NCPCR likely to seek clause for parents’ consent under data protection rules
Under Section 9 of Digital Personal Data Protection Act, entities must obtain “verifiable consent” from parents or guardians before processing children’s data.
The National Commission for Protection of Child Rights (NCPCR) is likely to write to the ministry of electronics and information technology, asking it to prescribe methods in the upcoming draft Digital Personal Data Protection (DPDP) Rules to verify parents’ or guardians’ consent for the use of children’s data, the body’s chairperson said on Tuesday.
“There is a need to start verification of children on platforms as given under the data protection act,” said NCPCR chairperson Priyank Kanoongo. “For verification online, KYC is the best mechanism used thus far,” he said, suggesting that this could be a method that the body recommends to MeitY.
This follows the child rights body’s meeting with executives from social media companies on August 13, where Kanoongo spoke about the need for ID-based verification via KYC procedures for children and compared banking with social media.
At least one executive said that such KYC procedures are used for financial transactions, to which Kanoongo had said that platforms engage in “emotional transactions”, at least one person aware of the matter said.
Under Section 9 of the Digital Personal Data Protection Act, entities that control data must obtain “verifiable consent” from parents or guardians before processing children’s data.
In a meeting with social media companies on July 18, senior MeitY officials had acknowledged the technical challenges of implementing verifiable parental consent, and said that the government does not intend to prescribe specific mechanisms for verifying parental consent, HT had reported on July 19.
On Monday, IT minister Ashwini Vaishnaw had said that the government had resolved the issue around processing consent for children’s data and the details would be revealed when the draft rules are released for consultation, which, he said, will happen within 30 days.
“I cannot understand that if something is written in an Act passed by the Parliament, how can they say now? We are regularly interacting with MeitY. If they did not intend to introduce a mechanism to verify parental consent, why would it be included in the Act?” Kanoongo asked, while clarifying that the NCPCR and MeitY are on the same page when it comes to the Act.
In the meeting, Kanoongo said that he would make two recommendations to MeitY: first, to introduce KYC-based verification of parental consent; and second, to insist that the US-based National Center for Missing and Exploited Children (NCMEC) reports child sexual abuse material (CSAM) online in real time to Indian authorities.
NCMEC runs CyberTipline, the centralised system in the US where individuals and online platforms report CSAM. To be sure, India’s National Crime Records Bureau (NCRB) is the agency that receives ‘CyberTipline reports’ from NCMEC through an MoU signed in April 2019. As per the MoU, NCRB must download such reports “promptly” after it is informed via email that NCMEC has made a CyberTipline report accessible to NCRB. In 2023, using geographical indicators related to the upload location of the reported CSAM, NCMEC referred more than 8.9 million reports to NCRB, the highest for any country, and accounting for about a quarter of all reports it got.
The August 13 meeting was attended in person by Indian public policy executives from YouTube, Instagram, WhatsApp, Snap, and ShareChat. It was attended virtually by the resident grievance officer of Twitter (now X) Vinay Prakash, X’s senior director of public policy for APAC Kathleen Reen, vice president of policy at Reddit Jessica Ashooh, and Bumble’s European lead for public policy Morgane Taylor.
Moneycontrol first reported that the NCPCR intends to send such a letter.