The Digital Personal Data Protection Act, 2023 (DPDPA) introduces heightened protection for children’s personal data. Section 9 mandates “verifiable consent” from parents or lawful guardians before processing such data. The DPDPA prohibits data fiduciaries from engaging in harmful processing or tracking/behavioural monitoring for targeted advertising directed at children.
If data processing for children is done “in a manner that is verifiably safe,” the government may lower the exempt age for data fiduciaries. The Future of Privacy Forum (FPF), in collaboration with The Dialogue, presents a catalogue of “verifiably safe” measures based on the DPDPA, aligning with industry best practices and international experiences.
The concept of “verifiably safe” processing, unique to the DPDPA, emphasizes traceable and documented implementation by data fiduciaries. The proposed measures focus strictly on privacy safeguards for children, aligning with the DPDPA’s scope. While other aspects of child protection online, such as exposure to harmful content, fall under other regulations, this brief concentrates on privacy, promoting transparency and accountability.
The term “children” refers to those under 18, as defined by the DPDPA. The document recognizes the diverse needs of individuals aged 0 to 17, emphasizing the importance of tailored considerations for older teens and very young children. The absence of a specific age recommendation recognizes jurisdictional variations in the age of digital consent.
Encouraging dialogue among government, industry, privacy experts, and representatives of children and guardians is pivotal to identifying practices and measures suitable for specific industry players.
The Dialogue is pleased to submit its comments on certain crucial aspects of the draft regulations. The comments have been drafted after an extensive literature review from multiple jurisdictions.