MeitY New age guidelines for minor verification

MeitY Calls For New Age Verification Methods For Children Online

India’s Digital Personal Data Protection (DPDP) Act has posed a significant challenge for tech companies, especially concerning the age verification of users under 18 and obtaining parental consent. The Ministry of Electronics and Information Technology (MeitY) has been engaging with industry stakeholders to find viable solutions, yet a universally accepted method remains elusive.

The act mandates that organisations implement robust data protection measures, including obtaining explicit consent from individuals before collecting their data, and provides individuals with greater control over their personal information. One of the critical aspects of the DPDP Act is its focus on protecting the privacy of vulnerable groups, particularly children, who are more susceptible to online risks.

Significance Of Children’s Data Privacy

Children’s data privacy has become a pressing concern in the digital age, where young users are increasingly exposed to online platforms. Protecting the personal information of children is crucial, as they are often unaware of the potential risks and implications of sharing their data online. The DPDP Act recognises this vulnerability and places significant emphasis on ensuring that children’s data is handled with the highest level of security and care.

The importance of children’s data privacy is underscored by the growing number of cyber threats targeting young users. According to a report by the Mobile Association of India (IAMAI), approximately 71 million children aged 5-11 years in India use the Internet on family members’ devices. This group makes up about 14 per cent of the country’s active Internet user base, which exceeds 500 million, making them potential targets for cybercriminals. Ensuring that their data is protected is not only a legal obligation but also a moral imperative.

Government’s Stance On Age Verification

On July 18, MeitY communicated to major social media platforms that the government would not prescribe a specific method for verifying the age of children and obtaining parental consent. This decision came after methods like Aadhaar and DigiLocker were considered and found unfeasible. Instead, platforms are encouraged to devise their own tech-enabled solutions that comply with the DPDP Act’s requirements.

During the meeting chaired by MeitY secretary S. Krishnan, with attendance from top tech companies like Meta, Google, Sharechat, and Snap, the government emphasized flexibility. They suggested that platforms should implement “appropriate technical and organizational measures” as per Section 8(4) of the DPDP Act to ensure compliance.

The tech industry has acknowledged the necessity of age verification but raised concerns about practical implementation and user safety. Senior Government officials highlighted the limitations of current methods in verifying the identity of minors using:

  • Aadhaar Authentication: During Aadhaar Authentication, issues arise in establishing the relationship between a child and the parent, especially with outdated data.
  • DigiLocker and One-Time Electronic Tokens: Methods like DigiLocker verification struggle to keep pace with rapid technological changes and are not robust enough for consistent social media verification.

The industry has proposed a more streamlined solution involving app-store-level verification. This method would require users to verify their age once at the app store level, simplifying the process for both platforms and users. This approach could provide a more uniform and manageable solution, reducing the burden on parents and ensuring compliance across various apps.

A significant discussion point during the meetings was the restriction on behavioural tracking and targeted advertising for children. While these restrictions aim to protect minors, platforms argue that such tracking is essential for ensuring online safety and providing beneficial personalisation.

Without the ability to monitor user behaviour, platforms might struggle to prevent children from engaging with inappropriate content or interacting with potential threats. This could lead to a compromise in user safety, a concern echoed by industry executives.

While no definitive solution has been reached, the government has invited tech companies to submit their proposals. The aim is to develop a feasible solution, protect user privacy, and ensure the safety of minors online.

In the long term, implementing these checks at the app store and device levels, rather than at the individual app level, seems to be a promising direction. This would facilitate a more consistent application of the age verification process across various platforms and reduce redundancies.

Conclusion

The challenge of verifying the age of children under the DPDP Act highlights the complexities of balancing regulatory compliance, user privacy, and safety. The collaborative approach between the government and the tech industry is crucial in finding a viable solution. As discussions continue, the goal remains to develop a method that is both effective and practical, ensuring the safety and privacy of minors in the digital space.

DPDP Act

Digital Personal Data Protection (DPDP) Act: Key Highlights

The Digital Personal Data Protection (DPDP) Act 2023 represents a significant advancement in India’s approach to data privacy and protection. With the rapid digitalisation of various sectors, there has been an exponential increase in the collection, processing, and storage of personal data. This surge has brought about critical concerns regarding data breaches, misuse of personal information, and the necessity for stringent data protection measures.

The need for such legislation became evident with high-profile data breaches and incidents of personal data misuse, which eroded public trust in digital services. The Justice Srikrishna Committee, established in 2018, played a pivotal role in highlighting these issues and recommending a comprehensive data protection framework. Their recommendations underscored the importance of protecting personal data while fostering innovation and economic growth.

Objectives Of The DPDP Act

The DPDP Act is designed to achieve several key objectives:

  • Safeguarding Personal Data: The Act aims to protect the privacy of individuals by setting clear guidelines for the collection, processing, and storage of personal data. This includes ensuring that personal data is handled with the highest standards of security to prevent unauthorised access and breaches.
  • Establish Lawful Processing Framework: It provides a legal framework for the lawful processing of personal data, outlining the conditions under which data can be collected and processed. This includes obtaining explicit consent from data principals and ensuring that data is processed transparently and fairly.
  • Empower Data Principals: One of the central tenets of the Act is to empower individuals with rights concerning their data. These rights include the ability to access, correct, and delete their data, as well as to object to and restrict processing.
  • Ensure Accountability: The Act imposes stringent obligations on data fiduciaries to ensure accountability in handling personal data. This includes implementing robust data protection measures, conducting data protection impact assessments, and appointing data protection officers.
  • Facilitate Cross-Border Data Transfers: Recognising the global nature of data flows, the Act sets out conditions for cross-border data transfers. It aims to ensure that personal data transferred outside India receives adequate protection.

Some Key Terms & Definitions In The DPDP Act

Understanding the DPDP Act requires familiarity with several key terms that define the roles and responsibilities within the data protection framework:

  • Data Principal: The individual whose personal data is being collected and processed. This term is crucial as it underscores the individual’s ownership and control over their data.
  • Data Fiduciary: An entity or individual who determines the purpose and means of processing personal data. Data fiduciaries bear the primary responsibility for ensuring that data processing activities comply with the Act.
  • Data Processor: Any entity that processes personal data on behalf of a data fiduciary. Data processors must adhere to the data protection standards set by the data fiduciary and the Act.
  • Personal Data: Any data that relates to an identified or identifiable individual. This broad definition encompasses a wide range of information, from names and contact details to online identifiers and biometric data.
  • Processing: Refers to any operation performed on personal data, whether automated or manual. This includes collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, aligning, combining, restricting, erasing, or destroying personal data.

| Term | Definition |
| --- | --- |
| Data Principal | Individual to whom the personal data belongs |
| Data Fiduciary | Entity determining the purpose and means of processing personal data |
| Data Processor | Entity processing data on behalf of the data fiduciary |
| Personal Data | Data relating to an identifiable individual |
| Processing | Any operation performed on personal data, including collection, use, etc. |

Scope And Applicability Of The DPDP Act

Territorial Jurisdiction

The DPDP Act has a wide-reaching territorial scope. It applies to:

  • Processing of Personal Data within India: Any personal data collected, stored, or processed within the Indian territory falls under the purview of the Act. This includes data processed by entities incorporated in India and those offering goods or services within India.
  • Processing of Personal Data Outside India: The Act also extends its jurisdiction to entities located outside India if they process personal data in connection with any business carried out within India, offer goods or services to individuals in India, or profile data principals within India. This extraterritorial application ensures that foreign entities handling Indian data are subject to the same stringent protections.

Applicability To Data Fiduciaries And Data Processors

The DPDP Act differentiates between two primary categories of entities involved in data processing:

  • Data Fiduciaries: These are entities or individuals that determine the purpose and means of processing personal data. They hold the principal responsibility for ensuring compliance with the Act. This includes companies, government bodies, and NGOs that collect and decide how to use personal data.
  • Data Processors: Entities that process data on behalf of data fiduciaries are considered data processors. While their role is more limited, they must still adhere to the standards and instructions provided by data fiduciaries and ensure data protection measures are in place.

Exemptions And Special Cases In The DPDP Act

While the DPDP Act aims to cover a broad spectrum of data processing activities, it provides certain exemptions to balance operational efficiency with privacy concerns:

  • National Security and Defence: Data processing for national security and defence purposes is exempt from the provisions of the Act. This ensures that national security operations are not hindered by privacy regulations.
  • Public Interest and Research: Processing of personal data for research, statistical analysis, or archiving in the public interest may be exempt from certain requirements, provided adequate safeguards are implemented.
  • Personal and Household Activities: Data processed for personal or household activities, such as maintaining personal contacts or social media usage, is exempt from the Act’s requirements.

Principles Of Data Protection In The DPDP Act

  1. Purpose Limitation

    The DPDP Act mandates that personal data should be collected only for specific, clear, and lawful purposes. Data fiduciaries must ensure that the data collected is not used for purposes beyond what is initially stated unless the data principal consents to such additional uses.
  2. Data Minimisation

    Data minimisation is a core principle, requiring that only the data necessary for the intended purpose should be collected and processed. This minimises the risk of data breaches and reduces the burden on data fiduciaries to protect unnecessary data.
  3. Accuracy and Quality of Data

    Data fiduciaries are obligated to ensure that the personal data they collect is accurate, complete, and up-to-date. This includes verifying data at the point of collection and taking steps to rectify any inaccuracies promptly.
  4. Storage Limitation

    The Act imposes strict guidelines on how long personal data can be retained. Data fiduciaries must retain data only for as long as necessary to fulfil the purposes for which it was collected. Once the data is no longer needed, it should be securely deleted.

Rights Of Data Principals In The DPDP Act

  1. Right to Information

    The DPDP Act empowers data principals with the right to be informed about the collection and use of their data. Data fiduciaries must provide clear and transparent information regarding the nature of the data collected, the purposes of processing, and the duration for which the data will be retained. This information should be easily accessible and understandable to ensure that data principals can make informed decisions.
    Example: If an e-commerce company collects data for order processing, it must inform customers about how their data will be used, the duration of data retention, and any third parties with whom the data will be shared.
  2. Right to Correction and Erasure

    Data principals have the right to request the correction of inaccurate or outdated personal data. Data fiduciaries are required to take reasonable steps to ensure that such data is corrected promptly. Additionally, data principals can request the erasure of their data if it is no longer necessary for the purposes for which it was collected, if they withdraw their consent, or if the data has been unlawfully processed.
    Example: A user of a social media platform can request to correct their profile information or delete their account and associated data if they decide to stop using the service.
  3. Right to Data Portability

    The DPDP Act introduces the right to data portability, allowing data principals to receive their data in a structured, commonly used, and machine-readable format. This right enables individuals to transfer their data from one data fiduciary to another without hindrance, facilitating greater control and flexibility over their personal information.
    Example: A person using a fitness app can request their health data in a portable format if they decide to switch to a different app or service provider.
  4. Right to Object and Restrict Processing

    Data principals have the right to object to the processing of their data in certain circumstances, such as for direct marketing purposes. They can also request the restriction of data processing if the accuracy of the data is contested, the processing is unlawful, or if they require the data for the establishment, exercise, or defence of legal claims.
    Example: An individual can object to their data being used for targeted advertisements or restrict processing if they believe their data is incorrect.

Duties Of Data Fiduciaries

Lawful And Fair Processing

Data fiduciaries are obligated to process personal data lawfully and fairly. This includes obtaining valid consent from data principals or ensuring that the processing is necessary for the performance of a contract, compliance with a legal obligation, or the protection of vital interests. The processing must be transparent and conducted in a manner that respects the rights and freedoms of data principals.

Example: A healthcare provider must obtain explicit consent from patients before collecting their medical records and ensure the data is used solely for providing healthcare services.

Transparency And Accountability

Transparency is a cornerstone of the DPDP Act. Data fiduciaries must provide clear and accessible information about their data processing activities, including the purposes, legal basis, and recipients of the personal data. Accountability mechanisms, such as maintaining records of processing activities and conducting regular audits, are essential to demonstrate compliance with the Act.

Example: Financial institutions must disclose how customer data is processed and ensure regular audits to maintain data protection standards.

Security Safeguards

The DPDP Act mandates that data fiduciaries implement appropriate technical and organisational measures to ensure the security of personal data. This includes protecting data against unauthorised access, loss, destruction, or damage. Data fiduciaries must regularly review and update their security practices to address evolving threats.

Example: Companies must employ encryption, access controls, and regular security audits to protect customer data from breaches.

Data Protection Impact Assessments

Before undertaking processing activities that pose a high risk to the rights and freedoms of data principals, data fiduciaries are required to conduct Data Protection Impact Assessments (DPIAs). These assessments help identify and mitigate potential risks associated with data processing activities. DPIAs are particularly crucial for new technologies or large-scale data processing operations.

Example: A technology company developing a new AI-based service must conduct a DPIA to identify and address potential data protection risks.

Grievance Redressal Mechanism In The DPDP Act

Data Principal’s Right To Redressal

The DPDP Act establishes a robust grievance redressal mechanism to address the concerns of data principals. Individuals have the right to file complaints if they believe their data rights have been violated or if they are dissatisfied with the way their data has been handled. Data fiduciaries are required to respond to grievances within a specified timeframe, ensuring that data principals have access to timely and effective redressal.

Role Of Data Protection Officers

Data fiduciaries must appoint Data Protection Officers (DPOs) who are responsible for overseeing data protection strategies and ensuring compliance with the DPDP Act. DPOs act as a point of contact for data principals, addressing their concerns and facilitating the resolution of grievances.

Establishment Of Grievance Redressal Portal

The Act mandates the creation of an online grievance redressal portal where data principals can lodge complaints and track the status of their grievances. This portal aims to streamline the complaint process and provide timely resolutions, enhancing the overall effectiveness of the grievance redressal mechanism.

Compliance And Penalties

Compliance Requirements For Organisations

Organisations must adhere to comprehensive compliance requirements outlined in the DPDP Act. This includes maintaining records of data processing activities, conducting regular data protection audits, and implementing appropriate data security measures. Organisations must also ensure that their employees are trained on data protection practices and aware of their responsibilities under the Act.

Penalties For Non-Compliance Of The DPDP Act

The DPDP Act imposes significant penalties for non-compliance to ensure that data fiduciaries adhere to the regulations. Penalties, all of which are monetary, vary based on the severity and nature of the violation. All sums realised by way of penalties under this Act shall be credited to the Consolidated Fund of India.

Roles Of The Data Protection Board

The Data Protection Board, established under the DPDP Act, is responsible for monitoring compliance, conducting investigations, and enforcing penalties for violations. The Board plays a crucial role in upholding the principles of data protection and ensuring that data fiduciaries comply with the Act.

Impact Of The DPDP Act On Businesses And Organisations

Changes Required In Data Management Practices

The DPDP Act mandates significant changes in data management practices for businesses and organisations. These changes aim to ensure that personal data is handled with the highest standards of security and transparency.

  • Data Collection and Processing: Organisations need to clearly define the purpose for which personal data is collected and ensure that it is processed only for that purpose. This requires revising data collection forms, obtaining explicit consent, and maintaining detailed records of data processing activities.
  • Data Security: Implementing robust security measures is crucial. This includes encryption of data, regular security audits, and employing advanced cybersecurity technologies to protect against breaches and unauthorised access.
  • Data Retention and Deletion: Organisations must establish clear data retention policies, ensuring that personal data is retained only as long as necessary for the intended purpose. Once the data is no longer needed, it must be securely deleted to prevent misuse.
  • Employee Training: Regular training programs for employees on data protection practices and compliance requirements are essential. Employees must be aware of their responsibilities and the implications of non-compliance.

Effect Of The DPDP Act On Different Sectors

Different sectors face unique challenges and implications under the DPDP Act due to the nature of the data they handle and the specific requirements of their operations.

  • Healthcare Sector: Healthcare providers deal with sensitive personal data, including medical records and health information. They must ensure the confidentiality and security of this data, implement strict access controls, and obtain explicit consent for data sharing.
    Example: Hospitals and clinics must implement robust electronic health record systems that comply with data protection standards, ensuring patient data is secure and accessible only to authorised personnel.
  • E-commerce Sector: E-commerce businesses collect a vast amount of personal data, including payment information, browsing history, and purchase behaviour. They must implement stringent data protection measures, secure payment gateways, and provide transparent information about data use to customers.
    Example: An online retailer must secure customer payment information through encryption and regularly update its privacy policy to reflect changes in data processing practices.
  • Banking and Financial Services: Financial institutions handle highly sensitive personal and financial data. They must ensure data integrity, implement advanced fraud detection systems, and comply with stringent data protection regulations.
    Example: Banks need to employ multifactor authentication for online banking services and conduct regular security audits to safeguard customer data.
  • Technology and IT Services: Tech companies and IT service providers often process large volumes of personal data. They must conduct data protection impact assessments, ensure compliance with cross-border data transfer regulations, and implement privacy by design in their products and services.
    Example: A tech startup developing a new app must conduct a data protection impact assessment to identify and mitigate risks associated with data processing.
  • Telecommunications: Telecom companies collect and process personal data for service provision and customer support. They must ensure data security, comply with regulatory requirements, and provide customers with transparency and control over their data.
    Example: A telecom operator must secure customer data, provide clear information about data use, and offer options for customers to manage their data preferences.

Conclusion

The Digital Personal Data Protection Act (DPDP) marks a significant advancement in India’s data privacy landscape. It empowers individuals with substantial rights over their data and places significant responsibilities on organisations. By aligning with global standards, the Act enhances trust in digital services and promotes responsible data use. Despite the challenges, businesses can leverage this opportunity to build stronger customer relationships. As the digital realm evolves, the DPDP Act will adapt, ensuring robust data protection and fostering a secure, transparent, and innovative digital environment in India.

FAQs on the DPDP Act

The Digital Personal Data Protection (DPDP) Act 2024 is India’s legislation designed to protect personal data and ensure privacy. It provides individuals with rights over their personal data, such as access, correction, and deletion. The Act imposes responsibilities on organisations for lawful data processing, transparency, and robust security measures. It also regulates cross-border data transfers and includes mechanisms for grievance redressal and enforcement.

The DPDP Act enforces compliance through financial penalties. Minor breaches can incur fines up to ₹10,000. More serious violations, like failing to secure data or neglecting breach notification, can result in much steeper fines reaching up to ₹250 Crore or 4% of global turnover, whichever is higher. There are no criminal penalties under the DPDP Act.

The Digital Personal Data Protection (DPDP) Act in India, introduced in 2019, underwent extensive review and revisions before being enacted in July 2023. Implementation and compliance measures started in 2024, with ongoing updates expected.

Grievance redressal under the DPDP Act involves mechanisms for individuals to raise complaints about data breaches or violations of their data rights. Organisations must appoint a Data Protection Officer to handle complaints, and unresolved issues can be escalated to the Data Protection Board for resolution.

DPDP focuses on digital personal data, while GDPR covers all personal data. GDPR also has stricter consent requirements, demanding clear and specific user authorization. Data transfer regulations are still under development in DPDP, whereas GDPR has stricter rules. Finally, both have penalties for non-compliance, but DPDP’s maximum fine might be lower than GDPR’s.

Compliance with the DPDP Act involves implementing security safeguards, conducting Data Protection Impact Assessments, reporting data breaches, appointing a Data Protection Officer, and responding to data principal requests for access, correction, or deletion of their personal data.

The right to erasure under the DPDP Act allows individuals to request the deletion of their personal data if it is no longer necessary for the purpose it was collected, they withdraw their consent, or the data is being processed unlawfully. Organisations must comply with valid erasure requests, ensuring the data is permanently deleted or anonymised.

The right to nominate under the DPDP Act allows individuals to appoint a nominee to exercise their data protection rights in the event of death or incapacitation. This ensures continuity in the management and protection of personal data according to the individual’s wishes.

The full form of DPDP Act is the Digital Personal Data Protection Act.

A consent manager under the DPDP Act is an entity registered with the Data Protection Board that facilitates individuals in providing, managing, and withdrawing consent for the processing of their personal data across various data fiduciaries. They ensure that consent is informed, specific, and can be easily managed by the data principal.
