In Short:
The upcoming rules under the Digital Personal Data Protection (DPDP) Act will set broad guidelines for companies on managing consent rather than detailed, specific requirements. They will require government-issued ID for age and consent verification, while allowing firms to create their own systems. The rules are designed so that smaller organizations that handle children’s data, like schools, can comply without needing extensive infrastructure. While schools may have some exemptions for parental consent, ed-tech firms don’t get the same leniency. Users under 18 must obtain verifiable parental consent to access social media and other online services, and targeted advertising toward these users is prohibited.
New Guidelines Under the Digital Personal Data Protection Act
Exciting changes are on the horizon for how companies manage consent under the **Digital Personal Data Protection (DPDP) Act**. According to sources familiar with the developments, the upcoming executive rules are set to offer a broader framework rather than issuing strict, detailed regulations. This means companies will have more flexibility in navigating compliance.
Focus on Age and Consent Verification
In a significant move, the rules will propose the use of government-issued identity cards for age and consent verification. However, companies will still have the opportunity to create their own age-verification systems in-house. One insider, who chose to remain anonymous, commented: “There will be broad prescriptions on the norms that institutions must follow while adhering to parental consent guidelines, including the types of identity cards that are acceptable.”
Supporting Smaller Entities
This approach is vital to ensure that smaller organizations, such as schools and universities, can comply without facing disruption. The insider added, “The rules will need to be followed even by smaller organisations like schools and, in some cases, universities which handle significant amounts of children’s data. These institutions may not always have the resources to invest heavily in complex consent management infrastructures.”
Exemptions for Educational Institutions
While the rules may offer certain leniencies to schools and higher education institutions regarding processing and securing parental consent for children’s data, **ed-tech companies** are unlikely to benefit from these exemptions. Another source shared that the provisions of the DPDP Act, 2023, classify all users under 18 as children, necessitating verifiable parental consent for social media usage and various online services.
Stakeholder Engagement
Back in July, the **Ministry of Electronics and Information Technology** held discussions with stakeholders, including social media platforms and internet companies, on how best to implement verifiable parental consent. During these meetings, many companies expressed uncertainty about tracking children’s activities for advertising purposes. It’s important to note that Section 9 of the DPDP Act prohibits the behavioral tracking of children on digital platforms and explicitly forbids targeted advertising for users under 18.