Draft Indian data protection rules set vague age assurance, consent requirements

India’s Ministry of Electronics and Information Technology (MeitY) wants to require consent for personal data processing and age assurance for social media with draft rules to operationalize its data protection law. The exact tools and methods allowed for authenticating consent or performing age checks are not set out in the published draft.
The “Digital Personal Data Protection Rules, 2025” is subordinate legislation to the Digital Personal Data Protection Act, 2023 (DPDP Act), which passed nearly 17 months ago.
Platforms that hold data, like social media, ecommerce and gaming platforms, are considered “data fiduciaries” (DF), and will need to collect verifiable consent to store user data.
Children below 18 years old will have to obtain parental consent to open social media accounts, with the age and identity of the parent authenticated by reference to a government-issued or approved source, which could include the parent’s DigiLocker.
The four examples provided in the draft text all involve either the child or their parent informing the DF that the user is a child. Age verification methods are not specified, and no mention is made of biometric facial age estimation.
“For a child, the Data Fiduciary must verify that the parent is an adult by using reliable identity details or a virtual token mapped to such details,” an explanatory note from MeitY says.
The rules also include new data breach notification responsibilities and conditions under which personal data must be deleted, such as after a period of account dormancy.
The whole will be overseen by a Data Protection Board which can levy penalties of up to 2.5 billion rupees (approximately US$29.2 million).
The Internet Freedom Foundation criticized the draft rules in a series of nine posts to social media platform X, emphasizing that the public consultation is not transparent. The draft has not been published in most of the country’s official languages and the group says MeitY can choose not to publish all comments.
The Ministry says submissions “shall not be disclosed to any one at any stage, enabling persons to submit feedback/comments freely without any hesitation. A consolidated summary of the feedback/comment received, without attribution to stakeholder, shall be published after the finalization of the Rules.”
MeitY is accepting feedback on the draft rules until February 18, 2025.
Article Topics
age verification | biometrics | children | data protection | digital identity | Digital Personal Data Protection (DPDP) Act | India | legislation | social media
Comments