The new rules, announced on 3 January, require users under 18, defined as "children" under the DPDP Act, to obtain verifiable parental consent before accessing social media, marking a significant step in regulating children's online presence
Published Jan 04, 2025 | 7:40 PM ⚊ Updated Jan 04, 2025 | 7:40 PM
Explainer : The new DPDP Act draft rules that will impact children’s access to social media. (iStock)
India’s government has introduced new draft rules under the Digital Personal Data Protection Act (DPDP) of 2023 that will significantly impact how children access and use social media platforms.
The rules, which were made public on Friday, 3 January, require that all users under the age of 18, defined as “children” under the Act, must obtain verifiable parental consent before using social media services. This marks a major step in regulating children’s online presence in India.
The DPDP Act, which was passed by the Indian Parliament in August 2023, aims to tighten data privacy protections for users.
With the release of these draft rules, the government is now seeking public feedback until 18 February, 2025, before finalising the regulations.
Parental consent for children:
The new rules mandate that social media platforms, along with other digital services, must obtain verifiable parental consent before processing any personal data of children.
This means parents or guardians must confirm their approval for a child to use social media platforms, a move designed to enhance children’s privacy protection.
Data fiduciaries’ responsibilities:
The rules also introduce stringent requirements for companies, referred to as “data fiduciaries,” which handle personal data. These entities, which include social media platforms, e-commerce firms, and online gaming intermediaries, will be required to delete the personal data of inactive users after three years.
They must also notify the Data Protection Board within 72 hours in the event of a data breach. Additionally, users must be informed about any breaches in a clear and transparent manner, including details such as the nature, extent, and impact of the breach, as well as the steps being taken to address it.
Annual data protection audits:
Significant data fiduciaries—those handling sensitive data—will be required to conduct annual data protection impact assessments and audits.
The findings of these evaluations must be submitted to the Data Protection Board. This ensures that companies are actively managing risks to personal data and improving security practices.
Data localisation provisions:
The draft rules also revive the potential for data localisation, requiring that certain personal data be stored within India. This could impact how international companies manage data related to Indian users.
Strengthened parental consent verification:
To ensure the legitimacy of parental consent, platforms will need to verify the identity of the guardian claiming responsibility for a minor.
This will involve confirming the guardian’s details, such as identity and age, through reliable sources, either from platform records or voluntarily provided user information.
Under the proposed rules, internet companies will face new obligations to protect children’s data. They must implement technical and organisational measures to secure parental consent before collecting or processing personal information about users under 18.
The rules further place responsibility on these platforms to authenticate the relationship between the guardian and the minor.
Social media companies that handle large volumes of personal data, especially those processing sensitive information, will be designated as “significant data fiduciaries.”
These companies will face stricter compliance requirements, including the mandatory annual data protection audits mentioned earlier.
A central feature of the draft rules is the establishment of a Data Protection Board, which will oversee compliance and act as a regulatory body for data breaches and privacy violations.
The Board will be headed by a chairman, and its composition will be based on recommendations from a four-member committee led by the Secretary of the Ministry of Electronics and Information Technology (MeitY).
The Indian government’s proposed regulations represent a significant shift in how children’s data will be handled online, aiming to bolster privacy protections and give parents more control over their children’s digital footprint.
While these rules are still in draft form and open for public consultation, their eventual implementation could bring about substantial changes for social media platforms and other online services, especially those with significant user bases under the age of 18.
The deadline for public feedback is set for 18 February, 2025, and once finalised, these rules will shape the future of data privacy and digital rights in India.
(Compiled by Ananya Rao)
