Executive Summary
Processing personal data of children requires verifiable parental consent and enhanced protections under Section 9 of DPDPA. This creates operational challenges around age verification, consent collection, and content appropriateness. This guide addresses practical approaches to compliant processing of children's data.
Key Takeaways
- 1Implement age gating or age verification appropriate to the risk level of processing
- 2Obtain verifiable consent from a parent or lawful guardian before processing
- 3Do not engage in processing likely to cause harm to children's wellbeing
- 4Tracking, behavioural monitoring, and targeted advertising present heightened concerns
- 5Design data collection interfaces appropriate for younger users where direct interaction occurs
1Understanding Section 9 Requirements
Section 9 prohibits processing children's personal data without verifiable parental consent. It also prohibits processing likely to have a detrimental effect on the wellbeing of a child and tracking or behavioural monitoring of children. These requirements create a higher compliance bar than general processing.
2Determining When Section 9 Applies
The first question is whether your processing involves children's data.
Define Your User Base
Consider whether your service is directed at children, accessible to children, or likely to have child users even if not specifically targeting them.
Age Threshold
DPDPA does not specify the age defining a child. Pending rule clarification, consider adopting a reasonable threshold aligned with industry practice, typically 13 or 18 depending on the service nature.
Actual Knowledge Standard
Consider when you have actual knowledge that a user is a child. Age declarations, parental consent requests, and usage patterns may create such knowledge.
3Age Verification Approaches
Before collecting children's data, organisations need mechanisms to identify child users.
Self Declaration
The simplest approach asks users to declare their age. While easy to circumvent, this may be sufficient for low risk processing. Document the limitations acknowledged.
Age Estimation Technology
Facial analysis or behavioural analysis tools can estimate age. These raise their own privacy concerns and have accuracy limitations.
Document Verification
For higher risk processing, require verification through identity documents. This is intrusive and often impractical for broad consumer services.
Neutral Age Gates
Avoid designs that teach children to lie about age. If your gate can be easily bypassed by entering a false birthdate, its protective value is limited.
Important Warnings
- •Age verification itself collects personal data and requires its own compliance consideration
- •Overly intrusive verification deters legitimate users without necessarily stopping determined minors
4Obtaining Verifiable Parental Consent
Once a user is identified as a child, parental consent must be obtained before processing.
Identify the Parent or Guardian
Establish who is authorised to consent. This requires identifying the parent or lawful guardian and their relationship to the child.
Verification Methods
Verify that the purported parent is actually the parent. Methods include credit card verification, government ID verification, video calls, signed consent forms, or knowledge-based verification.
Consent Request Content
Provide clear information about what data will be collected, how it will be used, and the specific protections applicable to children's data.
Document Consent
Maintain records of consent including verification performed, consent provided, and the specific scope of consent.
Practical Tips
- •Proportionality applies: verification rigour should match processing risk
- •Consent should be refreshable, not permanent. Periodic reconfirmation may be appropriate
5Prohibited Processing
Certain processing involving children is prohibited regardless of consent.
Detrimental Processing
Processing likely to have a detrimental effect on child wellbeing is prohibited. This requires assessing potential harms from specific processing activities.
Tracking and Behavioural Monitoring
Tracking children or monitoring their behaviour faces heightened scrutiny. This impacts common practices like analytics, personalisation, and recommendation systems.
Targeted Advertising
Targeted advertising directed at children based on their personal data is problematic. Consider age appropriate advertising approaches that do not rely on personal data targeting.
6Design Considerations
Services likely to be accessed by children should be designed with their interests in mind.
Default Privacy Settings
Apply privacy protective defaults for child accounts. Opt into data sharing rather than requiring opt out.
Limited Data Collection
Collect only data necessary for the service. Children should not be required to provide unnecessary personal information.
Appropriate Content
Ensure that content and features available to children are age appropriate.
Parental Controls
Provide tools for parents to monitor and control their children's use of the service where appropriate.
7Ongoing Compliance
Children's data protection requires ongoing attention beyond initial consent.
Age Transition
Consider what happens when children age into adulthood. Will processing basis and permissions transfer? Should consent be refreshed?
Consent Withdrawal
Parents should be able to withdraw consent and request deletion of their child's data.
Regular Review
Periodically review processing involving children against evolving regulatory guidance and best practices.