A person below the legal drinking age in Delhi (25 years) once found a simple workaround to enter bars in the city: they edited their Aadhaar PDF to add on a few years, got a colour printout, and laminated it. It was that simple. India’s Data Protection Law enforces upon Children below the age of 18, the unfortunate requirement of getting verifiable parental consent before accessing any app or a website. Rules and laws are only as good as their enforcement. In past articles, I repeatedly highlighted issues with this clause because it robs people below 18 of their agency. We needed a graded approach to consent and risk, but the Indian Government thought otherwise.
The current leadership at the Ministry of Electronics and Information Technology (MeitY) has attempted to fix the mess their predecessors left by defining four scenarios for parental consent. Two of these rely on the child self-declaring their age to an online business (a “Data Fiduciary”), which is laughable. The remaining two involve a parent opening an account on behalf of the child.
Here’s a set of probable scenarios MeitY has missed, which unfortunately create confusion about the liability of online businesses.
Missing Scenario 1: The child lies about their age
The cases illustrated in the rules assume that the child will declare themselves as a child and won’t lie, especially if a parent declines to give consent. But there can be instances where:
1.a. The online business detects that a user may be a child; or
1.b. Someone complains that a child has not disclosed their age.
While there is an exemption for processing of data for confirmation by the Data Fiduciary that the Data Principal is not a child, under the condition that “Processing is restricted to the extent necessary for such confirmation or observance”, this does not protect online businesses. They may still have unknowingly processed behavioural data belonging to a child. There is no guidance on what counts as “actual knowledge” that a user is an unverified child, nor any instructions on what platforms should do next.
Probable solution: On a best efforts basis, platforms need to collect information including behavioural patterns and other indicators that allow it to determine the age of a person, on suspicion that C maybe a child, require age verification, and subsequent verifiable parental consent, failing which the account shall be suspended. The platform should have a specified period of time where upon being informed that an account is that of a child, they need to verify the age.
Missing Scenario 2: The cases illustrated assume that it is the parent who will directly interact with online businesses to give consent. The following situations are not covered:
2.a. The child may onboard using an adult’s ID (relative, sibling, neighbour, or stranger), or identity and age.
2.b. The platform receives a complaint or gets an indication that the entity who has given parental…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
