The Digital Personal Data Protection (DPDP) Act 2023 is like a fortress safeguarding personal information. It puts pressure on companies to handle data more responsibly, especially the data of a child.
If companies fail to protect children’s data under the DPDP Act, they will face serious consequences, including fines of up to 250 crores. In addition, there could be a loss of reputation and consumer trust. This blog is the guide companies must follow to understand the provisions of the DPDP Act that protect children’s data and how they can comply with the regulations.
What is Children’s Data Under the DPDP Act?
Under the DPDP Act, children’s data is any personally identifiable information like name, address, or date of birth belonging to an individual less than eighteen years of age. For example, when a child creates an account in an online gaming platform, their data like username and age will fall into the category of children’s data.
It’s important to note that the definition of data of a child is broad under the DPDP Act. While sensitive information like names and addresses come under this, even seemingly harmless information like a child’s profile picture could qualify as children’s data. So if a 17-year-old child adds his picture while creating an account on a social media platform, the picture would also be considered personal data.
Key Provisions of the DPDP Act for Handling Children’s Data
The key provisions of the DPDP Act highlight three main areas: the need for parental consent, restrictions on targeted advertising directed at children, and obligations businesses must follow.
The need for parental consent
The DPDP Act mandates a company, known as a data fiduciary under the Act, to obtain verifiable parental consent before processing a child’s data. This means the company is responsible for getting explicit permission from the parents or legal guardians before collecting, storing, and using children’s data. The DPDP Act made this mandatory so that parents or guardians stay informed and have complete control over their children’s personal data. Continuing with our previous example, when a 17-year-old child creates a social media account, the company must obtain parental consent.
Restrictions on targeted advertising and data tracking
Section 9 of the DPDP Act prohibits companies from tracking and monitoring children’s online behaviour for targeted advertising. For example, a social media company cannot track a child’s usage patterns to target ads without their parent’s consent. Similar rules already apply in countries like the United States. Four years ago, Google and YouTube were ordered to pay a record $170 million for tracking children’s personal data without parental consent, in violation of the Children’s Online Privacy Protection Act (COPPA) Rule.
Obligations businesses must follow
Here’s a list of obligations companies must fulfil to comply with Section 9 and avoid severe consequences:
- Obtain verifiable parental consent before processing the personal data of children
- Maintain strong security standards to protect children’s personal data from breaches and cyberattacks
- Ensure data accuracy and completeness
- Appoint a Data Protection Officer (DPO) to oversee the proper execution and implementation of data protection mechanisms
- Delete children’s data when the purpose is over or the consent is withdrawn
- Set up a grievance redressal team to address complaints related to data handling
- Inform the Data Protection Board of India within 72 hours in case of breaches
Challenges You Might Face in Implementing the DPDP Act for Children’s Data
If you’re reading this as a business owner or a key member of the leadership in a company that deals with children’s personal data, the DPDP Act will present several challenges. The first is obtaining verifiable parental consent. You have to start by setting up an effective system to verify the identity of parents or guardians. This could be time-consuming and may demand additional resources, ultimately leading to potential delays in service delivery.
The next big challenge is the complex definition of terms like “targeted advertising.” For example, if a mobile gaming company wants to promote a new gaming app to children, it must consider carefully how it selects the audience. If it uses children’s gameplay activities to decide which ads to send, that might be targeted advertising. For some companies, this would mean pivoting or overhauling their marketing strategy, which in turn depends on a thorough understanding of the regulations.
The third challenge is balancing privacy concerns with providing an engaging experience to users. Companies offer many personalized experiences to their young audience presently to attract and retain them for the long term. However, with the DPDP Act provisions, companies must find ways to engage this group of audiences while adhering to strict data processing laws.
One of the best ways companies can balance this is by investing in platforms like Hypertrust. It streamlines parental consent verification always keeping your business compliant with the data protection laws.
Looking Beyond India: Global Best Practices in Children’s Data Protection
Looking beyond India, two significant laws address children’s data protection giving valuable insights that might influence the DPDP Act.
The General Data Protection Regulation (GDPR), implemented in the European Union (EU), is one of those two. It has set a high standard for protecting children’s personal data. It recognises that children are vulnerable to risks associated with data processing activities. To protect them from such vulnerabilities, the GDPR mandates companies to obtain parental consent before processing the personal data of children under 16 years of age. The European Data Protection Board also provides additional guidelines to ensure businesses prioritise children’s privacy.
Like the GDPR, the Children’s Online Privacy Protection Act (COPPA) is a benchmark for protecting children’s privacy online. COPPA was enacted in 1998, mandating websites and online services to obtain verifiable parental consent before collecting information on children under 13.
GDPR and COPPA set the precedent for how companies must approach children’s privacy. These international frameworks prioritize children’s data protection and understanding them can help businesses align their practices with the best standards.
Real-World Examples of Children’s Data Mismanagement
Let’s take a look at real-life case studies of violations of children’s data privacy. The companies involved are large organizations following best practices, yet a slight oversight brought them under the radar of the regulatory authorities.
Instagram’s Data Breach
In 2022, Instagram was fined a record 405 million Euros by Ireland’s Data Protection Commissioner (DPC) for violating children’s privacy. The DPC found Instagram guilty of allowing minors to upgrade their personal accounts to business profiles. This resulted in exposing their personal information like phone numbers and email addresses. This incident reiterates how vulnerable children’s data are online and how careful you must be before changing your business policies.
TikTok’s Failure to Translate Privacy Statement
The Dutch Data Protection Authority (DPA) fined TikTok 750,000 Euros for not being transparent about children’s data privacy. The DPA found in its investigation that the platform’s privacy statement was in English and not easily understandable. By not translating the privacy statement into Dutch, TikTok was not clearly communicating how it collects, uses, and processes children’s data. This was treated as an infringement because the law requires that users have complete information about how their data is being used by the platform.
Edmodo’s Data Hacking Incident
Edmodo, a popular US-based educational platform used by school teachers, students, and their parents, faced a data breach in 2017. A hacker stole the data of approximately 77 million users and put it up for sale on the dark web. The stolen information included email addresses, user names, and even passwords; although these were stored as hashes rather than in plain text, their exposure was still a risk. Investigations revealed that the data breach occurred due to a vulnerability in Edmodo’s system. While Edmodo used a strong encryption system to protect user information, fraudsters still got access to its database. This is a reminder to companies to build a formidable security structure and follow the best security practices to protect the data of children.
How Businesses Can Ensure They’re Compliant with the DPDP Act for Children’s Data
To ensure compliance with the DPDP Act for children’s data, companies must take a systematic approach covering age verification, consent processes, and continuous monitoring. Let’s look at each of them in detail:
Implementing age verification and consent mechanisms
The first step in adhering to the DPDP Act is establishing a system that verifies whether the user is a child. This means using methods like requesting the date of birth during sign-up, using AI-based age estimation tools, or asking users to submit age verification documents. Once the user’s age has been verified, companies also have to set up a consent mechanism to get approval from the parents. One of the best ways to achieve this is through email verification or SMS-based authentication.
Tips to create transparent and clear consent processes
A transparent consent process immediately builds trust with young users and their parents. One of the best ways to maintain transparency is by providing clear privacy notices explaining how the children’s personal data will be collected, used, and protected. Companies must translate the notice into different languages so it can be accessed by diverse people. While requesting consent, businesses must also clearly declare the purpose of data collection and provide options to parents to grant or deny consent.
Regular audits and updates to stay compliant
Setting up the mechanisms to protect the data of a child might be a one-time process; however, companies must conduct regular audits to identify gaps or vulnerabilities. These audits include assessing the effectiveness of the consent mechanisms and reviewing data security measures against the latest updates or amendments to the DPDP Act. Failing to monitor processes through audits might result in heavy penalties and loss of consumer trust.
Why Children’s Data Protection Should Be a Top Priority
Once the children’s data protection provisions are implemented, companies prioritising children’s data protection will certainly build a strong pathway to long-term success and consumer trust. The reason is a strong, positive brand image that parents and legal guardians readily trust. As consumers start taking data privacy more seriously, they will naturally gravitate towards such organisations. Therefore, by complying with the DPDP provisions, companies are setting themselves up for a competitive advantage.
The best way to build that competitive advantage is by acting now. Companies prioritizing children’s data privacy will be able to look beyond implementing solutions for maintaining the highest level of data security. They can embrace a privacy-by-design approach to integrate data protection in all aspects of the operations like product development or marketing strategies.
Embracing the privacy-by-design approach is easier said than done. Companies must invest in modern and advanced platforms like Hypertrust to automate compliance with the DPDP Act provisions and implement children’s data protection effectively.
Wondering how Hypertrust can help? Sign up for a live demo now
FAQs
1. How does the DPDP Act define a child?
The Digital Personal Data Protection Act 2023 defines a child as an individual under the age of eighteen years.
2. What constitutes verifiable parental consent under the DPDP Act?
The DPDP Act mandates data fiduciaries to obtain verifiable parental consent for processing of personal data of children. The central government is expected to share explicit details after the Act’s implementation. But it’s clear that for companies to meet the threshold of verifiable parental consent, they must maintain detailed records.
3. Are there any exemptions to the parental consent requirement?
According to the available information, there is no exemption to the parental consent requirement.
4. How can data fiduciaries ensure compliance with the DPDP Act concerning children’s data?
Here’s what data fiduciaries must do:
- Verify the user is a child
- Validate the guardian’s identity to ensure that they are not minors themselves
- Verify the legitimacy of the parent and child relationship
- Obtain verifiable consent from parent or guardian
- Maintain detailed digital records to prove that the pre-requisites for children’s data safety have been fulfilled
- Provide clear notice and offer easy withdrawal of consent
- Implement age verification mechanisms
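The age-gating and consent flow described in the compliance section above (date-of-birth check at sign-up, a one-time code delivered to the guardian by email or SMS, detailed records, easy withdrawal, deletion once consent is withdrawn) can be put together in a small consent ledger. The code below is an added, constructed example written for this page; it is not Hypertrust’s product code and not an official DPDP implementation. The eighteen-year threshold comes from the Act as the page states it; the ten-minute code lifetime, the list of purposes that are refused outright (treating Section 9’s ban on tracking for targeted advertising as a non-consentable purpose), the `account` and `gameplay_stats` purpose names, and the hashing of guardian contact details are all design assumptions of this example.

```python
"""Constructed example: an age gate plus a verifiable parental-consent ledger."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

CHILD_AGE_LIMIT = 18                     # DPDP Act: a child is anyone under eighteen
CODE_VALIDITY = timedelta(minutes=10)    # assumed lifetime of a one-time consent code
# Assumption for this example: purposes that are never offered for consent,
# reflecting the Section 9 restriction on tracking children for targeted ads.
NON_CONSENTABLE_PURPOSES = {"targeted_advertising", "behavioural_tracking"}


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today, allowing for a birthday not yet reached."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def is_child(dob: date, today: date) -> bool:
    return age_on(dob, today) < CHILD_AGE_LIMIT


def _digest(value: str) -> str:
    # Only hashes of codes and guardian contact details are kept in the ledger,
    # so the consent records themselves do not become a store of personal data.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class PendingConsent:
    code_hash: str
    guardian_contact_hash: str
    purposes: tuple[str, ...]
    expires_at: datetime


@dataclass
class ConsentRecord:
    guardian_contact_hash: str
    purposes: tuple[str, ...]
    granted_at: datetime
    withdrawn_at: datetime | None = None


class ConsentLedger:
    """Tracks pending, granted and withdrawn parental consent per child account."""

    def __init__(self) -> None:
        self._pending: dict[str, PendingConsent] = {}
        self._granted: dict[str, ConsentRecord] = {}
        self.audit: list[tuple[datetime, str, str]] = []   # (when, child_id, event)
        self.child_data: dict[str, dict] = {}              # stand-in for the real data store

    def start_consent(self, child_id: str, child_dob: date, guardian_dob: date,
                      guardian_contact: str, purposes: list[str], now: datetime) -> str:
        """Age-gate the child, check the guardian is an adult, issue a one-time code."""
        today = now.date()
        if not is_child(child_dob, today):
            raise ValueError("user is not a child; parental consent flow does not apply")
        if is_child(guardian_dob, today):
            raise ValueError("guardian must be an adult")
        refused = NON_CONSENTABLE_PURPOSES.intersection(purposes)
        if refused:
            raise ValueError(f"purpose(s) not consentable: {sorted(refused)}")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[child_id] = PendingConsent(
            _digest(code), _digest(guardian_contact), tuple(purposes), now + CODE_VALIDITY)
        self.audit.append((now, child_id, "consent_requested"))
        return code   # the caller delivers this to the guardian by email or SMS

    def confirm_consent(self, child_id: str, code: str, now: datetime) -> bool:
        """Guardian enters the code; on success the consent becomes a dated record."""
        pending = self._pending.get(child_id)
        if pending is None or now > pending.expires_at:
            return False
        if not hmac.compare_digest(pending.code_hash, _digest(code)):
            self.audit.append((now, child_id, "consent_code_mismatch"))
            return False
        del self._pending[child_id]
        self._granted[child_id] = ConsentRecord(
            pending.guardian_contact_hash, pending.purposes, now)
        self.audit.append((now, child_id, "consent_granted"))
        return True

    def may_process(self, child_id: str, purpose: str) -> bool:
        rec = self._granted.get(child_id)
        return rec is not None and rec.withdrawn_at is None and purpose in rec.purposes

    def store(self, child_id: str, purpose: str, key: str, value) -> None:
        """Every write is tied to a purpose the guardian actually consented to."""
        if not self.may_process(child_id, purpose):
            raise PermissionError(f"no valid consent for {child_id!r} / {purpose!r}")
        self.child_data.setdefault(child_id, {})[key] = value

    def withdraw(self, child_id: str, now: datetime) -> bool:
        """Withdrawal closes the consent record and deletes the child's stored data."""
        rec = self._granted.get(child_id)
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = now
        self.child_data.pop(child_id, None)
        self.audit.append((now, child_id, "consent_withdrawn_data_deleted"))
        return True
```

The `audit` list is the "detailed digital record" the FAQ asks for: every request, grant, failed code and withdrawal is timestamped, while the contact details that would identify the guardian are stored only as hashes. Delivery of the code by email or SMS is left to the caller, since that depends on the messaging provider in use.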