The current version of India’s Digital Personal Data Protection Bill, 2022 (DPDP) defines a ‘child’ to mean “an individual who has not completed eighteen years of age.” Further, DPDP introduces special requirements for collecting and/or processing children’s information. For example, Clause 10 specifically requires verifiable ‘parental consent’; prohibits processing when it is likely to cause harm; and imposes additional obligations in respect of online tracking, behavioural monitoring, and targeted advertising. The penalty for non-compliance may go up to ₹200 crore.
Meanwhile, the proposed Digital India Act (DIA) is likely to focus on user safety, stricter obligations for intermediaries and regulating new technologies. To reduce cybercrime and prevent online harm, the DIA may introduce provisions on ‘age-gating’ children from addictive technologies and platforms that collect and/or process their data.
In the US, since the Children’s Online Privacy Protection Act imposes special requirements on online platforms that cater to children under 13, many social media companies have opted out of the regime altogether by declaring that such children are not permitted on their sites. Yet, several under-13 children remain active users. However, if India’s DIA ends up defining a ‘child’ the way DPDP does (with an 18-year threshold), there may be additional implications for online, digital, and/or social media intermediaries, as well as for children and parents themselves.
DPDP defines ‘profiling’ as a form of data processing that analyses the behaviour, attributes or interests of a ‘data principal’. But, when the individual is a child, a ‘data principal’ includes their parents as well. Hence, a valid consent may always require parental intervention. If a 17-year old wishes to access a social networking portal, for example, they may/should not be able to proceed without getting a parent or legal guardian involved.
However, children routinely engage with digital media across diverse platforms. In fact, compared with their parents, children are far more likely to adopt new technologies early. Unsurprisingly, when technology companies build large databases of consumer preferences which can later be transformed into commercially useful knowledge, children’s data may also get included.
Given the high age-limit prescribed under DPDP, access to new technologies may become cumbersome for teenagers.
Even for younger children, a new generation of interactive digital toys has been introduced in the IoT marketplace. Going forward, India may witness a further boom within this segment, fuelled by children’s rising value as a lucrative demographic. Since bespoke content designed for young people gets distributed across a growing array of devices, ‘children’ of all ages may inevitably (want to) engage with them.
Feasibility has to be an important consideration while determining an appropriate age-range for defining a child – including for the purpose of data protection. Accordingly, corresponding laws ought to be practically designed to ensure implementation.
(The writer is a lawyer with S&R Associates)