Abstract

The researcher in this research paper dwells on the adequacy of children data protection in Digital Personal Data Protection (DPDP) Act, 2023 in India and explicates the significant loopholes, compared the actual provisions in the bill with the international provisions. The DPDP Act was adopted in August 2023 and it introduces the first full-fledged data protection regime in India in which children are listed as one special category of data subjects requiring greater protection. The present paper provides a comparison and contrast of the efficiency of verifiable parental consent procedures, tracking and behavioral surveillance boundaries, and enforcement actions taken in the United States by the Children On-line Privacy Protection Act (COPPA) and the European Union by their General Data Protection Regulation (GDPR). As we have discovered, despite such an underlying protection like parental consent requirement of children below the age of 18, the ban on target advertising and tracking, and the extensive penal regime (up to 200 crores) the DPDP Act still has numerous cracks in its implementation like the standards of consent verification, the method of age establishment, and the actual functioning of the Data Protection Board of India (DPBI). The key ingredients needed to safeguard the digital right of children as discussed in the paper are harmonization with international best practices and development of sector-specific guidelines on EdTech and social media platforms and effective enforcement controls. The comprehensive examination of cases and quantitative data regarding the trends in the global regulations has revealed that the DPDP Act is a step in the right direction that requires some effective support through other regulations as well as institutional reinforcement to make it so that the best standards of the world of system of child data protection can be considered.

Keywords

DPDP Act 2023; Children’s Data Protection; Parental Consent; Data Fiduciary; Digital Privacy; GDPR; COPPA; Data Protection Board of India; Age Verification; Online Child Safety.

1. Introduction

The fast-paced digital revolution in India has made the country a technological powerhouse, and it currently has about 459 million internet users, of whom a relatively high percentage are children and adolescents.[1]Though this digital proliferation provides the most educational and economic opportunities ever, it is also subjecting vulnerable populations to data collection, profiling, target marketing and exploitation. Lack of extensive legislation on data protection until 2023 presented a legal gap that personal data of children were handled with inadequate protection under disjointed regulations such as the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.[2]

India On August 11, 2023, the Digital Personal Data Protection Act became a breakthrough event in the data privacy landscape in India. Section 2(f) of the DPDP Act describes the child as somebody who has not attained the age of eighteen years and heightened protection is given to the above 400 million minors in India.[3]India On August 11, 2023, the Digital Personal Data Protection Act became a breakthrough event in the data privacy landscape in India. Section 2(f) of the DPDP Act describes the child as somebody who has not attained the age of eighteen years and heightened protection is given to the above 400 million minors in India.

[1]India Telecom Authority, ‘Annual Report 2023,’ Ministry of Communications, Government of India, p. 47 (asserting 459 million internet users with proportionate pediatric access).

[2]Information Technology Act, 2000, No. 21 of 2000, India Code (establishing baseline data protection through Section 43 tort liability and Rule 4 security obligations); Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Ministry of Information Technology & Telecom, S.O. 2314(E), 18 Oct. 2011 (creating fragmented sectoral protections).

[3]Digital Personal Data Protection Act, 2023, No. 49 of 2023, § 2(f), India Code (defining child as ‘individual who has not completed age of eighteen years’).