New Delhi, January 4:
The Union Ministry of Electronics and Information Technology (MeitY) has released the Draft Digital Personal Data Protection Rules, 2025, aimed at enhancing the protection of children’s personal data in the digital world. These rules, part of the Digital Personal Data Protection Act, 2023, which was passed by Parliament in August 2023, introduce measures that place stringent requirements on social media platforms and online services. Stakeholders are invited to submit their objections and suggestions on the draft rules by February 18, 2025.
Verifiable Parental Consent for Children’s Data Collection
One of the most significant provisions in the draft rules is the requirement for verifiable parental consent before processing the personal data of children. Social media platforms, online services, and other data fiduciaries must obtain explicit parental permission before collecting or using a child’s data. This ensures that parents retain control over their children’s digital footprints.
The rules also mandate that data fiduciaries verify the identity of the person claiming to be the child’s guardian. This can be done through government-issued ID checks or secure digital tokens linked to identity services.
For example, if a child wishes to create an online account, the platform must ensure that the parent verifies their identity securely before the child’s data is processed.
Illustrative Example
According to the draft rules, if C is a child and P is her parent, and they wish to create an online account on DF’s platform, the process would look as follows:
- C informs DF that she is a child.
- DF requires P to authenticate themselves as the parent.
- P confirms their identity, having previously registered with DF’s platform.
- Only after this verification does DF proceed with processing C’s personal data.
Public Sector Use of Personal Data
The draft rules also allow State entities to process personal data for the purpose of providing subsidies, benefits, or services, but only in accordance with strict standards and safeguards. This provision ensures accountability and transparency in the public sector’s handling of personal data.
Enhanced Security Measures for Data Protection
The draft rules require data fiduciaries to implement robust security measures to protect personal data from breaches. These measures include:
- Data encryption for both storage and transmission.
- Access control to restrict data access to authorized personnel only.
- Monitoring systems to detect unauthorized access or usage of data.
Mandatory Breach Notifications
In the event of a data breach, data fiduciaries must promptly notify affected individuals. The notification must include:
- A description of the breach and its extent.
- The potential consequences for affected individuals.
- The measures taken to mitigate risks.
Data fiduciaries must also report any breaches to the Data Protection Board within a specified timeframe, ensuring accountability and transparency.
Data Retention Policy: No Unnecessary Storage
The draft rules emphasize that personal data must be erased once it is no longer required for its intended purpose. This encourages organizations to regularly review their data retention practices and limits the retention of unnecessary data.
Stakeholder Feedback and Next Steps
The government has opened the draft rules for consultation and expects to receive feedback from various stakeholders by February 18, 2025. After considering these inputs, the final rules will be notified, and organizations will be required to comply with the new standards for children’s data protection.