Big Tech Companies Seek Amendments to Parental Consent Norm in Data Protection Act

Tech industry leaders are poised to engage in discussions with the government regarding the stringent parental consent requirement outlined in the Digital Personal Data Protection Act, 2023. This provision has sparked concerns surrounding unintended consequences to digital inclusion, privacy, and the safety of children.

The law specifies that digital platforms must obtain “verifiable consent” from a parent or legal guardian before processing personal data of users under the age of 18. During the public consultations on the bill, this provision emerged as one of the most contentious issues.

Although the provision is now enacted, major tech corporations are expected to seek adjustments to its implementation and potential exemptions under government guidance.

A senior industry executive voiced concerns, stating, “Verifiable parental consent is one of the most worrying obligations. It could expose the child and the parent to significant risks and may burden Indian users with the demanding task of submitting ID documents to multiple applications (apps) with varying security practices. It”s a strange way to address safety concerns and appears to be a case of overregulation.”

The law also prohibits tracking or behavioral monitoring of children and targeted advertising directed at them within the same section that addresses the processing of children”s personal data. Some experts worry that this blanket ban could inadvertently block certain child safety features.

For instance, certain social media platforms utilise behavioral data tracking coupled with artificial intelligence models to prevent unknown adults from messaging children and to thwart predators from approaching minors. Blocking targeted advertising might also expose children to irrelevant and inappropriate advertisements.

The executive further emphasised the importance of empowering young people who often guide their parents in effectively using computers. The executive concluded that the concept of verifiable parental consent is inappropriate for regulating the internet.

Critics argue that the parental consent provision would require the collection of substantial amounts of personal data, such as ID proofs, to verify the age of users and the relationship between a parent and child. This contradicts the fundamental objective of privacy laws, which is data minimization.

During the public consultations, some stakeholders called for lowering the minimum age for consent for data processing to 16 years, aligning with laws in other jurisdictions where individuals over 13 can provide consent for personal data processing.

The government introduced a clause in the final version of the bill that could potentially exempt certain categories of platforms from the consent requirement. However, Union Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, clarified that social media platforms are unlikely to qualify for such exemptions due to their lack of “know-your-customer” procedures and prevalence of anonymous usage.