Why Safeguarding Personal Data of Children is Crucial for Businesses in India

Why Safeguarding Personal Data of Children is Crucial for Businesses in India

by | Sep 28, 2023

Gajendra Maheshwari and Chinmay Verma 

In an increasingly digital world, personal data has become a valuable commodity. For businesses, the collection and processing of personal information are often vital to delivering products and services effectively. However, amid this data-driven landscape, there is a vulnerable demographic that requires special attention: children.

Safeguarding the personal data of children is not just an ethical imperative but also a legal necessity, particularly in India, where the data protection landscape is evolving rapidly.

In this article, we will delve into why it is crucial for businesses to prioritize the protection of children’s data and explore the implications of India’s data protection law – The Digital Personal Data Protection Act, 2023 (DPDPA) on businesses collecting data of children.

Why Protecting Children’s Data Matters

  • Ethical Responsibility: Beyond the legal obligations, businesses have an ethical responsibility to protect children’s privacy. Children lack the capacity to fully comprehend the implications of sharing their personal information online, making them particularly susceptible to privacy violations.
  • Legal Requirements: Various countries, including India, have recognized the need for specific data protection measures for children. India’s data protection law acknowledges this, and imposes additional obligations on businesses to process personal data of children.
  • Reputation Management: A data breach involving children’s personal data can be a PR nightmare. Such incidents not only damage a business’s reputation but can also result in financial losses due to legal actions and customer attrition.
  • Parental Trust: Parents trust businesses with their children’s data when they engage with online platforms such as educational apps or e-commerce websites. Violating this trust can have severe consequences for customer retention and brand loyalty.

Protection of Children’s Data Under DPDPA

The DPDPA contains specific provisions that impose additional requirements for collecting and processing personal data of children. All individuals under the age of 18 years are covered within the definition of children under the DPDPA.

The key provisions concerning data of children are summarized below:

  • According to the law, businesses are required to obtain parental consent to collect and process personal data of their children. The provision specifically states that ‘verifiable’ consent of the parent must be obtained; this means that an identity verification process must be adopted to ensure the identity of the parent. The manner in which such measures can be adopted will be prescribed in the subordinate legislations to follow.
  • Further, any tracking or behavioural monitoring of children or targeted advertising directed at children is prohibited. This may include processing operations that can be perceived as cyberbullying, sale of data to predatory advertisers, identity theft, unwanted profiling, targeting with harmful content, invasive school surveillance, social media monitoring, behavioural analytics for ed-tech apps, school issued devices and software etc.
  • The DPDPA also prohibits the processing of personal data of a child that is likely to cause any detrimental effects to the wellbeing of the child.

In addition to these specific provisions, business must adhere to other general provisions under the DPDPA to process personal data in a compliant manner. Some of the important general provisions are highlighted below in the context of the data pertaining to children:

  • Purpose Limitation: The law emphasizes the importance of limiting data processing to the purpose for which it was collected. This provision is especially critical when dealing with children, as data misuse can have severe consequences.
  • Data Minimization: Businesses must minimize the data collected from children to only what is necessary for the intended purpose. This helps reduce the risk of data breaches and misuse.
  • Data Security: The DPDPA mandates stringent data security measures. Businesses handling data, that may include data of children, must implement robust security protocols to protect this sensitive information from breaches.
  • Data Subject Rights: The law grants data subjects, including children, certain rights, such as the right to access, rectify, or erase their data. Businesses must be prepared to facilitate these requests.
  • Data Protection Impact Assessments: Specified businesses may need to conduct Data Protection Impact Assessment (DPIA) to assess the risks associated with processing children’s data and take appropriate measures to mitigate them.

Lastly, Businesses that are found to be in breach of the provisions regarding safeguarding personal data of children and not observing the prescribed obligations may attract a penalty of up to INR 200 Crore. Thus, businesses must initiate processes to ensure their compliance with the provisions of the DPDPA to reduce the risk of attracting a financial penalty.

Way Forward

As per recent reports, the Minister of State for Electronics and Information Technology has said that the Data Protection Board and additional guidelines will be put in place within one month. Large tech companies – that already have EU GDPR compliant measures in place, are likely to be given approximately 6 months to comply with DPDPA, whereas MSMEs will be given 12 months to fine tune their systems to comply with the DPDPA.

However, age gating measures, which are to be implemented by businesses that process personal data of children (to verify the age of the user) may be provided an extended timeline as developing the DPDPA compliant age verification mechanisms are technically complex processes.

Conclusion

Safeguarding the personal data of children is not just a legal requirement; it is also a moral obligation for businesses. India’s data protection law recognizes this by imposing specific obligations and responsibilities on organizations that handle children’s data.

Businesses collecting data of children must prioritize the compliance with these regulations to protect their reputation, maintain parental trust, and, most importantly, ensure the privacy and safety of children in the digital age. By doing so, they not only fulfil their legal obligations but also contribute to creating a safer online environment for the youngest members of society.

Reach Us

*In association with Moore, UAE

Disclaimer

You might have been redirected to this website if you accessed ReinaLegal.in or Headsup.in since both the firms have merged to form ReinHeads.

As per the rules of the Bar Council of India, we are not permitted to solicit work or advertise for our services. The user acknowledges the following:

  • there has been no advertisement, personal communication, solicitation, invitation or inducement of any kind whatsoever from us or any of our members to solicit any work through this website;
  • the user wishes to gain more information about us for his/her own information and use;
  • the information about us is provided to the user only on his/her specific request and any information obtained or material downloaded from this website is completely at the user’s volition and any transmission, receipt or use of this site would not create any lawyer-client relationship.
    • I AGREE