What does the Digital Personal Data Protection Act (DPDP Act) say about processing children’s data? What can companies do to obtain verifiable parental consent wherever possible? To what extent can a data fiduciary go to process a child’s data? Can an online tutoring company store a child’s personal contact details? What is considered a ‘verifiably safe’ way of processing children’s data? These are some of the concerns that have come up as the DPDP rules are slated to come out anytime soon.
With technology being easily accessible to children these days, it is mandatory to ensure their privacy and safety. Thus, obtaining verifiable parental consent has become one of the bare minimum requirements that companies must abide by.
What does the DPDP Act say about parental consent?
Section 9 of the DPDP Act clearly states that a data fiduciary must obtain ‘verifiable parental consent’ from the parent or a legal guardian before processing the personal data of children or a person with disability. A data fiduciary cannot process a child’s data if there’s a potential of having ‘any detrimental effect on the well-being of the child.’ The Act also prohibits ‘tracking, behavioral monitoring or targeted advertising directed at children’.
However, the DPDP Act does not give any framework on ‘how’ companies can obtain verifiable parental consent.
Can a data fiduciary be exempt from some rules for processing children’s data?
If a data fiduciary can demonstrate that it processes children’s personal data in a verifiably safe manner, the central government may, by notification, exempt that organization from some or all of the rules on processing children’s data. Such an exemption would apply only to children above an age that the government specifies in the notification.
How can data fiduciaries obtain verifiable parental consent?
Recently, Priyank Kanoongo, Chairperson of the National Commission for Protection of Child Rights (NCPCR), proposed a KYC-based verification method to obtain verifiable parental consent. This comes after NCPCR held a meeting with leading social media platforms such as Instagram, YouTube, WhatsApp and Twitter (now X). This, however, raises concerns about data privacy, as identity documents are being collected on the pretext of ‘age gating’. There are still many loopholes that need to be resolved.
The NCPCR also suggested that social media platforms will have to display disclaimers in English, Hindi and other vernacular languages before showing adult content. This will have serious ramifications for social platforms such as Instagram, TikTok, Snapchat, etc. Here’s an example of a parent’s guide.
Parental Consent Under the GDPR
The GDPR sets similar stringent requirements regarding the processing of minors’ data, particularly focusing on the age of digital consent and the importance of obtaining verifiable parental consent.
1. Age of Digital Consent
The GDPR establishes that children under the age of 16 cannot consent to the processing of their personal data for online services without parental consent. EU member states can lower this age limit to as low as 13, but not below.
For children between 13 and 16 years, parental consent is mandatory for processing any data, especially in cases where services such as social media, video streaming platforms, or gaming services are involved.
2. Informed Consent
Under GDPR, parental consent must be explicit and informed. The organization collecting data must provide a clear, transparent explanation of how the data will be used, stored, and shared. This includes clear details about the type of data collected, its purpose, and any third parties involved in processing.
3. Parental Verification
The GDPR obliges data controllers to implement reasonable efforts to verify that the consent given is from a legitimate parent or guardian. This involves methods such as secure identity verification processes, email confirmations, and digital authentication mechanisms. While the GDPR does not mandate a specific method of verification, it requires organizations to ensure that the process is robust enough to prevent fraud.
Comparison of Parental Consent Between DPDP Act and GDPR
Both the DPDP Act and GDPR place parental consent at the forefront of protecting minors’ data. However, they differ slightly in their approach:
- Age Threshold: The DPDP Act sets the age of consent at 18, while the GDPR allows flexibility for member states, with the age ranging from 13 to 16.
- Verification Standards: The GDPR provides more flexibility in terms of parental verification methods, whereas the DPDP Act places a stronger emphasis on robust, verifiable methods, such as requiring Aadhaar or other government-issued IDs in the Indian context.
- Multilingual Support: The DPDP Act specifically mandates multilingual support for consent forms, reflecting India’s diverse population, while GDPR focuses on transparency but does not specify multilingual requirements.
Managing the Data of Disabled Individuals
Both the GDPR and the DPDP Act emphasize the protection of vulnerable individuals, including disabled people. The handling of personal data for disabled individuals requires additional safeguards to ensure that their rights are respected, and they are not subjected to discriminatory practices.
GDPR Provisions for Disabled Individuals
The GDPR has several provisions designed to protect the rights of disabled individuals:
- Informed Consent: Similar to minors, disabled individuals may require assistance or accommodations to provide informed consent. Data controllers are required to ensure that individuals with disabilities fully understand how their data will be used, and that they have equal opportunities to consent to or refuse the processing of their data.
- Accessibility: Under the GDPR, organizations must provide data processing information in accessible formats. This means using formats that can be easily read by individuals with disabilities, such as braille, audio formats, or simplified language, to accommodate those with visual or cognitive impairments.
- Right to Withdraw Consent: Disabled individuals, like any other data subjects, have the right to withdraw consent at any time. Organizations must provide accessible and straightforward methods for them to exercise this right, ensuring that they do not face additional barriers.
DPDP Act and Disabled Individuals
While the DPDP Act does not specifically highlight the rights of disabled individuals, the principles of transparency, accessibility, and user-centric consent management apply universally. Organizations are encouraged to adopt inclusive practices, ensuring that individuals with disabilities can provide informed consent and exercise their data rights.
Key considerations for handling the data of disabled individuals under the DPDP Act include:
- Accessible Consent Forms: Organizations should ensure that consent forms are available in accessible formats, such as audio descriptions or screen reader-friendly text.
- Accommodating Special Needs: Where necessary, guardians or caregivers should be involved in the consent process, especially in cases where the disabled individual may not fully comprehend the data processing implications.
- Respect for Autonomy: The DPDP Act, in its commitment to protecting the rights of all individuals, mandates that consent must be informed and voluntary, including for disabled individuals. Organizations must ensure that disabled individuals have the same rights and opportunities to control their data.
Challenges in Implementing Parental and Disabled Consent Mechanisms
Something as simple as opening an email account will now need a proper consideration of age-proofing and parental consent.
The complexity of implementing verifiable consent mechanisms, particularly for minors and disabled individuals, poses several challenges for organizations:
- Verification Complexity: Verifying the identity of parents or guardians, and in the case of disabled individuals, their caregivers, can be resource-intensive. Balancing security with a seamless user experience is critical to ensuring compliance without causing user friction.
- Data Security: Securing consent artifacts from tampering is a major challenge. Organizations must invest in technologies that ensure the integrity of these records. Solutions like Privy Consent Shield provide advanced encryption and tamper-proof storage to address this challenge.
- Accessibility: Ensuring that consent forms and withdrawal mechanisms are accessible to disabled individuals requires significant investment in user experience design and technology. Organizations must adopt best practices for inclusive design, such as providing multiple formats for consent notices.
Best Practices for Managing Parental and Disabled Consent
To effectively manage consent for minors and disabled individuals, organizations can adopt the following best practices:
- User-Friendly Consent Mechanisms: Design intuitive consent forms that cater to parents, guardians, and individuals with disabilities. Avoid overwhelming them with technical jargon and make the process simple and clear.
- Technological Tools for Verification: Use technologies like digital signatures, multi-factor authentication, and secure ID verification platforms to authenticate consent. Implement tamper-proof consent storage solutions to ensure compliance with both the DPDP Act and GDPR.
- Ensure Accessibility: Provide consent forms in multiple formats, including braille, audio, and screen reader-compatible formats. Ensure that withdrawal mechanisms are also accessible to all individuals, regardless of ability.
- Regular Audits and Updates: Regularly audit consent processes to ensure they remain compliant with evolving regulations. Update consent records when necessary and ensure that parents, guardians, and individuals with disabilities can easily update or revoke consent.
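The best practices above mention e-mail confirmation loops and digital authentication as ways to verify that the person granting consent is the parent who controls the registered address. The following is an added example, not code from the article or any product it names, of how such a loop can be built so that the confirmation link cannot be forged, re-pointed at a different child account, replayed, or used after it expires. All names (`issue_token`, `ConfirmationLoop`, `DEMO_KEY`, the account and e-mail values) are assumptions made for this illustration.

```python
"""Added example: a signed, time-limited, single-use token for a parental
e-mail confirmation loop.

Flow: the service issues a token bound to the child's account and the
parent's e-mail address, mails a link carrying it, and records consent only
when the link comes back before expiry. The token is an HMAC-SHA256 over its
fields, so it cannot be altered or minted without the server-held key; a
replay set makes each token single-use.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key. In production load it from a KMS/HSM; never hard-code it.
DEMO_KEY = b"constructed-demo-key-do-not-use"
TOKEN_TTL_SECONDS = 24 * 3600   # assumption: links are valid for one day


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(child_account: str, parent_email: str, now: Optional[float] = None) -> str:
    """Return 'payload.tag'. The random nonce makes every token unique for the replay check."""
    now = time.time() if now is None else now
    payload = {"acct": child_account, "email": parent_email.lower(),
               "exp": int(now) + TOKEN_TTL_SECONDS, "nonce": secrets.token_hex(8)}
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(DEMO_KEY, raw, hashlib.sha256).digest()
    return f"{_b64(raw)}.{_b64(tag)}"


class ConfirmationLoop:
    """Validates tokens returned via the e-mailed link."""

    def __init__(self) -> None:
        self._used = set()   # redeemed nonces; in production a store with a TTL

    def confirm(self, token: str, child_account: str, now: Optional[float] = None) -> str:
        """Return 'ok', or a short reason code explaining why the confirmation is rejected."""
        now = time.time() if now is None else now
        try:
            raw_b64, tag_b64 = token.split(".", 1)
            raw, tag = _unb64(raw_b64), _unb64(tag_b64)
        except (ValueError, binascii.Error):
            return "malformed"
        # Verify the MAC before trusting any field inside the payload.
        expected = hmac.new(DEMO_KEY, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad-signature"
        payload = json.loads(raw)
        if payload["acct"] != child_account:
            return "wrong-account"      # a valid token presented for a different child
        if now > payload["exp"]:
            return "expired"
        if payload["nonce"] in self._used:
            return "replayed"
        self._used.add(payload["nonce"])
        return "ok"


if __name__ == "__main__":
    loop = ConfirmationLoop()
    tok = issue_token("child-001", "parent@example.com")
    print("first use:", loop.confirm(tok, "child-001"))
    print("second use:", loop.confirm(tok, "child-001"))
    print("other account:", loop.confirm(issue_token("child-001", "parent@example.com"), "child-002"))
```

The reason codes are what an audit log should record: a run of `bad-signature` or `wrong-account` results is a detection signal worth alerting on, while `expired` and `replayed` mostly indicate a parent clicking an old link. The MAC is checked before any payload field is read so that a forged token never influences the account lookup.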
FAQs
- What age requires parental consent under the DPDP Act and GDPR?
Under the DPDP Act, parental consent is required for minors under 18 years old, while the GDPR requires parental consent for minors under 16, though individual EU member states can set the age as low as 13.
- How can organizations verify parental consent?
Organizations can verify parental consent using secure methods such as ID verification, digital signatures, or email confirmation loops. The DPDP Act places a stronger emphasis on government-issued IDs, while the GDPR allows more flexibility in the verification process.
- What protections are in place for disabled individuals under the GDPR?
The GDPR mandates that organizations provide information in accessible formats for disabled individuals and ensure that they can give informed consent. It also grants them the right to withdraw consent at any time.
- How should organizations store consent artifacts?
Consent artifacts must be stored securely to ensure their integrity. Technologies like SHA-256 hashing and digital signatures can be used to make the consent records immutable and verifiable, so that any tampering is detectable.
- How can disabled individuals exercise their data rights?
Organizations must provide accessible tools and formats, ensuring that disabled individuals can exercise their rights, including the right to withdraw consent. These should be easy to use and available in formats that accommodate various disabilities.
Conclusion
Parental consent and the handling of data for disabled individuals are crucial aspects of both the DPDP Act and the GDPR. These regulations are designed to protect vulnerable populations from data misuse while ensuring that organizations handle their data responsibly and securely. By adopting best practices for consent management, leveraging advanced technologies for verification and storage, and ensuring accessibility, organizations can navigate these regulations effectively, ensuring compliance and building trust with users.