op-edPrivacyDPDP Rules, 2025

Safety of Children Online: A Privacy Trade-off?

Amid the global moral panic over online child safety, and in context of the recent Draft DPDP Rules, 2025, this post highlights the need for a more thoughtful approach that considers broader implications.

Medha Garg
Medha Garg
Shravani Nag Lanka
Shravani Nag Lanka

19 January, 2025
5 min read

Donate Now

Trade-off?

In a global moral panic to protect children online, nations seem to be scrambling for solutions, adopting measures that address perceived harms without fully understanding the complexities at hand.

Australia, for instance, recently passed legislation in November 2024 that bans social media use for all children under 16, with no exemptions even for those with parental consent, illustrating an extreme example.

Meanwhile, India enacted its Digital Personal Data Protection Act, 2023 (Data Protection Act) in August 2023, but it took 16 months of anticipation before we got the Digital Personal Data Protection Rules, 2025 (draft Data Protection Rules) to operationalise the Act.

The draft Data Protection Rules try to offer some solutions yet still raise significant concerns – particularly around the requirement for verifiable parental consent for users under 18.

This reflects a broader trend of one-size-fits-all measures that ignore the complexities of online safety, instead of encouraging a more thoughtful discussion on the real issues.

The Data Protection Act stipulates that platforms cannot process the data of individuals under 18, classified as 'children' under the Act, without obtaining verifiable parental consent from the parent or legal guardian.

The draft Data Protection Rules mention that the platforms must implement "appropriate technical and organisational measures" to ensure this consent is obtained prior to processing a child's data.

However, they provide no clarity on the exact mechanism for identifying children and how collecting parental consent will function.

They rely on self-declaration for consent, but this approach is inherently flawed as it creates an either/or situation. Either individuals misrepresent their age, bypassing the system, or there is widespread age gating across the internet, where every service provider demands an ID.

It forces people into a position where they must either lie or surrender more personal information than necessary, both of which undermine privacy and security.

Children, who are often more tech-savvy, can easily lie about their age or provide false information, bypassing any age verification. Further, there is no way for platforms to verify a parental or guardian relationship, when processing personal data for a child. Consent could easily be granted by an older sibling or a friend.

The confusion is further exacerbated by the statements provided by Minister of Electronics and Information Technology Ashwini Vaishnaw and senior officials of the ministry.

Vaishnaw, in an interview with NDTV, stated that platforms would need to obtain parental consent before processing the data of minors.

To do this, they must also verify the parent's credentials, which could be accomplished using verified data points or virtual tokens from existing platforms, such as banks and schools.

Additionally, Information Technology (IT) Secretary S Krishnan, in an interview with Hindustan Times, acknowledged the fundamental challenges in implementing parental consent requirements and conceded that relying on self-declaration by children could be prone to abuse.

“The problem really is that while wanting to protect, you are actually forcing the sharing of more data. So, you have to be very careful,” he said.

These statements reflect a broader trend of the government still attempting to resolve implementation issues, despite having nearly 16 months to address it.

Now, if we zoom out a little, apart from the enforceability concerns, the rule regarding parental consent has broader implications.

Clearly, in a panicked bid to offer some solution for the protection of minors on the interweb, the unintended consequences were overlooked.

Firstly, as per the Oxfam’s India Inequality Report 2022, only 38 percent of Indian households are digitally literate. Asking parents/guardians to provide “free” and “informed” consent who may not fathom the gravity of the consequences, fails the intended aim of parental consent.

Either the minors, who are more digitally savvy will fake consent, find a workaround, or provide false information, not to forget the high instances of device sharing in the Indian households.

The alternative? Children may be denied access to digital tools that are essential in today’s world.

The requirement of parental consent hinders children’s opportunities and the flow of information. This is true, especially in a country like India, where the social situation of the country is more layered and complex than its western counterparts.

Trading Parents' Privacy For Kids' Safety?

Ultimately, the catch-22 remains for all the guardians and parents who will have to provide their own identifiable sensitive data to provide consent to processing of their children’s data.

This is a huge trade-off, not backed by any additional protection.

The government’s push for digital identity systems such as the Aadhaar ID, APAAR ID, and state-specific IDs such as Haryana’s Parivan Pehchan Patra only further incentivises data collection by both internet intermediaries and the state, raising serious concerns over data security and surveillance.

Not only will internet intermediaries have access to your sensitive identifiable information, but the government will also have data on your internet activity.

This raises serious privacy concerns, as it promotes surveillance, undermines data minimisation, and increases the risk of data breaches. Over-collection of personal information heightens the potential for misuse, and takes away individuals’ control over their own data.

The Data Protection Act along with the draft Data Protection Rules also fail to address one of the key issues: how does parental consent guarantee protection from harmful content?

For example, while a parent may consent to a child using Facebook, harmful content could still easily be accessed, with the law only focusing on data processing.

This one-dimensional approach ignores the broader issue of online content moderation.

Need a Collaborative Approach to Safety

The government seems to be dealing with the current issue in silos from the broader issue of privacy.

This either/or approach—requiring parental consent while limiting children’s digital opportunities— is counter-intuitive as it undermines both privacy and children’s autonomy.

Rather than adopting a nuanced strategy to address the multifaceted challenge of online safety, the government appears to have opted for a more expedient solution—placing the entire onus of safeguarding children on parents by mandating their consent for minors’ access to the internet.

The challenge of ensuring online safety for children cannot be solved by a single measure, and any solution will only provide a layer of protection.

Relying solely on tech companies or the government is insufficient. It is essential to foster broader awareness, involve civil society, and empower parents to take an active role in their children’s digital lives.

While not flawless, platforms like Instagram already offer valuable tools—parental supervision on Instagram—that give parents the ability to guide their children’s online experiences without imposing blanket restrictions.

These efforts may be expanded, not replaced with sweeping, sub-par laws.

We should focus on a collaborative approach that balances safety with children’s autonomy and access to valuable digital opportunities.

By focusing on removing technology, the core issue is overlooked: the need to hold tech companies accountable and redesigning platforms to prioritise children's development and safety. Have we, most importantly, asked the children for their input?

This opinion piece was originally published on The Quint website on January 18, 2025.

Subscribe to our newsletter, and don't miss out on our latest updates.

Similar Posts

1
Supreme Court issues notice in Sushant Singh's transfer petition challenging website blocking

Sushant Singh has sought transfer of his writ petition from the Bombay High Court to the Supreme Court, challenging Rules 8 and 16 of the IT Blocking Rules, 2009. On 02.05.2025, the Supreme Court issued notice and tagged it with SFLC’s pending petition raising similar issues.

6 min read

2
Section 44(3) and the Systematic Dismantling of the RTI Act: A Fact Check to Ashwini Vaishnaw

Section 3 has no relevance to the RTI amendment, and Mr. Ashwini Vaishnaw's response fails to address the core concern: Section 44(3) weakens citizens’ right to information and transparency in governance. IFF does a fact check. 

6 min read

3
Budget Session 2025: A Digital Rights Review

The Budget Session of Parliament, held from January 21 to April 4, 2025, included a recess from February 13 to March 10 for Standing Committee reviews. Key discussions covered various national issues, including digital rights and freedoms.

12 min read

Donate to IFF

Help IFF scale up by making a donation for digital rights. Really, when it comes to free speech online, digital privacy, net neutrality and innovation — we got your back!