Date: 2023-11-01

“When a population of 80% adults do not know what consent is, and is distributing data like prasad, how are we expecting our children to understand privacy, consent, or data and its protection, is something that I really fail to understand. I also feel very strongly that adults themselves are unaware about what data and what consent is about, and therefore it is shared so, so commonly in various platforms, and there are no boundaries created,” Sonali Patankar of Responsible Netism said in reference to the Digital Personal Data Protection Act (DPDP Act), 2023, at the Children and Privacy session during the 2023 edition of MediaNama’s annual conference PrivacyNama.

Under the DPDP Act, companies are required to seek verifiable parental consent before processing the data of anyone under the age of 18. However, Patankar pointed out that only 20% of the parents in India are literate and digitally aware. “But the remaining 80, I feel they’re under the category of giving assent because they don’t know what they’re giving consent about or for,” Patankar mentioned. Fellow speaker at the conference Nidhi Sudhan, Co-founder of Citizen Digital Foundation, agreed with Patankar: “So, if I, as a parent, I’m faced with a VPC– a verified parental consent protocol through an architecture of the technology platform that I’m interacting with, saying that you need to now grant consent for your child, I will just do it for the heck of it. I’m not going to think about it too much as to what happens,” she said.

Patankar suggested that both children and parents need to be educated on consent. “Consent needs to be taught as a life skill for children from age six or even younger because that is when the exposure actually begins. And which means consent needs to be taught to parents before children are born,” she explained. Alternatively, Sudhan looked towards COPPA in the US and explained that it requires an intermediary between the platform (which is seeking verification) and the parents and suggested that such intermediary bodies can also be implemented in India. “So, if the parent knows that this is like ISI [Indian Statistical Institute] or FPO [Farmer Producer Organizations] certified based on, okay, if I consent, I know that the data that my child is going to submit is going to be used in safe ways, the necessity, proportionality aspects, everything is taken care of,” she explained. Fellow speaker and public policy professional Manasa Venkataraman added that this system of age verification sounds similar to the use of DigiLocker for storing parental consent, which is currently being imagined in India.



Why a sliding scale of consent should have been brought in by the DPDP law:

“World over, I can’t think of a single law where an age of consent is provided and it’s not an arbitrary age. So, this could be 13, this is 14 in Korea. The GDPR sets it at a band between 13 to 16, [and] India sets it at 18, but it’s always an arbitrary age. And that’s not any better than not having an age of consent at all. What would have been better and what we still have an opportunity to do is introduce a sliding scale of consent,” Venkataraman said at the conference.

Venkataraman pointed out that individuals under the age of 18 are not a homogenous bunch and as such, they need “different levels of parental observation and intervention to ultimately give them the autonomy that they will need once they turn 18 and have to consent on their own.” She said that such a sliding scale that meets the needs of different age groups is worthwhile to explore given that it is being discussed currently in the US as the Children’s Online Privacy Rule (COPPA) has been tabled again.

How companies can go about age verification:

“When we think of age verification, we instantly think of like, okay, I’ll have to upload a photo of my Aadhar Card or I’ll kind of have to provide my date of birth and I’ll be allowed access to a digital platform if I’m over the age gate,” Venkataraman said, adding that the reality is a lot more complicated. “There’s a lot of very sophisticated mechanisms that are coming up, which are also privacy-protective, which are ephemeral, tokenized and still provide a certain level of autonomy to guardians as well as individuals, as well as minors to kind of surpass the age gate and move forward,” she explained.

She said that while such ephemeral and tokenized age verification systems are not in use right now, they are being considered by the National Commission on Informatics and Liberty (CNIL) in France. “So, they’re working with a think tank slash privacy expert, cryptography expert to devise a system where the age verification question is actually a challenge that’s posed to the minor. And it’s a cryptographic question-and-answer kind of challenge, there is a certain amount of friction. But it’s, if it’s answered correctly, then the assumption is that an individual over the age of majority would have only known the answer to this kind of question. For the life of me, I couldn’t figure out I couldn’t find an example of what this challenge would be. But that’s the idea. It’s also ephemeral and tokenized, meaning that only a hash is shared between the third-party verifier and the platform to which the minor seeks access,” she explained.

While Venkataraman spoke about privacy-protective age verification mechanisms, social media platform Snap’s head of public policy Uthara Ganesh explained that each verification mechanism comes with a trade-off. “There’s self-disclosure, which is easily circumventable. The second is, of course, ID-based verification, which we know, of course, has data privacy risks, but then also the trade-off there is that some people may not even have IDs. There’s an access versus accuracy trade-off there. The third is, of course, using biometrics of some sort, which some experts think actually might be quite fine from an accuracy perspective, but then there are variances because of things like skin color and your physical features, etc,” she said at the conference.

Circumvention of age verification:

One of the concerns raised during the discussion was that children could circumvent age verification mechanisms. “I think I went to a woman MP; I can’t name whom, and I was just talking to her about this issue. And she was like, this is the law. My child will just make their own email ID and they’ll give consent on my behalf,” the moderator for the session, Aparajita Bharti from The Quantum Hub, said, asking the panelists how circumvention could be tackled.

Ganesh pointed out that when discussing circumvention, it is important to consider why teenagers would want to circumvent it in the first place. “I think that the reason circumvention is such a real problem is because teenagers don’t want to be excluded from using digital services and from vast parts of the internet,” she said. As such, she mentioned that the community could benefit from research on the aspirations of young people in India. This, she said, would help formulate the rules for seeking verifiable consent (which are yet to be prescribed by the government) and could also inform the design process of social media platforms.

Challenges posed by age verification:

Ganesh also pointed out that different regions may have differing stances on what constitutes a risk to children’s privacy online, causing compliance issues for companies. “I feel like maybe the EU has a different point of view on risk than India. And as a company that’s globally sort of present, negotiating that is a bit of a nightmare,” she said. Further, she pointed out that regions may also vary on the acceptable technologies for age verification. So while the EU might not be okay with biometric verification, India may be open to the use of the same. “And therefore, having different mandates from different countries on very specific parts of this complex issue is going to be problematic,” she explained.

Ganesh did, however, see a glimmer of hope in the age verification provisions. She pointed to sub-sections 4 and 5 of section 9 (on the processing of children’s data), which provide exemptions for certain websites that the government may allow to process the data of a child if they do so in a verifiably safe manner. “It sounds to me like that is an opportunity to make a persuasive case for a risk-based approach,” she explained.

“I think to me, the sliding scale approach looks a little bit like this– We need to sort of identify what are high risk or high harms or use cases or platforms that have high potential for harm. And within platforms also, we need to look at specific functions that have [a] higher possibility of harm than others. And the rolling out of the verification mechanism and the type of severity of the mandate should be proportionate to the level of harm and the level of risk from my perspective,” Ganesh said, explaining what a risk-based approach to verification should look like. She suggested that platforms where users are consuming content should have a different verification mechanism than ones where they are chatting, which might be treated differently because they are at higher risk.

Giving primary consideration to the best interests of a child:

“Since 2018, I know that several stakeholders have gone to the government, gone to bodies that have been constituted to emphasize that it’s important to bring this phrase [‘best interests of a child’] in because it’s a global standard,” Venkataraman mentioned, speaking about the UK’s age-appropriate design code. She added that if this phrase had been added to the DPDP law, it would have allowed India to benefit from what’s happening on the best interest framework in the Western hemisphere.

“For example, if there is a conflict between [the] best interests of the child or processing that has to be curtailed because it’s insidious and not in the child’s best interests if there’s a conflict between that and commercial interest for the platform, the best interests of the child prevail. It takes a leg up. So, setting those principles at the very foundation and then working up from that to bridge the information gap between parents and what they’re required to consent to is really step zero,” she explained.

Even though this phrase is not present in the law, just like Ganesh, Venkataraman is hopeful about the rules yet to be created by the government under sub-sections 4 and 5 of section 9. “There is space in the rules to kind of carve something out from the ground up, to carve not just technical standards, which I understand are a little ways down the road, but principles-based frameworks, depending on the Indian context,” she said.

Is the government equipped to keep children’s data safe?

Patankar expressed that the entire data of school children is with the government and that while there are mechanisms to control the data, there is no awareness of what needs to be done. “I think understanding how to protect data systems, even basic audits, computer audits in schools, in organizations or in institutions that are dealing with children, the awareness on that front is very, very low. So, I think as stakeholders, critical stakeholders of child protection, the entire mechanism needs to be equipped with skills to protect children, understand what is crucial, critical data, and also understand where, how, and what not to be shared,” Patankar suggested.

How can companies that cater to children grow under the DPDP law?

Sudhan pointed out that these laws come in post facto, which makes it difficult for companies to go back and correct their ways. “And we don’t even know whether what we were doing was right or wrong. And why does the law suddenly prevent us from doing something that was just business as usual? So these are the negotiating challenges,” she said. She added that there have to be several layers of learning, “before we arrive at an ecosystem where we recognize why some of the things that were okay earlier are now not okay.”

She pointed out how behavioral targeting is often used to recruit children to a platform when they are young to make them long-term users. “So, when we have a conflict of interest with business metrics driving us to recruit customers young, and then we have a law that says prioritize child safety, what are we going to go with? We’ll always try to circumvent. So, this is the kind of conflict and dilemma that I think we have to negotiate. And it will only evolve in the coming years,” Sudhan said.

The purpose of verifiable parental consent:

“When you become an adult, you’re responsible for the consequences of your action from the state and citizen point of view. So, when you do something, you are by law responsible for all consequences thereof which you can foresee. Now, in terms of a parent and a child, it is not that the parent or the child is able to appreciate the harm, but the state is fixing responsibility of the harm to be caused to the child on the parents saying, listen, it was done under your supervision care and you’re responsible for the harm,” Intellectual Property lawyer Rahul Ajatshatru, a participant at the discussion, pointed out. He suggested that this protects the state and the service provider from liability in case a child is harmed by the data processing activity of a company.

“So, what you’re saying is the purpose is to transfer the liability from the child to the parent,” MediaNama’s founder Nikhil Pahwa said, adding to the discussion. “And then for verification, the purpose is to transfer the liability to the platform,” he mentioned.

