A Data Fiduciary will have to ensure verifiable consent of the parent before the processing of any personal data of a child, according to the draft Digital Personal Data Protection Rules, 2025 which have been published by the Central Government on Friday.
This will doubly ensure the privacy of a child on various social media platforms and other websites.
The Digital Personal Data Protection Act, 2023 was passed by the Parliament in 2023. The draft rules, once finalised and notified, will come into force. The Centre has set a deadline of February 18, 2025, for the public to comment and send their feedback over the draft rules.
As per the draft, the Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child. The Data Fiduciary would also observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable.
The draft rules have illustrated four scenarios in this regard where C is a child, P is her parent, and DF is a Data Fiduciary. A user account of C is sought to be created on the online platform of DF, by processing the personal data of C.
Case 1
C informs DF that she is a child. DF shall enable C’s parent to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she is a registered user on DF’s platform and has previously made available her identity and age details to DF. Before processing C’s personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P.
Case 2
C informs DF that she is a child. DF shall enable C’s parent to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she herself is not a registered user on DF’s platform. Before processing C’s personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the same, check that P is an identifiable adult.
P may voluntarily make such details available using the services of a Digital Locker service provider.
Case 3
P identifies herself as C’s parent and informs DF that she is a registered user on DF’s platform and has previously made available her identity and age details to DF. Before processing C’s personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P.