Imagine a child, wide-eyed with wonder, exploring the vast expanse of the internet – a universe brimming with possibilities. But amidst the vibrant colors and interactive games lies a hidden danger: the vulnerability of personal data. India’s recently enacted Digital Personal Data Protection (DPDP) Act, with its emphasis on verifiable parental consent, is a beacon of hope, signaling a commitment to safeguarding the digital rights of its youngest citizens. Yet, the path to effective implementation is fraught with challenges.

The Challenge of Verifiable Consent

At the heart of the DPDP Act lies the mandate for companies to obtain “verifiable parental consent” before engaging with children (below 18 years of age) and special abled people online.

However, the Act stops short of providing a clear roadmap, leaving room for interpretation and potential loopholes. Companies face the spectre of hefty fines for non-compliance, yet current methods such as self-declaration or document verification are riddled with limitations. The case of Uber in the US, where the ride-sharing app faced criticism for inadequate verification of minor users, serves as a stark reminder of the complexities involved.

Implementing robust verification systems across India’s booming internet user base, with an estimated 624 million children online (till 2021), is a Herculean task. While AI-based techniques offer a glimmer of hope, concerns about privacy and the high costs of implementation, especially for smaller companies, cast a shadow. However, AI isn’t the only avenue to explore. Zero-knowledge proofs, a cryptographic technique that allows verification of information without revealing the information itself, could offer another potential solution, striking a balance between protection and privacy.

Beyond Age

Verifying a child’s age is merely the first step in this intricate dance. Determining who holds the authority to provide consent in India’s diverse family structures can be a labyrinthine task. Single parents, guardians, or even grandparents may be the primary caregivers. Additionally, privacy concerns further complicate verifying parental identity and their relationship with the child.

The Act’s ambiguity surrounding “verifiable consent” opens the floodgates to potential legal battles. The strict liability approach, akin to the European GDPR’s or UK GDPR stance on children’s data, could discourage some organizations from offering services to children altogether. This could stifle the development of educational apps, games, and other online resources tailored for young audiences, potentially limiting their digital experiences.

Uncertainties also loom over the role of intermediaries. Can they be held strictly liable for verification failures, especially when children themselves might provide false information? The lack of clear guidelines regarding specific steps for verifiable consent could lead to disputes over the adequacy of companies’ measures. Intermediaries, such as schools or parents’ associations, could play a crucial role in the verification process, but their responsibilities and liabilities need to be clearly defined.

Collaborative Solutions for a Safer Digital Future

Clearer Regulatory Guidance: The government must provide detailed guidelines defining acceptable verification methods, perhaps adopting a risk-based approach tailored to the type of data being collected and the age of the child.

Industry Collaboration: Industry bodies can play a pivotal role by developing standardized verification mechanisms, such as a universal age verification system or a common consent form.

Empowering through Education: Awareness campaigns for both parents and children are crucial to foster digital literacy and responsible data practices. Parents need to understand the importance of data privacy and how to make informed choices about the online platforms their children access. Equipping children with the knowledge to navigate the digital world safely and responsibly is equally essential.

Balancing Act

In this endeavor, finding the right balance is paramount. Overly stringent verification processes could stifle innovation in child-focused technologies. The focus should be on ethical data collection and processing, ensuring children have enriching digital experiences without compromising their safety. For instance, age verification might be more critical for social media platforms than educational apps.

The DPDP Act is a significant stride towards safeguarding children’s data privacy, but the journey is far from over. By addressing practical challenges, clarifying legal ambiguities, and fostering collaboration between government, industry, and civil society, India can create a safer and more empowering digital environment for its children. Continuous research, open dialogue, and ongoing policy refinement will ensure the Act’s efficacy in the ever-changing digital landscape, allowing young navigators to explore the digital world with confidence and security. Protecting our digital natives is a shared responsibility, and by working together, we can build a future where children can thrive online without fear.

(The writer is a technology lawyer and co-founder of World Cyber Security Forum.)