How to Comply with Section 9 of the Digital Personal Data Protection Act, 2023?
Enhanced protections for children and persons with disabilities under the DPDP Act
What sets the Digital Personal Data Protection Act, 2023 (DPDP Act) apart from the other legislation is its effort in recognising that certain vulnerable groups require enhanced protections due to the inherent discrimination and difficulties they endure.
Section 9 of the DPDP Act specifically addresses these concerns. It establishes a protective framework for children and persons with disabilities. This reflects how the legislation acknowledges that these individuals have a limited capacity to understand the implications of data processing and make informed decisions about their personal information.
Let us examine the provision in detail.
Verifiable Parental/Guardian Consent Requirement
The basic principle enshrined in the DPDP Act is that the Data Fiduciary is required to obtain the consent of the Data Principal before processing his personal data through a notice. Section 9 (1) of the Act builds upon this principle and provides that the Data Fiduciaries must obtain verifiable consent from the parent of a child or the lawful guardian of a person with disability before processing their personal data.
Please note that the consent of the parent involves the consent of the lawful guardian.
The Act mandates that such consent must be obtained "in such manner as may be prescribed," indicating that the specific procedure for verification will be detailed in the DPDP Rules.
Prohibition on Harmful Processing
Section 9 prohibits the processing of any such personal data that has the potential of causing a "detrimental effect on the well being of a child." Therefore, Section 9(2) creates an obligation on the Data Fiduciary to make sure that the best interests of children and persons with disabilities are protected.
Ban on Tracking, Monitoring, and Targeted Advertising
Section 9(3) specifically prohibits three types of data processing activities directed at children:
1. Tracking
Following a child's online activities across different websites or services
2. Behavioral Monitoring
Observing and analyzing patterns in a child's digital activities to build profiles
3. Targeted Advertising
Delivering personalized advertisements to children based on their data or profiles
Exemptions
There are a few exemptions to the requirements stipulated under Sections 9(1) and 9(3) of the Act. These are as follows:
There are certain classes of Data Fiduciaries and processing purposes which are exempted from obtaining parental consent before processing the personal data of the children. These are provided for under the Draft DPDP Rules.
By way of a notification, the Central Government may exempt a Data Fiduciary from certain obligations provided for under this provision. This exemption would be available for processing the data of children above a certain age group only if the Data Fiduciary has demonstrated its processing to be "verifiably safe."
These exemptions provide flexibility while maintaining the protective framework. This is because it is important to recognize that some data processing activities are actually crucial in light of few activities, such as educational and healthcare purposes of the children.
Compliance with Section 9 of the DPDP Act
Data>Nuance can help businesses and organisations ensure compliance with Section 9 by helping them adopt the following practices:
Organisations need to adopt and implement robust mechanisms which ensure the age of the Data Principals. This will alert the organisations in case the data being processed is of a child, thus, enabling them to undertake the required procedure for such processing.
Technical frameworks must be developed to obtain and verify parental/guardian consent in order to ensure compliance with the provisions of the DPDP Act.
Organizations must evaluate whether their data processing could potentially cause any detrimental effect on children's well-being.
Businesses must modify their advertising technologies to ensure children are not subject to behavioral tracking or targeted advertising.
Conclusion
Section 9 of the DPDP Act plays a crucial role in this digital age by establishing a comprehensive framework for protecting children and persons with disabilities. The DPDP Act provides for the creation of a strong safeguard by requiring verifiable parental/guardian consent, prohibiting harmful processing, and banning tracking and targeted advertising directed at children.
Get Started with Data>Nuance
Stay compliant, stay safe. Reach out to Data>Nuance to comply with Section 9 and the other provisions of the DPDPA. Ensure your practices meet legal standards while safeguarding your business from regulatory penalties. Let's make compliance effortless—before regulators make it expensive!
Need Expert DPDPA Implementation Support?
Get personalized guidance on implementing Section 9 compliance requirements for your organization.