral monitoring of children. It says that the government can exempt certain platforms from these restrictions as well as verification restrictions provided that they process a child’s data in a verifiably safe manner. While the rules list a range of different services that the government allows to carry out behavioral monitoring/exempts from verifiable consent, Sidharth Deb from Quantum Hub Consulting mentioned that they “seem to miss out on an opportunity to incentivise positive/beneficial processing activities that can preserve meaningful internet experiences for under 18 users.” He adds that the rules could have initiated a discussion around what standards companies must meet to qualify as verifiably safe so that the Government allows them to curate digital products for under 18 users.

The Data Protection Act says that companies can only process the personal data of an Indian citizen for purposes to which the citizen has specifically consented or for legitimate uses as specified under the act, such as court orders, medical emergencies, epidemics, employment and so on. Bharti says that certain situations, like sending gifts to friends or family or fraud prevention, require vicarious consent.

Now that I have had the time to sleep over them for a (very) few hours, here are some observations: 1) At this stage creating a backdoor for bringing in data localisation norms for significant data fiduciaries through a committee that may be formed at a later time doesn't...

Under the DPDP Rules, companies that want to transfer people’s personal data must abide by certain requirements that the Government can make through general or special orders, especially in those cases where the company wants to transfer the data to a foreign government or a company controlled by a foreign company. Further, in the case of companies being notified as significant data fiduciaries, the Government can ask them to not transfer certain kinds of personal data out of the country. The Central Government will formulate a committee which will give recommendations about what these kinds of data would be.

Further, in recent interviews, IT Minister Ashwini Vaishnaw has elaborated that this committee will carry out stakeholder consultations before implementing any specific regulations. Speaking about the cross-border data regulations on X, Bharti said that the localisation committee “can lead to some overzealous efforts to localise data later because there will be domestic lobbies who will have it in their interests that all data should be localised.” She gave the example of those setting up data centers in India as people who may favour localisation.

Bharti mentioned that businesses might face challenges when trying to operationalise data localisation. On a similar note, Monica Jasuja, the Ambassador for the Emerging Payments Association of Asia, said that since there is a lack of clarity around data localisation requirements, there could be concerns about ensuring compliance with existing cross-border initiatives. “We have trade agreements and there are cross-border payment initiatives that are ongoing, the privacy law which has now been implemented as well the erasure of data which has now been made a requirement, have we considered the impact on physical and digital trade because both require data to be shared? Now I know there is a provision about jurisdictions but when there is no clarity the existing initiatives will not be compliant,” she pointed out.

The Data Protection Act requires a company to inform users of the purpose for which it is processing their data. During a spaces discussion last week, former Rajya Sabha member Dr Amar Patnaik mentioned that, given the way companies use personal data to create innovative products, they probably never know what ultimate product they will generate from the data. “So how do you tell the purpose right up front?” he questioned.

The act specifies that companies must report incidents of data breaches to the Data Protection Board as well as the people affected by the data breach. Speaking about data breach reporting in the context of financial institutions, Jasuja said that even in the financial ecosystem data breach reporting is low. “The compliance with data breaches and notifications being made [to the people and the board] is going to be very difficult to implement. The penalties are there but the enforcement of the penalties and the board will require a huge amount of administrative and execution machinery,” she said.

Note: We will continue to update this story as we get more stakeholder perspectives. If you want to share your thoughts about a specific aspect of the rules please email shashidhar@medianama.com or [email protected].