Obtaining verifiable parental consent for gaming companies is a catch-22 situation, ET LegalWorld

According to section 9 of the DPDP Act, a data fiduciary shall, before processing any personal data of a child or a person with a disability who has a lawful guardian, obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed.

Verifiable parental consent refers to obtaining permission from a parent or guardian and confirming their identity in a manner that ensures legitimacy before collecting, using, or sharing a minor’s personal information.

While the DPDP Act mandates this practice to safeguard the interests of children, is it possible to put this into practice? Is it easy for data fiduciaries to obtain verifiable parental consent? Let’s say a user is successfully identified as a child. Then what? Can data fiduciaries, in this case gaming companies, reach out to the child’s parents or legal guardian to get their ‘approval’? And if an entity fails to comply with this norm, they’ll be slapped with a hefty fine that can go up to 200 crore rupees. What could be a worse catch-22 situation than this?

The gaming industry thrives on real-time interactions and quick onboarding, so any delays or complexities in securing consent could disrupt user experiences. But what happens if a parent gives their approval, only to revoke it later, citing concerns about the nature of the games or in-game purchases? The operational headache this creates for gaming companies is bound to be insurmountable.

While the gaming industry awaits the arrival of the DPDP rules, this latest regulation is bound to affect different gaming sectors differently. For example, companies falling under the ‘free-to-play games’ category have users who are usually below 18. That means such data fiduciaries have additional obligations hanging over them.

Discussions on child protection are gaining momentum across industries. Recently, the National Commission for Protection of Child Rights (NCPCR) held a meeting with different social media platforms to address children’s exposure to adult content. The Commission stressed obtaining parental consent via KYC verification for users under 18.

The Challenges of Collecting Verifiable Parental Consent in India

What seems close to impossible is securing parental consent. Indian identity documents usually don’t include the contact information of parents or legal guardians, making it difficult for data fiduciaries to reach out to them, let alone verify them.

Age-gating, or ensuring that users of the correct age access certain content or services, comes with its own set of obstacles. While the Aadhaar Demographic Solution is a widely used tool for identity verification, it lacks the precision needed for exact age determination. It typically provides broad age bands (e.g., 10-20, 20-30), making it unreliable for pinpointing whether a user is specifically under 18 or over 18. As a result, companies can’t always trust this method to ensure compliance with the DPDP Act’s age verification mandates.

Employing methods like OCR to extract age details from documents like Aadhaar or PAN introduces another layer of complexity. It does not address the main problem of identifying, contacting, and verifying that it’s the same parent giving the consent and not someone else (sometimes the child himself).

Since this situation looks complicated in India, how are other countries obtaining verifiable parental consent? How are they dealing with the challenges of age-gating? The Children’s Online Privacy Protection Act (COPPA) in the USA mandates that companies must obtain verifiable parental consent for children under 13. They use methods such as signed consent forms, small credit card charges, and even video calls to ensure that a parent is involved in the process. The European Union’s General Data Protection Regulation (GDPR) makes sure that entities obtain parental consent via digital signatures, verification emails, and two-factor authentication before processing the data of children under 16 (or lower, depending on the country).

Possible Solutions for India

To address these challenges, India can take inspiration from these global practices while tailoring them to local conditions. A few potential solutions include:

  • Establish a parental guidance body: The gaming industry could set up a standardized rating system that informs consumers, especially parents, about the nature of the game’s content (violence, language, sexual content, etc.) and the age group it is appropriate for. This can be similar to how movies are rated PG, PG-13, or R.
  • Improved API Capabilities: Enhancing the Aadhaar Demographic solution to deliver more precise age verification for services requiring stringent compliance.
  • Parental Identification Systems: Developing integrated systems that allow platforms to identify and contact parents, possibly through collaboration with government databases or educational institutions.
  • Web3-Based Solutions: Implementing Web3 technologies to create verifiable credentials for both children and parents. This decentralized approach could provide tamper-proof, easy-to-verify records of parental consent across various platforms.
  • KYC Integration: Using KYC frameworks to streamline the parental consent process, ensuring both the child and parent are properly verified before any data is processed.
  • Consent Managers: They can streamline the process of obtaining parental consent by establishing a parent-child relationship once, allowing parents to provide consent on behalf of their children without the need for repeated verifiable parental consent each time.

As the DPDP rules roll out, the gaming industry must confront the challenges of protecting children’s data in a way that balances compliance with user experience. Age-gating and verifiable parental consent, while crucial for safeguarding minors, are not easy to implement under India’s current digital infrastructure. By adopting best practices from other regions and upgrading verification systems, India can establish a more secure environment for children in the online space. The journey toward data privacy for children is complex, but with the right mix of regulation and innovation, it’s a game worth playing.

  • Published On Oct 29, 2024 at 10:50 AM IST
