MeitY May Not Prescribe Tech Measure for Parental Consent Under Data Protection Rules
With the government not prescribing a specific technical measure for the consent framework, India would follow global regulations where a particular technology is not specified for gathering the consent of a child’s parents or guardians.
As per the data protection Act, some entities can be exempted from obtaining verifiable parental consent and age gating requirements, including healthcare and educational institutions.
The IT Ministry may not prescribe a specific technological measure for tech companies to verifiably gather the consent of a child’s parents and is likely to leave it to the discretion of the companies on how they want to seek such consent under the upcoming data protection rules.
In a meeting with tech companies including Meta and Google, the ministry indicated its preference to avoid prescribing a set technology to prevent potential disruptions in the industry, according to a senior government official who requested anonymity.
Last year, as part of its internal deliberations on the data protection rules, the ministry considered two methods to establish the relationship between children and their parents: using parents’ DigiLocker app or creating an electronic token system authorized by the government. However, the ministry has dropped these ideas as they may not be feasible at scale.
The delay in releasing the data protection rules is primarily due to the lack of a conclusive decision on verifying parental consent. Without these rules, the Digital Personal Data Protection Act 2023 cannot be fully operationalized.
The Act requires tech companies to develop a consent framework to verify a child’s age and gather their parents’ consent before they can use an online service. This has been a significant challenge for the industry since the Act does not provide specific methods for age-gating.
During the meeting, tech companies also requested concessions on provisions that prohibit behavioural tracking of children and showing them targeted advertisements.
Globally, privacy legislations have typically not prescribed specific technologies for gathering verifiable parental consent, instead leaving it up to data collectors. For example, the United States’ Children’s Online Privacy Protection Act (COPPA) and the European Union’s General Data Protection Regulation (GDPR) both focus on ensuring reasonable efforts using available technology without specifying exact methods.
Source: MeitY may not prescribe tech measure for parental consent under data protection rules.