wordpress blog stats
Connect with us

Hi, what are you looking for?

Facing the consequences of the Data Protection Bill on children’s digital privacy

The latest draft is also problematic for companies or service providers that have nothing to with children’s data.

By Vrinda Bhandari

Discussions around the Data Protection Bill, 2021 (“DPB”) released by the Joint Parliamentary Committee (“JPC”) in December last year have largely revolved around the exemptions provided to the government, the impact of data localisation provisions, the inclusion of non-personal data, and issues of enforcement and regulatory structure of the Data Protection Authority. In many of these conversations, the DPB’s stipulations regarding the processing of children’s data have been sidestepped. Additionally, many companies believe that they need not concern themselves with the obligations surrounding children’s data, since their services are not targeted towards children. This belief is based on a misunderstanding of the manner in which Clause 16 of the DPB, which relates to children’s data, operates.

Obligations of companies while processing children’s data

Under the DPB, all companies and organisations (i) must verify the age of the child and obtain parental consent before processing any personal data relating to the child; (ii) process such data in a manner that “protects the right of the child”; and (iii) are prohibited from profiling, tracking, engaging in behavioural monitoring of children, direct targeted advertising at children, or undertaking any other processing that can cause “significant harm” to the child.

Earlier versions of the Bill, including the Personal Data Protection Bill, 2019 had introduced a separate category of “guardian data fiduciaries”, regulating those companies operating online services directed at children or which processed large volumes of personal data of children. Such guardian data fiduciaries had to comply with stricter obligations, including the prohibition on profiling mentioned above. Apart from recommending some other changes in Clause 16, the JPC has done away with the separate categorisation of guardian data fiduciaries. Thus, under the DPB, 2021, a single standard applies to all companies, regardless of the nature of services provided.

Age of a ‘child’

While the intent of the JPC may be laudable, the phrasing of Clause 16 raises many concerns and has unintended consequences. The first relates to the definition of “child”. Under the DPA, any person under the age of 18 is defined as a child and is presumed to not have the capacity to consent. This is at variance with the international position, where the age of consent for children is 13 years (USA), 15 years (Australia) or between 13-16 years (Europe). However, as the Covid-19 pandemic has revealed, the internet plays a vital role for teenagers, whether for their academic, entertainment, or other trivial pursuits. By maintaining the age of consent at 18 and requiring parental consent, the DPB is depriving teenagers of their autonomy and privacy, thereby inhibiting their growth and self-expression on the internet. Despite recognising that “from the perspective of the full, autonomous development of the child, the age of 18 may appear too high”, the JPC effectively equates the maturity levels of a toddler with that of a teenager. A graded approach is needed while dealing with the privacy rights of minors.

Advertisement. Scroll to continue reading.

Parental consent and age verification requirements

The mandatory requirement for parental consent means that in practice, the entire internet will be age-gated. Every organisation will have to verify the age of every user to ascertain whether parental consent is required. This is problematic from both a commercial and privacy point of view. For companies and service providers, especially those not directed at children, it will be expensive and onerous, and in many cases, unnecessary.

Many will choose to implement it either by requiring simple self-declarations (which may undermine the Bill’s intention of protecting children from commercial exploitation of their data) or by requiring users to furnish “hard” identifiers such as Aadhaar, passport etc. (which is contrary to the principles of data minimisation). Unlike the 2019 version where the manner of age verification was to be specified in the regulations, the DPB leaves it to companies to decide, after considering various factors.

Further, requiring children to seek parental consent is not always practical, possible, or advisable, especially for teenagers who may not receive parental support for use of a technology or a service; have easy access to relevant age documents; or whose parents may not be familiar with the digital space.

Does the DPB undermine the privacy of children?

The DPB actually undermines the privacy of children who may wish to access counselling or child protection services. Recognising the importance of confidentiality in such situations, the 2019 version did not require parental consent to access such services. However, the JPC has completely done away with this statutory protection. At a time when mental health and child safety concerns have become paramount, such a dilution is unfortunate.

The absolute prohibition on tracking – a step too far?

The DPB now prohibits all organisations from profiling, tracking, or engaging in behavioural monitoring of the child. What does this mean in practice? Consider a company that offers students practice for competitive exams by providing them with performance-based assessment and periodic online testing. The standard of the next practice test, in this case, will be based on the student’s previous performance. Such performance-oriented assessment, which is cognizant of the learning ability and outcomes, is actually beneficial to a child. However, such an act would be prohibited under the DPB’s expansive definition of “profiling” and the general understanding of “tracking”. Thus, the only option is to provide standardised practice tests to all children, regardless of their ability and previous performance.

In fact, the text of the law technically also prohibits schools from releasing report cards, which, by their very definition, engage in profiling, tracking, and monitoring the behaviour of children. One would hope that the regulator would not adopt such a strict interpretation of the law. Unfortunately, however, the text of the law provides a lot of leeway to the regulator (the Data Protection Authority) and does not expressly limit the applicability of Clause 16 to harmful or automated data processing practices. At the same time, the prohibition against targeted advertising for children is likely to see a spurt in contextual advertising and advertising directed at parents. Interestingly, the DPB goes beyond the Advertising Standard Council of India’s self-regulatory Code, whose guidelines regarding advertising for children defines a child as being under the age of 12 years.

Advertisement. Scroll to continue reading.

The need to regulate the processing of children’s personal and sensitive personal data is essential. However, the manner in which Clause 16 of the DPB has been formulated has various unintentional consequences and practical concerns. We can only hope that the Parliament addresses some of these issues before it introduces the Data Protection Bill this year.


Vrinda Bhandari is a lawyer practicing in Delhi and specialising in data protection and technology. Views expressed are personal and do not necessarily reflect the views of MediaNama. 

Also Read: 

Have something to add? Subscribe to MediaNama here and post your comment. 

Advertisement. Scroll to continue reading.
Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Amazon announced that it will integrate its logistics network and SmartCommerce services with the Open Network for Digital Commerce (ONDC).


India's smartphone operating system BharOS has received much buzz in the media lately, but does it really merit this attention?


After using the Mapples app as his default navigation app for a week, Sarvesh draws a comparison between Google Maps and Mapples


In the case of the ‘deemed consent' provision in the draft data protection law, brevity comes at the cost of clarity and user protection


The regulatory ambivalence around an instrument so essential to facilitate data exchange – the CM framework – is disconcerting for several reasons.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ