Parental Consent Necessary For Online Platforms To Use Child's Data As Centre Notifies DPDP Rules 2025

The Ministry of Electronics and Information Technology on Thursday (November 13) notified the Digital Personal Data Protection Rules 2025, framed under the Digital Personal Data Protection Act 2023, a significant step towards protection of data privacy.Centre had held public consultation on the draft DPDP Rules in January this year.The rules prescribe that Data Fiduciaries shall adopt appropriate technical and organisational measures to ensure that consent of the parent is obtained before the processing of any personal data of a child. A Data Fiduciary, as per the Act, means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.Significant to note that the Rules obligate a Data Fiduciary to obtain "verifiable consent" of the parent. The following Illustrations, as contained in the Rules, are beneficial for better clarity:Suppose C is a child, P is a parent, and DF is a Data Fiduciary and user account of C is sought to be created on the online platform of DF, by processing the personal data of C. Case 1: C informs DF that she is a child and declares P as her parent. DF shall enable P to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she is a registered user on DF's platform and has previously made available her identity and age details to DF. Before processing C's personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P and that P is an identifiable adult. Case 2: C informs DF that she is a child and declares P as her parent. DF shall enable P to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she herself is not a registered user on DF's platform. Before processing C's personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the identity and age, check that P is an identifiable adult. P may voluntarily make such details available using the services of a Digital Locker service provider. Case 3: P is opening an account for C and identifies herself as C's parent and informs DF that she is a registered user on DF's platform and has previously made available her identity and age details to DF. Before processing C's personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P and that P is an identifiable adult. Case 4: P is opening an account for C and identifies herself as C's parent and informs DF that she herself is not a registered user on DF's platform. Before processing C's personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the identity and age, check that P is an identifiable adult. P may voluntarily make such details available using the services of a Digital Locker service provider.Further RulesSignificant Data Fiduciaries are now responsible to undertake annual Data Protection Impact Assessment and an audit to ensure effective observance of the provisions of this Act and the rules made thereunder.A Significant Data Fiduciary, as per the Act, means any Data Fiduciary as may be notified by the Central Government based on the volume and sensitivity of personal data processed, risk to the rights of Data Principal, etc.A Data Principal is the person to whom the personal data relates.The Rules prescribe that in case of any personal data breach, the Data Fiduciary shall immediately intimate the affected persons as well as the Data Protection Board of India, details of the breach, including its extent, the timing of its occurrence, potential consequences, safety measures that one should take, etc.The Data Protection Board of India, as per the Rules, shall be constituted by a Search-cum-Selection Committee, with the Cabinet Secretary as the chairperson.The Board shall function as a digital office and all questions which come up before any meeting of the Board shall be decided by a majority of the votes of Members present and voting.Transfer of personal data outside the territory of IndiaThe Rules prescribe that any personal data processed by a Data Fiduciary under the Act may be transferred outside the territory of India subject to restrictions that the Central Government may impose.Read Gazette Notification HereRead Notification- Enforcement Timeline for the DPDP ActRead Notification- Establishment of the Data Protection Board of IndiaNotification- Decision Regarding Number of Members in the Data Protection Board of India

Parental Consent Necessary For Online Platforms To Use Child's Data As Centre Notifies DPDP Rules 2025

LIVELAW NEWS NETWORK

Tags