DPDP Act draft rules: Social media users under 18 years to require parental consent

Children will require verifiable parental consent to access social media in India, as per the draft rules of the Digital Personal Data Protection Act of 2023 (DPDP). Any user below the age of 18 has been defined as a child under the Act, which was passed by Parliament in August 2023.

The much-awaited rules were released by the government on Friday with stakeholder comments sought until February 18. The executive rules have also left the door ajar for the return of the data localisation provision of certain kinds of personal data. It has, for the first time, proposed to place data fiduciaries under three broad categories of ecommerce companies, gaming intermediaries, and social media firms.

The rules mandate that they must delete the personal data of inactive users on their platforms after three years. In case of a data breach, data fiduciaries will have to inform the Data Protection Board within 72 hours.


“DPDP Rules have been much awaited and a draft gives broad direction to the industry to start thinking about implementation,” said Aparajita Bharti, founding partner, The Quantum Hub Consulting. “One key concern, however, is a potential room for bringing data localisation requirements for significant data fiduciaries as the rules mention that a committee formed for this purpose may do so in the future.”

Ikigai Law partner Neha Chaudhari said, “Verifiable parental consent has a flexible, real-world approach. It’s good that it’s not overly prescriptive. Data fiduciaries can choose how to do it.”

Data fiduciaries operating in India will also need to inform every user of details of a data breach in “a concise, clear and plain manner and without delay, through her user account or any mode of communication” provided by the user. These details will contain details such as the nature, extent, timing and location of the data breach, the impact of it on the user, the risk mitigation measures being taken, and the contact information of the person who the user can get in touch with in case of any queries related to the data breach.

Organisations hit with a breach will have to inform the board with details such as the nature and extent of breach, the persons or events responsible for the breach, remedial measures being taken, and a report regarding the information given to the users of the platform impacted by the breach.

Under the new rules, the Ministry of Electronics and Information Technology has proposed that all data fiduciaries adopt appropriate technical and organisational measures to ensure that verifiable parental consent is obtained before the processing of any personal data of a child.

Further, significant data fiduciaries, or those internet intermediaries that process sensitive data, will also need to undertake an annual data protection impact assessment study and an audit, and report the findings of both to the Data Protection Board, the IT ministry has proposed.

The Data Protection Board, the draft rules proposed, will have a chairman and will be constituted on the basis of recommendations by a four-member committee headed by the IT secretary.

The IT ministry has proposed that significant data fiduciaries must take measures to ensure that the personal data and the data traffic is stored in India if a government-appointed committee mandates it.

It has made the data fiduciary liable to verify the authenticity of the person claiming to be the guardian of a minor on social media. Further, the ministry has proposed that the verification of both explicit parental consent and the relationship between the guardian and the minor shall be done by “reliable details of identity and age” as available with the platform or details of identity and age “voluntarily” provided by the user.

A compact set of rules has been notified for consultation, said Arun Prabhu, partner, head, technology, Cyril Amarchand Mangaldas.

“Some aspects of the rules, including how significant data fiduciaries will be notified, potential restrictions on cross border transfers, including for SDFs, use of ‘algorithmic software’ by SDFs, and timelines for implementation--which it appears will take place in at least two phases--are far less clear and may be ironed out during the consultation process, for which a 45-day period has been provided,” he said.