The draft Digital Personal Data Protection Rules, 2025, published by the Union Ministry of Electronics and Information Technology (MeitY) on January 3, introduce measures aimed at protecting the personal data of children.
These draft rules are part of a broader legislative framework established by the Digital Personal Data Protection Act, 2023, which was cleared by Parliament in August 2023.
The government has sought objections and suggestions from stakeholders on the rules by February 18, 2025.
Child protection measures
Under the draft rules, social media platforms and other online services will need to obtain verifiable parental consent before processing the personal data of children. This means that parents will need to explicitly agree to their child’s data being collected and used by the service.
The draft rules also specify that data fiduciaries (organisations that collect and store personal data) will need to take steps to verify the identity of the person claiming to be a child’s guardian. This could involve checking government-issued ID or using digital tokens linked to identity services.
For instance, if a child wishes to create an online account, the data fiduciary must enable the parent to identify themselves through secure means before processing the child’s data.
The following illustration is provided in the draft rules:
“C is a child, P is her parent, and DF is a Data Fiduciary. A user account of C is sought to be created on the online platform of DF, by processing the personal data of C.
Case 1: C informs DF that she is a child. DF shall enable C’s parent to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she is a registered user on DF’s platform and has previously made available her identity and age details to DF. Before processing C’s personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P.”
Processing of personal data by State
The rules allow State entities to process personal data when providing subsidies, benefits, or services. This provision is aimed at ensuring that such processing aligns with established standards and safeguards, reinforcing accountability in public sector data handling.
Security measures
To protect personal data from breaches, data fiduciaries are required to implement reasonable security safeguards. These measures include:
- Encrypting and securing personal data;
- Controlling access to computer resources used for processing;
- Maintaining logs and monitoring access to detect unauthorised use.
Breach notification requirements
In the event of a data breach, data fiduciaries must notify affected individuals promptly. The notification must include:
- A description of the breach’s nature and extent.
- Potential consequences for affected individuals.
- Measures taken to mitigate risks.
Additionally, they must report breaches to the regulatory board within a specified timeframe, ensuring transparency and accountability in handling such incidents.