Under the Digital Personal Data Protection (DPDP) Act, the Indian government is considering the introduction of an umbrella framework to guide companies on consent management practices, rather than issuing detailed, prescriptive rules. This approach aims to provide businesses with flexibility while ensuring that data protection principles are upheld.
The executive rules under the Digital Personal Data Protection (DPDP) Act are designed to balance the need for robust data protection with practical considerations for smaller organizations and educational institutions.
The rules under the Digital Personal Data Protection (DPDP) Act are expected to introduce broad guidelines for companies on consent management rather than specific, detailed rules. This approach will give businesses a general framework to follow, allowing for flexibility in implementation while ensuring that essential data protection principles are maintained.
Key Aspects of the DPDP Act and Executive Rules:
# Broad Guidelines for Consent Management:
The upcoming rules will provide a broad framework for consent management, allowing flexibility for organizations to implement these guidelines in a manner suited to their specific needs and resources. This approach aims to minimize business disruption, especially for smaller entities like schools.
# Parental Consent Requirements:
Under the DPDP Act, users under the age of 18 are classified as children. These minors must obtain verifiable parental consent to access social media and other online services provided by internet intermediaries. This requirement is intended to enhance protection for children’s data and privacy online.
# Exemptions for Smaller Entities:
The rules will likely offer some leniency to smaller organizations, such as schools and universities, which may face challenges in investing heavily in consent management infrastructure. This is to ensure that these institutions can comply with the Act without undue financial burden.
# Restrictions on Data Use for Children:
The DPDP Act explicitly prohibits the behavioral tracking of children on digital platforms and disallows targeted advertising for users below the age of 18. This is outlined in Section 9 of the Act and reflects the government’s commitment to protecting children’s privacy from intrusive advertising practices.
# Stakeholder Engagement:
In July, the Ministry of Electronics and Information Technology held consultations with various stakeholders, including social media intermediaries and internet companies, to discuss the implementation of verifiable parental consent. These discussions included clarifications on whether tracking children’s activities for advertising purposes would be permitted, addressing concerns raised by industry players.
To comply with the law, schools and universities will need to implement consent management practices in accordance with the new rules. However, they may receive some flexibility in how they achieve compliance, reflecting their resource constraints.
Social media and internet companies must ensure that they obtain verifiable parental consent before allowing minors to use their services. Additionally, they must comply with restrictions on behavioral tracking and targeted advertising for users under 18.
All organizations handling children’s data must prepare to adapt to the new regulations, ensuring they have appropriate systems in place for obtaining and managing parental consent, while also adhering to restrictions on data usage.
The rules under the DPDP Act aim to balance the need for data protection with the flexibility for businesses to innovate and adapt. The broad guidelines will provide a framework for responsible data management, while specific sectors like ed-tech will need to navigate stricter compliance requirements, reflecting the nuanced approach taken by the government.