Big technology companies are reportedly seeking relaxation in the requirements for parental consent outlined in the Digital Personal Data Protection Act of 2023. This law mandates that platforms must obtain “verifiable consent” from a parent or legal guardian before processing the personal data of users under the age of 18. This provision has sparked concerns about unintended consequences to digital inclusion, privacy, and children”s safety.
During public consultations on the bill, the provision regarding parental consent was a contentious issue. While the provision has been enacted, major tech companies are anticipated to engage with the government to discuss potential exemptions and methods of implementation.
Some industry insiders believe that the requirement for verifiable parental consent could have negative impacts. They argue that it might expose both children and parents to risks and burdensome tasks, such as submitting identification documents to multiple apps with varying security practices. They view this approach as overregulation and not an effective way to address safety concerns.
The law also includes sections prohibiting the tracking and behavioural monitoring of children, as well as targeted advertising aimed at them. However, executives are concerned that these prohibitions could inadvertently block certain child safety features. Behavioural data tracking combined with artificial intelligence models is currently used by some platforms to protect children from unknown adults and predators.
Critics argue that a blanket ban on monitoring and targeted advertising could disable these safety functionalities and expose children to irrelevant or inappropriate advertisements. They also contend that verifiable parental consent might hinder young people”s empowerment and hinder their ability to effectively use technology, particularly impacting girls who might have unequal access to information and communications technology.
Moreover, the requirement for verifiable parental consent is seen by some as contradictory to privacy laws” fundamental objective of data minimisation. Collecting extensive personal data, such as ID proofs to verify age and parent-child relationships, is viewed as contrary to the principles of privacy protection.
Notably, the government introduced a clause in the final version of the bill that could potentially exempt certain categories of platforms from the consent requirement. However, a government official clarified that social media platforms are unlikely to qualify for such an exemption due to their lack of know-your-customer processes and widespread anonymous usage.
As the tech industry navigates these regulations, companies are reviewing the implications for their operations and users. During public consultations, some stakeholders suggested lowering the minimum age for data processing consent to 16 years, aligning with laws in other jurisdictions. In the US and the UK, individuals over the age of 13 can provide consent for personal data processing.