The draft rules of the Digital Personal Data Protection (DPDP) Act provides a constraint on social media access to children under 18, and they will have to receive verifiable consent from parents or legal guardians to access social media platforms, the MEITY (Ministry of Electronics and IT) states.

People are expected to submit their feedback on the draft rules latest by February 18, 2025. The DPDP Act, passed in Parliament in August 2023, balances the individual’s right to protect personal data with the need to process such personal data for lawful purposes.

The draft rules have specified that the Data Fiduciary must verify the age of a child’s parent or legal guardian as an adult through a government ID or a token linked to such details. The verification process is key to ensuring that consent is given by a responsible adult, with their identity provided by a Digital Locker service in line with relevant laws.

“Examples are provided to clarify how this process should work, particularly in cases where the parent is already a registered user or when the parent needs to provide identity details using a Digital Locker service,” it states.

Exemptions:

To process children’s personal data, certain exemptions are provided under section 9 of the Act for  various types of Data Fiduciaries and purposes, subject to conditions outlined in Schedule IV. Part A of the schedule exempts healthcare professionals, educational institutions, and children providers.

To ensure the safety of the child, data processing is done within a limited zone. “The processing of children's personal data by these entities is permitted, but it is restricted to specific activities like health services, educational activities, safety monitoring, and transportation tracking,” it notes.

Part B of the Schedule IV laid out the purposes where exemptions can apply, such as processing in legal duties, issuing subsidies or benefits to children, creating user accounts for communication purposes, or ensuring the child does not have access to harmful information.

“The provision acknowledges that certain activities, such as verifying the age of a data subject to confirm they are not a child, also fall under this exemption, as long as the processing remains limited to the necessary scope,” it adds.

Tech giants like Google and Meta are at loggerheads over the definition of children in the DPDP Act.