Privacy Week Series: Status of children's data under the Indian Privacy Regime
(Vikram Jeet Singh, Kalindhi Bhatia & Prashant Daga)
On the 4th day of Privacy Week, we examine the status of children's data under the Indian privacy regime. Ensuring a child's privacy is the joint responsibility of their parents/guardians and stakeholders handling their data. As of now, Indian privacy law requirements for children's data are straightforward, i.e., the law requires data controllers to, inter alia, obtain the consent of the data subject prior to collection; personal data of minors is not separately regulated. However, certain other Indian laws have a knock-on effect on data collection practices. Indian contract laws do not recognize minors, i.e., persons under the age of 18, as competent persons to contract with. Therefore, obtaining a child's consent has no legal validity, thereby making it necessary to obtain the consent of a parent/guardian to collect a child's data. Consequently, entities implement varying mechanisms to obtain parent/guardian consent.
Under the draft Digital Personal Data Protection Bill, 2022 ("2022 Bill"), anyone below the age of eighteen is classified as a "child". Correspondingly, data fiduciaries are required to obtain verifiable parental consent before processing their personal data. The 2022 Bill also restricts any tracking or behavioral monitoring of children or targeted advertising towards children. In contrast, the age of classification across global privacy laws ranges between 13 and 17. However, given the sensitivity of children's personal data and the potential damage, the Indian government has taken the conservative route. While the intent is appreciated, one cannot deny that digital platforms have seeped into a child's daily activities, spanning from entertainment to education. It is unlikely that screen time will be eliminated from a child's life going forward, and neither would it be prudent to deny them easy access to information. Given that individuals aged below eighteen years access Internet platforms and use their personal data to avail services such as academic content, edu-tech facilities, pursuing hobbies etc., resorting to the age-gating of eighteen may not be practical. Expecting young adults to halt their activities and coordinate with their parents/guardians for consent each time they shuffle through platforms is an undue barrier. Comments submitted to the draft law by stakeholders have cited varying age classifications under global privacy laws to advocate for lowering the age-gate and alternatively developing differential consent requirements depending on the user’s age. Platforms contend that a threshold of eighteen years to accord consent will not tie in with the unbridled use of the internet. On that note, another element which needs clarity is what qualifies as verifiable parental consent. Presently, each platform obtains parental consent using different methods (i.e., via “express consent” or a mere representation in their user terms).
Following in the footsteps of other regulators, the Data Protection Board of India (to be set up under the 2022 Bill) may issue a guiding document which indicates what is considered valid parental consent. Nonetheless, businesses that operate online platforms cannot afford any lapses in the handling of children's data and will have to review their existing system to weed out any potential flaws.