Under India’s Digital Personal Data Protection Act of 2023 (DPDP), social media platforms will have to obtain verifiable parental consent before children can use them. The Act, passed in August 2023, defines anyone under the age of 18 as a child. The government released the highly anticipated draft rules for the Act on Friday and invited stakeholder comments until February 18. These executive rules propose categorizing data fiduciaries into three primary groups: e-commerce companies, gaming intermediaries, and social media firms.
A notable feature of the draft rules is the mandate for data fiduciaries to delete personal data of inactive users after three years. In the event of a data breach, the rules require data fiduciaries to notify the Data Protection Board within 72 hours of discovering the breach. This provision aims to ensure a swift and transparent response to incidents that compromise user data.
Aparajita Bharti, founding partner at The Quantum Hub Consulting, noted that the release of the DPDP rules provides the industry with much-needed direction on implementation. However, she expressed concern about the potential introduction of data localization requirements for significant data fiduciaries, as the rules suggest that a committee might address this matter in the future.
Ikigai Law partner Nehaa Chaudhari highlighted the flexibility of the verifiable parental consent requirement, emphasizing that the rules provide a real-world approach rather than being overly prescriptive. Data fiduciaries have the autonomy to decide how to obtain parental consent, allowing them to tailor processes to their specific platforms and user base.
Additionally, the draft rules stipulate that data fiduciaries must inform users promptly in the event of a data breach. The notification must be clear and concise, detailing the breach’s nature, extent, timing, and location, as well as its potential impact on the user. It should also outline the risk mitigation measures being taken and provide contact information for user queries.
Organizations affected by data breaches must also submit a report to the Data Protection Board, including the breach’s nature, the responsible parties, remedial actions, and details about user notifications. Moreover, significant data fiduciaries, which process sensitive data, are required to conduct annual data protection impact assessments and audits. The findings must be reported to both the Data Protection Board and the IT ministry.
Under the draft rules, the Ministry of Electronics and Information Technology requires all data fiduciaries to implement appropriate technical and organizational measures to ensure that parental consent is obtained before processing personal data of children.