The Digital Personal Data Protection Act (PDPA) 2024 plays a significant role in safeguarding individuals’ personal information in India. This act sets out clear guidelines on how personal data should be processed while emphasizing the rights of individuals to protect their information. A critical aspect of the PDPA is its provisions for children and individuals with disabilities. This article explores how the PDPA approaches child data protection, analyzing its key provisions and potential areas for improvement.
PDPA and Its Perspective on Children’s Data Protection
Under the PDPA, individuals under the age of 18 are legally considered children. This classification differs from other international laws such as the General Data Protection Regulation (GDPR) in the European Union, which defines children as those below 16 years, and in some cases, even 13 years.
Section 9: Regulations on Child Data Processing
Section 9 of the PDPA explicitly regulates the processing of children’s personal data. According to this provision, any entity handling a child’s personal data must obtain verifiable parental consent (VPC) before processing such information. Additionally, the act prohibits any processing of children’s data that could potentially harm them.
For instance, organizations are barred from tracking, monitoring, or profiling children’s behavior, particularly for advertising purposes. This means that businesses and digital platforms cannot target children with advertisements that may influence their decision-making or exploit their vulnerability.
Analysis of Verifiable Parental Consent (VPC)
The PDPA mandates parental consent before processing a child’s data, but it does not define how this consent should be obtained. In contrast, other regulations, such as the United States’ Children’s Online Privacy Protection Act (COPPA), provide clear guidelines on securing parental consent.
Methods for Verifiable Parental Consent (VPC)
In the U.S., the Federal Trade Commission (FTC) has established multiple methods for obtaining verifiable parental consent, including:
- Physical consent forms that parents mail to the organization.
- Email-based consent verification.
- Toll-free phone numbers for parental authorization.
- Video calls for direct parental consent.
- Knowledge-based authentication through Q&A.
- Verification using government-issued identification.
- Facial recognition for parental verification.
Although these methods ensure strict parental oversight, they have been criticized for being cumbersome, time-consuming, and expensive. While some parents appreciate the added security, others believe these steps create unnecessary hurdles.
Platform-Mediated Verifiable Parental Consent
One potential alternative is a platform-mediated VPC system. This method involves a dedicated platform that systematically verifies parental consent and flags underage users across multiple digital services. This would simplify the process while maintaining data protection standards.
The Indian government needs to develop a practical and efficient mechanism for parental consent. Additionally, authorities should consider the diverse maturity levels within the 0-18 age group. For example, a five-year-old child’s data privacy needs vastly differ from those of a 16-year-old. Social media platforms should also be required to implement stringent VPC measures to prevent children below the age of 10 from creating accounts without parental supervision.
Restrictions on Processing Children’s Data
The PDPA criminalizes the misuse of children’s data if it results in a detrimental effect on their well-being. Organizations are strictly prohibited from tracking, monitoring, or analyzing children’s data in ways that may harm them.
Understanding the “Detrimental Effect”
The act, however, does not clearly define what constitutes a detrimental effect on children. In contrast, U.S. laws provide specific definitions regarding how certain digital activities can negatively impact minors. Without a detailed explanation in the PDPA, there is room for misinterpretation.
For example, some argue that social media inherently affects children’s mental health, while others believe that only specific online activities should be considered harmful. Additionally, most social media platforms require users to be at least 13 years old before creating an account. However, with PDPA defining childhood as under 18 years, the regulation raises concerns about how platforms should handle accounts of teenagers aged between 13 and 18.
Online Tracking and Behavioral Monitoring
Several online platforms and applications, including educational tools, track children’s behavior for various purposes, such as personalized learning. While these tools may seem beneficial, constant surveillance could negatively impact a child’s mental well-being.
Another major concern is the advertising industry. Many online games and applications target children with ads that entice them to make purchases without fully understanding the consequences. This raises ethical concerns about exploiting children’s lack of financial literacy and decision-making capabilities.
Need for Further Clarification in PDPA
While the PDPA is a step in the right direction, there are still several areas that require further clarification and enhancement, such as:
- Clearer Definition of Detrimental Effect – The law should specify what constitutes a harmful impact on a child’s physical, emotional, and mental well-being.
- Stronger Verification Mechanisms for VPC – The government must develop a standardized system to ensure parental consent is both practical and secure.
- Age-Specific Data Processing Guidelines – A five-year-old child’s privacy concerns differ from those of a 17-year-old; regulations should reflect these differences.
- Better Regulation of Social Media and Online Advertising – Platforms must be held accountable for preventing unauthorized tracking of minors.
