IT ministry releases new rule making parental consent mandatory for minors to join social media

The Ministry of Electronics and Information Technology released the long-awaited draft of the Digital Personal Data Protection (DPDP) Rules on Jan 3.

The draft proposes that the Union government mandate verifiable parental consent for children under the age of 18 to open social media accounts.

Additionally, the draft requires parents' age and identity to be verified through voluntarily provided identity proof, "issued by an entity entrusted by law or the government."

Data fiduciaries, which are entities responsible for determining the purpose and means of processing personal data, include e-commerce, social media, and gaming platforms.

"A Data Fiduciary shall adopt appropriate technical and organizational measures to ensure that verifiable consent of the parent is obtained before processing any personal data of a child and shall observe due diligence to ensure the individual identifying themselves as the parent is an adult, who is identifiable if required in connection with compliance with any law for the time being in force in India," reads the draft.

Under the draft regulations, social media companies will not be able to store children's personal information or allow them to create accounts on their platforms without verified parental consent.

The ministry will review the draft after Feb 18, as it has been made available for public consultation. Feedback can be submitted on mygov.in.

The draft regulations were released after the Digital Data Protection Bill 2023 was approved by Parliament 14 months ago.

Interestingly, the draft rules do not include any penalties authorized under the DPDP Act of 2023.

The Act, which aims to protect against the processing of personal data, allows for fines of up to ₹250 crore on data fiduciaries.

According to the proposal, data fiduciaries will need to conduct due diligence to ensure that the individual claiming to be a child's parent is an adult and identifiable if necessary, in compliance with any applicable Indian laws.

The proposed regulations state that fiduciaries will only be required to retain data as long as consent is valid and must delete it after consent is withdrawn.

The draft regulations also include provisions governing the consent processing of individuals, independent companies handling consents, data fiduciaries, and the operation of authorities under the Digital Data Protection Act 2023.

Data fiduciaries, such as healthcare professionals and educational institutions, can process children's personal data under certain restrictions.

Additionally, if a user is inactive on an e-commerce provider, social media platform, or online gaming service for an extended period, their data must be deleted within 48 hours, with notice provided before the deletion process begins.