by Pritika Kumar and Moksh Roy
Introduction
The Digital Personal Data Protection Act, 2023 (“PDPA”) was recently notified by the Indian government. The PDPA has been enacted to enforce the rights of individuals to protect their personal data and the need to process personal data for lawful purposes.
One of the unique features about the PDPA is that it contains special provisions related to the processing of personal data that relates to children and people with disabilities. Through this article we explore the specificities of these provisions, why such safeguards are important, and the issues that might crop up during their implementation.
What does the PDPA say about processing a child’s personal data?
Under the PDPA, a child refers to any individual below the age of 18 years. In other jurisdictions like the European Union (“EU”) no restrictions placed on processing of personal data of individuals who are above 16 years of age. Additionally, the EU’s General Data Protection Regulation (“GDPR”) allows member states to prescribe an even lower age in this context; however, such age cannot be lower than 13. The EU also clarifies that the age of consent as per the general contract law of member states would still apply.
Section 9 of the PDPA specifically deals with the processing of the personal data of a child. It states that before any such processing takes place, verifiable consent needs to be taken from the parent of the child.
Further, the section places certain limitations on data fiduciaries when it comes to processing a minor’s personal data. The data fiduciary is not allowed to process personal data where processing is likely to cause a detrimental effect on the wellbeing of the child, and it is also not allowed to track or monitor the behaviour of children or undertake targeted advertising on children.
Analysis
Verifiable Parental Consent
Firstly, it would be apposite to understand the meaning of verifiable consent of the parents in the context processing the personal data of a minor. Verifiable consent or verifiable parental consent (“VPC”) have not been defined under the PDPA. The PDPA states that verifiable consent of the parent has to be taken in the prescribed manner, which indicates that the authorities will come up with specific procedures, or guidelines expanding upon what would constitute as verifiable consent.
In the United States, where there is a specific legislation[1] directed towards protection of children’s privacy online, the Federal Trade Commission (“FTC”) has laid down certain guidelines as to how VPC can be obtained. These include, signing a physical consent form and sending it back via post, fax, or email; calling a toll-free number or giving consent via video call; answering knowledge-based questions; submitting government ID and verifying it via facial recognition. While the FTC’s guidelines to obtain VPC may seem onerous in practice, and have been criticised on grounds of being difficult and expensive to implement, being easy to circumvent by tech-savvy children, and also raising security, and convenience barriers, we believe that proper VPC methods should exist in order to completely achieve the objective of legislations like the COPPA and, to an extent the PDPA. One mechanism that can be considered is “platform-mediated” VPC, whereby it is the platform that is responsible for creating a mechanism for obtaining VPC, and uniformly flagging underage users.
It should be noted that COPPA only applies to children below the age of 13 years, which vastly varies from the age limit for minors laid out under the PDPA. Social Media websites that allow children above 13 years of age to sign up will also have to rethink their practices.
Considering that the maturity level of a 5-year-old and a 16-year-old are on very different level, it will perhaps be better to take a graded approach to VPC based on the age of the minor. The Indian authorities will have to carefully ideate effective guidelines for data fiduciaries to obtain VPC through a balanced approach to appropriately satisfy all stakeholders.
Bar on processing
The PDPA also ordinarily bars data fiduciaries from processing the personal data of children in certain cases. Such as where processing shall cause a detrimental effect to the well-being of the child, or where tracking and behavioural monitoring of children is undertaken, or for reasons of targeted advertising geared towards children.
‘Detrimental effect’ in the context of a child’s well being has not been elaborated upon under the DPDA. The Information Commissioner’s Office (“ICO”) in the United Kingdom (“UK”) defines ‘detrimental use of data’ as “any use of data that is obviously detrimental to the children’s physical or mental health and wellbeing or that goes against industry codes of practice, other regulatory provisions or Government advice on the welfare of children.”
The inclusion of the term “detrimental effect” without properly mapping out its meaning might lead to unintended consequences. To instantiate, the fact that spending time on social media is linked to poor mental health has been documented by several studies. Most social media platforms allow children above 13 years of age to sign up by collecting their personal data. In such a case processing of personal data is likely to lead to detrimentally affecting a minor’s mental health, and would be prohibited as per the language of the PDPA. Clarity will be needed from the government in this regard.
When it comes to the bar on tracking and behavioural monitoring, online coaching classes that track the performance of students will also be affected negatively and exceptions will have to be created for such industries where tracking and monitoring is actually beneficial for a child.
Lastly a bar is also placed on targeted advertisements towards children. This has been a point of contention in several jurisdictions. Recently, the President of the United States also called for an end to targeted ads towards kids. It should be noted that most online applications and platforms are monetized by way of targeted advertising. In fact, when Google banned targeted advertising in children’s games on android in 2019, it was found that a lot of these games were abandoned by developers due to lack of revenue generation. While banning targeted advertisements towards children is a step in the right direction, the government’s (hopefully nuanced) approach remains to be seen.
Conclusion
The PDPA, marks a significant step towards safeguarding the personal data of children and individuals with disabilities in India. The explicit provisions regarding children's data, including the requirement for verifiable parental consent and the restrictions on processing that could harm their well-being, reflect the government's commitment to protecting the vulnerable segments of society. However, as the law is put into practice, the authorities must work diligently to define and clarify key terms to prevent unintended consequences and to strike a balance between protecting children's privacy and allowing for beneficial activities like educational tracking. The successful implementation of the PDPA's child-specific provisions will require a nuanced and adaptive approach to address the evolving digital landscape and the diverse needs of young individuals in the age of technology.
[1] Children’s Online Privacy Protection Act, 1998 (“COPPA”)
Disclaimer: The information in this blog post (“post”) is provided for general informational purposes only. No information contained in this post should be construed as legal advice , nor is it intended to be a substitute for legal counsel on any subject matter.
Pictures from Ghostery