## Full Text

The draft Digital Personal Data Protection Rules, 2025 has led to confusion about whether or not all users will have to verify their age and identity to access online services. Under the Digital Personal Data Protection Act, 2023 (which the rules seek to operationalise), online platforms have to obtain verifiable parental consent before processing the data of anyone under 18 years of age.

The rules [then elaborate](https://www.medianama.com/2025/01/223-data-protection-rules-2025-children-data-india/) that platforms have to verify the age and identity of anyone claiming to be a parent and giving consent on behalf of a child. While the rules specify what platforms can do when an under-18 user declares themself as a child and when a parent comes forward, they don’t take note of situations where a child inputs the wrong information and claims to be an adult.

In such cases, platforms will have to verify everyone’s age, some, like MediaNama’s editor Nikhil Pahwa, argue. Bagmishika Puhan, Managing Partner at Puhan and Puhan LLP, also told MediaNama that her clients within the social media intermediary space believe that they will now have to ask everyone to verify their age. On the other hand, some, like Aparajita Bharti, the co-founder of Quantum Hub Consulting, [believe](https://x.com/BhartiAparajita/status/1875499224034316699) that the way the rules read right now, companies could use self-declaration measures as a means to determine whether the person signing up is a child or not. “The illustrations 1 & 2 seem to suggest if the user indicates they are a child then the platform has to take steps to gather verifiable parental consent,” she [explained](https://x.com/BhartiAparajita/status/1875418009256522175) in a post on X (formerly Twitter).

Similarly, the founder of social media impact consulting Space2Grow, also told MediaNama that the DPDP Rules “do not explicitly require mandatory age verification unless the user’s data triggers any sign of them being a child”.

### **How consent provisions could cause user drop-offs:**

When a parent comes forward to give consent on behalf of a child, the platform has to verify their age and identity as well. The rules provide two ways in which platforms can approach this verification:

- In case a parent is already registered with the platform, the platform can just rely on the age and identity that the parent has specified there to verify them.
- In case a parent is not a user of the platform, the platform can verify the parent’s age and identity through a legally authorised entity or government body. They can also rely on a virtual token “mapped” to the identity and age details of the parent voluntarily provided by them.

Bharti expressed concern that getting synchronous consent (consent right before a child uses the platform) will be operationally difficult. She explained that it would lead to “huge drop-offs (especially among low-income/rural households) and increased costs of compliance.” Talking about the synchronicity of consent, she said that there could be circumstances where the parent isn’t available to give consent when the child needs to access a specific online service.

During a [spaces discussion](https://x.com/Amar4Odisha/status/1875841181818535947) on X, Bharti explained that her organisation Young Leaders for Active Citizenship (YLAC) works with rural communities where there is a lot of shared device usage. “Children \[in these communities\] are way more sophisticated users of technology than their parents. Parents on the other hand ask children for help to navigate the tech world,” she explained. She said that while children do need to be safe online, cutting their access to the internet off is a bigger harm to them.


### **The grey area for establishing parent-child relationships:**

One of the age verification scenarios under the rules is where a person comes forward identifying themself as a child’s parent. The platform then verifies the age and identity of the parent. The rules do not specify how platforms have to go about verifying this parent and child relationship.

“The ‘due diligence’ methods expected of data fiduciaries to establish relationship with the minor is a grey area – in effect indicating that people have to surrender more data about themselves, their relationships, and online behaviour to either platforms or the government,” Nidhi Sudhan, co-founder of Citizen Digital Foundation told MediaNama.

According to her, the rules appear to favour the interests of businesses and the Government more than the people whose data it was meant to protect.

==To establish parent-child relationships, social media intermediaries will have to rely on very specific identity cards: AADHAAR Cards or Passports or birth certificates, Puhan explained. “Through this, you are defeating all the basic principles and tenets of everything that’s to do with privacy. The entire concept of privacy is to have data minimization and purpose limitation,” she explained.==

### **Other key comments about the rules:**

#### **Companies need more guidance about how to implement tokenisation:**

Puhan mentioned that currently the only sector that predominantly uses tokenisation is fintech. “They’re the ones that process the largest volumes of data because they have heavy KYC requirements. Tokenization comes as second nature to them,” she said. However, other sectors, like social media companies, she said, need guidance on how they should implement tokenisation.

#### **Missing out room for positive behavioral monitoring of children:**

Besides parental consent, the act also restricts platforms from carrying out tracking/behavioral monitoring of children.
It says that the government can exempt certain platforms from these restrictions as well as verification restrictions provided that they process a child’s data in a verifiably safe manner.

While the rules list a range of different services that the government allows to carry out behavioral monitoring/exempts from verifiable consent, Sidharth Deb from Quantum Hub Consulting mentioned that they “seem to miss out on an opportunity to incentivise positive/beneficial processing activities that can preserve meaningful internet experiences for under 18 users.” He adds that the rules could have initiated a discussion around what standards companies must meet to qualify as verifiably safe so that the Government allows them to curate digital products for under 18 users.

#### **Lack of inclusion of vicarious consent:**

The Data Protection Act says that companies can only process the personal data of an Indian citizen for purposes to which the citizen has specifically consented or for legitimate uses as specified under the act such as court orders, medical emergencies, epidemics, employment and so on. Bharti says that certain situations, like sending gifts to friends or family, or fraud prevention, require vicarious consent.

#### **How data localisation leaves room for lobbying:**

Under the DPDP Rules, companies that want to transfer people’s personal data must [abide by certain requirements](https://www.medianama.com/2025/01/223-dpdp-rules-2025-conflict-us-surveillance-laws/) that the Government can make through general or special orders, especially in those cases where the company wants to transfer the data to a foreign government or a company controlled by a foreign company. Further, in the case of companies being notified as significant data fiduciaries, the Government can ask them to not transfer certain kinds of personal data out of the country. The Central Government will formulate a committee which will give recommendations about what these kinds of data would be.

Further, in recent interviews, IT Minister Ashwini Vaishnaw has elaborated that this committee will carry out stakeholder consultations before implementing any specific regulations. Speaking about the cross-border data regulations on X, Bharti said that the localisation committee “can lead to some overzealous efforts to localise data later because there will be domestic lobbies who will have it in their interests that all data should be localised.” She gave the example of those setting up data centers in India as people who may favour localisation.

#### **Lack of clarity on localisation can cause non-compliance:**

Bharti mentioned that businesses might face challenges when trying to operationalise data localisation. On a similar note, Monica Jasuja, the Ambassador for the Emerging Payments Association of Asia, [said](https://x.com/Amar4Odisha/status/1875841181818535947) that since there is a lack of clarity around data localisation requirements, there could be concerns about ensuring compliance with existing cross-border initiatives.

“We have trade agreements and there are cross-border payment initiatives that are ongoing, the privacy law which has now been implemented as well the erasure of data which has now been made a requirement, have we considered the impact on physical and digital trade because both require data to be shared? Now I know there is a provision about jurisdictions but when there is no clarity the existing initiatives will not be compliant,” she pointed out.

#### **How do you pre-emptively inform users about data usage?**

The Data Protection Act [requires](https://www.medianama.com/2023/08/223-summary-india-digital-personal-data-protection-bill-2023/) a company to inform users of the purpose for which it is processing their data.
During a [spaces discussion](https://x.com/Amar4Odisha/status/1875841181818535947) last week, former Rajya Sabha member Dr Amar Patnaik mentioned that, given the way companies use personal data to create innovative products, they probably never know what ultimate product they will generate from the data. “So how do you tell the purpose right up front?” he questioned.

On a similar note, Puhan emphasised that there are issues with the requirement for platforms to provide an itemised description of the goods and services they will provide via the personal data they process under the rules. She told MediaNama that unless the government clarifies what companies should include in this ‘itemised description’ “notices will have to be constantly modified with every new business activity/ good/ service being added, or an older one being discontinued/removed”.

#### **Enforcement of data breach reporting:**

The act specifies that companies must report incidents of data breaches to the Data Protection Board as well as the people affected by the data breach. Speaking about data breach reporting in the context of financial institutions, Jasuja said that even in the financial ecosystem data breach reporting is low. “The compliance with data breaches and notifications being made \[to the people and the board\] is going to be very difficult to implement. The penalties are there but the enforcement of the penalties and the board will require a huge amount of administrative and execution machinery,” she said.

An important aspect of the data breach reporting requirements, according to Puhan, is that the requirement to send intimation to the users takes precedence over intimation to the Board.
“The operative part here is that companies have to report breaches ‘without any delay’ upon becoming aware of the breach,” she said, adding that the government will have to discuss the process of implementing this further with companies since in cases where internal teams tackling the breach are in process of implementing risk mitigation measures, there will be some time lapse between becoming aware and issuing intimations to the users. ^d4d2c4

Further, the rules require companies to give the data protection board a description of the breach along with details such as the risk mitigation measures that the company has implemented so far within 72 hours of the breach. “Enabling businesses to be able to focus on addressing the issue at hand first, while also working with the Board as soon as practical/feasible, may be a more viable option,” Puhan said, suggesting that the government should potentially reconsider the 72-hour window.

#### **Codify security requirements for data processors within the rules:**

The rules [require](http://medianama.com/2025/01/223-dpdp-rules-2025-encryption-logs-timely-reporting-data-breaches/) companies to ensure that the contracts they have with data processors (those who process data on their behalf) include a requirement that the processors will implement ‘reasonable security standards’ during their processing activities. Puhan suggested that the government should consider adding a breach notification obligation on data processors to ensure that they immediately tell the companies they are working with about a breach. “This mandate should be codified within the Rules, regardless of contractual safeguards put forth by the Data Fiduciary,” she argued.

*Note: We will continue to update this story as we get more stakeholder perspectives.
If you want to share your thoughts about a specific aspect of the rules please email [email protected] or [email protected].*

*Note: The story was updated on January 8 at 12:44 PM to include more perspectives about the rules.*

**Also read:**

- [How the Draft Data Protection Rules 2025 Will Change Children’s Data Processing in India](https://www.medianama.com/2025/01/223-data-protection-rules-2025-children-data-india/)
- [DPDP Rules 2025 Mandate Encryption, Logs, and Timely Reporting in Case of Data Breaches](https://www.medianama.com/2025/01/223-dpdp-rules-2025-encryption-logs-timely-reporting-data-breaches/)
- [Will The DPDP Rules Conflict With US Surveillance Law?](https://www.medianama.com/2025/01/223-dpdp-rules-2025-conflict-us-surveillance-laws/)

## Colophon

title:: Draft DPDP rules leave age verification, data localisation doubts
type:: [[full-text]]
url:: https://www.medianama.com/2025/01/223-draft-dpdp-rules-2025-leave-doubts-age-verification-data-localisation/
date:: [[2025-01-08]]
published:: 2025-01-07T11:03:52+00:00