Verifying the Consent of Parents/Legal Guardians under the Draft DPDP Rules
Comprehensive framework for ensuring verifiable consent of parents and lawful guardians before processing personal data of children and persons with disabilities.
Introduction
The Draft DPDP Rules have introduced a robust mechanism to ensure that the personal data of children and persons with disabilities are safeguarded. Rule 10 provides that the Data Fiduciaries are under a mandate to adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent or lawful guardian is obtained before processing the personal data of a child or a person with disabilities.
Verifiable Parental Consent
The Rules establish a comprehensive framework requiring data fiduciaries to adopt appropriate technical and organizational measures. These measures are crucial to verify the identity and age of a parent before processing the personal data of a child.
Data fiduciaries can fulfill this obligation by adopting either of the two following pathways:
The first verification method is the utilisation of the "reliable details" that the Data Fiduciaries possess. For instance, if the parent is already a registered user of the app selling clothes and his/ her child wishes to register for the same, the Data Fiduciary can leverage existing age and identity information to confirm their status as an adult.
Where no pre-existing relationship exists between the Data Fiduciary and the parent, Data Fiduciaries must rely on:
- Voluntarily provided identity and age details, or
- Virtual tokens mapped to these details, issued by authorized entities such as digital locker service providers designated under the Information Technology Act, 2000
This approach provides flexibility while ensuring verification integrity, allowing organizations to implement verification methods appropriate to their operational context.
Exemptions from Consent Requirements
Rule 10 also recognizes certain exemptions from these strict consent requirements. These exemptions apply to:
Clinical establishments, educational institutes and mental health establishments are exempted from these strict consent requirements when processing the personal data of children.
Activities such as verifying whether a data principal is a child or creating limited-purpose user accounts for email communication may proceed without these consent requirements.
These exemptions also extend to the prohibited practices of tracking, behavioral monitoring, and targeted advertising involving children in these particular cases.
Lawful Guardianship for Persons with Disabilities
The DPDP Rules also extend special protection to persons with disabilities. It provides for guardianship verification requirements which provide that the Data Fiduciaries must:
- Observe "due diligence measures" to ensure that individuals identifying themselves as lawful guardians are appointed by the courts, designated authority or a local level committee under existing laws.
- Implement appropriate measures to verify the documents of the guardian
Conclusion
These specific rules for verifying the consent of the parents and the lawful guardians ensures the responsibility of the Data Fiduciary for developing appropriate measures to ensure that the personal data of children and persons with disabilities is safeguarded.
Related Resources
Need Expert DPDPA Implementation Support?
Get personalized guidance on implementing parental consent verification requirements for your organization.