The Digital Personal Data Protection Act (PDPA) passed by the Government of India is an important initiative that provides a strong foundation for the protection of the personal data of citizens in the digital age. The Act aims not only to protect the data of ordinary citizens but also to give special protection to the privacy of the most vulnerable sections of society – children and persons with disabilities. In this article, we will analyze in detail the legal, technical and social aspects of children’s data protection under PDPA.
Definition of children in PDPA and its importance
The PDPA Act defines a person below the age of 18 as a ‘child.’ This definition is broader than international standards, where the limit is set at 16 years in the European Union and 13 years in the US COPPA Act. This limit is considered safer, keeping in mind India’s social structure, digital literacy and family environment.
The purpose of this higher age limit is to protect children from potential exploitation through digital means. This category also includes teenagers aged 13 to 18 years, who are active in the digital world but are not considered fully mentally mature. Special care is therefore required in monitoring their activities and processing their data.
Scope of data processing and parental consent

Section 9 of the PDPA states that before processing the personal data of any child, the ‘verifiable consent’ of his/her parents or legal guardian, referred to here as verifiable parental consent (VPC), is required. This consent is necessary because children are not able to decide for themselves how their data can be used.
The process of VPC is not clearly defined in the PDPA, which creates the need for the Central Government to prepare detailed guidelines on it. Taking inspiration from the US COPPA Act, measures can be taken in India as well, such as:
- Submission of identity documents by parents
- Confirmation of consent by video call or toll-free number
- Scanned copy of government certificates or OTP-based system
- Digital signature or KYC-based verification system
In addition, a centralized digital platform can be developed in India that helps in authenticating the identity and consent of parents. This system can be implemented in schools, healthcare apps, e-learning platforms and social media networks.
Advertising targeted at children: Risks and responsibilities
In today’s digital age, advertising companies use children’s data to promote products and services targeted at them. It has become common to track children’s activities on social media platforms like YouTube, TikTok, Instagram and mobile games and show them appropriate advertisements. This trend can affect the mindset, likes and dislikes, and decision-making ability of children.
The PDPA prohibits such targeted advertising in relation to children. The Act makes it clear that any use of children’s data that may affect their mental, physical or emotional health will be a punishable offence. But the definition of ‘harmful effect’ is vague, making it difficult to enforce this ban.
In this situation, the Indian government should make this concept clearer. For example:
- Games that make children addicted should be banned
- In-app purchases should be linked to parental permission
- Personalized content based on children’s activities should be banned
Adolescents’ freedom vs safety: A balance is needed

The PDPA also classifies adolescents aged 13 to 18 as children, but this age group is often more digitally empowered. Teens of this age use the Internet for studies, social networking, digital content creation, and career-related information. In such a situation, there is a need to balance their freedom and security rather than relying completely on parental consent.
For example:
- Adolescents can be given some limited rights so that they can themselves give permission to share their data in certain situations.
- Platforms should develop separate interfaces or modes for adolescents where risks are limited and privacy is high.
- Adolescents should be trained on data protection through education and awareness programs.
Rights of Persons with Disabilities: Inclusive Approach
The PDPA ensures that the specific needs of persons with disabilities are taken into account during the processing of their data. It is imperative to make the process of obtaining consent simple, easy and technically accessible for them.
For example:
- Voice-based confirmation systems for visually impaired people
- Text and sign language-based consent systems for hearing-impaired people
- Guardian-assisted consent process for mentally challenged people
The government and digital platforms should ensure that these options are available to all and do not violate the right to privacy.
Interpretation of PDPA and suggestions for improvement
The PDPA has many positive initiatives, but some areas still need improvement:
- ‘Harmful effects’ should be defined clearly and with examples
- Technical and legal guidelines for VPC should be clarified
- Adolescents should be made aware of the need for VPC
- Develop a compliance mechanism for digital platforms
- Set stringent penalties for crimes involving children’s data
Conclusion: Digital safety of children – a shared responsibility
PDPA is a law that helps strengthen the foundation of a digital society in India. This Act not only ensures the safety of data of children and persons with disabilities but also defines the role and accountability of all stakeholders in the digital space.
But just making a law is not enough. Its implementation requires the participation of everyone – the government, parents, schools, tech companies and children themselves. Awareness campaigns, education on data privacy in schools, digital literacy programs for parents and the development of technological solutions – all these together can make PDPA a successful and effective law.
Protecting the innocence and privacy of children is not only a legal duty but also a moral responsibility. PDPA is a solid start in this direction, which can be transformed into an effective security system through continuous improvement and collaboration.
FAQs
Q. What is the PDPA Act?
A. The Personal Data Protection Act (PDPA) is a law designed to protect the personal data of individuals and regulate how personal data is processed, especially for children and vulnerable groups.
Q. What is considered a “child” under the PDPA?
A. Under the PDPA, a child is anyone under the age of 18 years. This is a stricter age limit compared to some other regions like the EU, which sets it at 16.
Q. Why does the PDPA require parental consent for children’s data?
A. The PDPA mandates parental consent for processing children’s data to protect them from harm and ensure that their data is used in a responsible manner, especially on digital platforms.
Q. What is Verifiable Parental Consent (VPC)?
A. VPC is a method used to verify that parental consent is genuine, ensuring that parents approve the use of their child’s data. This can include methods like video calls, government IDs, and knowledge-based questions.
Q. What happens if a child’s data is misused under PDPA?
A. If a child’s data is processed in a harmful way, it is considered a punishable offense under the PDPA. Organizations are prohibited from tracking or monitoring the behavior of children to prevent adverse effects on their mental and physical well-being.