Experts Raise Concerns About Parental Consent and Age Rules in India’s Data Privacy Law
Some experts are questioning how effective parental consent really is in keeping children safe online, especially under India’s Digital Personal Data Protection Act (DPDPA). They argue that the law assumes parents always understand and can control what their kids do online — which may not always be true.
Traditionally, parents controlled what children watched on TV or rented from stores. But now, children have constant access to the internet through smartphones, making it harder for parents to keep track.
According to an opinion piece in Tech Policy, the DPDPA defines anyone under 18 as a child. The law says companies can only use children’s data if parents give permission. It also bans tracking, targeted ads, and anything that could harm children. These rules are stricter than those in the UK and Europe, but they haven’t been put into action yet because the government hasn’t finalized them.
The draft rules don’t say exactly how companies should confirm a user’s age. They only ask that businesses use “appropriate” methods to make sure parents have given consent. But this creates problems, the article argues. Many parents may not have the digital knowledge to make informed choices. In fact, a report by Oxfam in 2022 found that just 38% of Indian households are digitally literate. Often, kids are more tech-savvy than their parents and are the first in the family to use digital platforms.
The article also says that methods like ID checks could collect too much personal data. Asking for official documents to verify age might go against privacy principles like “data minimization.”
Instead of relying only on parental consent or ID checks, the article suggests building safer digital platforms with features like privacy by design. These changes would make digital spaces safer from the start, rather than just blocking access based on age.
Another article in Medianama raises similar points. It asks whether a blanket rule is fair to all children, who vary in age and maturity. It argues that targeted or personalized content can actually help children — for example, a child with a disability could more easily find useful study materials, or a teenager in distress might find a support group online.
The author proposes dividing children into age groups with different protections:
- Under 8 years: Strict controls with full parental oversight.
- Ages 9–12: Clear, simplified explanations of data use and optional parental guidance.
- Ages 13–17: More freedom and control over their privacy settings.
This approach would avoid treating all minors the same and better match rules to children’s different maturity levels.
Meanwhile, companies like Google and Meta are watching closely to see how India will handle age verification rules. Both companies have over a billion users in India. Google has shared a new “zero-knowledge” age check system in Europe, but it’s unclear if Indian law will allow something similar.
Experts say India’s laws don’t yet say who can act as a trusted verification provider. Until this is made clear, companies are unsure what age-check methods are allowed. While India’s digital ID system could help, concerns about privacy and data misuse remain.
