This article has been written by Anjali Chaudhary while interning with Le Droit India.
Abstract
The digital age has ushered in an era where data is a currency, and children—often early adopters of digital platforms—are inadvertently becoming sources of vast personal data. This article critically examines the legal landscape governing children’s data and privacy in India. With the increasing use of online platforms by minors, the collection, processing, and misuse of their data raise significant legal and ethical concerns. This piece explores constitutional protections, statutory provisions, judicial pronouncements, recent legislation including the Digital Personal Data Protection Act, 2023, and comparative insights with international frameworks like the GDPR and COPPA.
1. Introduction
Children, as a vulnerable group, require heightened protection—especially in the digital realm where their personal data is often collected, processed, and analyzed without their full understanding or consent. The rise of online education, social media, and gaming platforms has exacerbated risks such as profiling, exploitation, and behavioral manipulation.
Although India is rapidly digitizing, its legislative and institutional frameworks for protecting children’s digital privacy have historically lagged. However, recent developments, particularly the enactment of the Digital Personal Data Protection Act (DPDP), 2023, mark a significant shift toward data accountability and child safety.
2. Why is Children’s Data Protection Important?
Children are not just miniature adults. They lack the capacity to fully understand the consequences of sharing data online. This makes them more susceptible to:
- Surveillance and Profiling: Algorithms can target children with manipulative advertising.
- Identity Theft: Personal information can be harvested and misused.
- Online Predation: Inadequate safeguards lead to grooming and exploitation.
- Psychological Manipulation: Behavioral targeting influences their preferences and worldviews.
As digital participation becomes a necessity, ensuring children’s privacy rights becomes paramount.
3. Constitutional Protections
India’s Constitution, though drafted long before the internet era, enshrines several provisions that implicitly protect children’s privacy:
a) Article 21 – Right to Life and Personal Liberty
In Justice K.S. Puttaswamy v. Union of India (2017), the Supreme Court held that the Right to Privacy is a fundamental right under Article 21. Though not child-specific, this judgment applies to all citizens, including minors.
b) Article 15(3) – Protective Discrimination
The State is empowered to make special provisions for children, justifying stronger safeguards for child data under law.
4. Statutory Framework Prior to 2023
Before the DPDP Act, India lacked a dedicated data protection law. However, children’s data was indirectly covered under various legislations:
a) Information Technology Act, 2000 (IT Act)
- Section 43A: Allows compensation for failure to protect sensitive personal data.
- IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011:
- Requires consent for data collection.
- Doesn’t distinguish between adults and children.
Shortcoming: No child-specific definitions or obligations.
b) Juvenile Justice (Care and Protection of Children) Act, 2015
Prohibits disclosure of child identity in media and legal proceedings, thus protecting privacy in judicial contexts.
c) Right to Education Act, 2009
Restricts collection of demographic data but lacks robust digital protections.
d) Indian Penal Code & POCSO Act
Punishes digital abuse (e.g., cyberstalking or child pornography), but reactive, not preventive.
5. The Digital Personal Data Protection Act, 2023: A New Dawn
Enacted in August 2023, the DPDP Act is India’s first comprehensive data protection law. It introduces substantial provisions to safeguard children’s digital rights.
Key Features for Children’s Data Protection
a) Definition of a Child
- Section 2(i): Any individual under the age of 18.
b) Parental Consent
- Section 9(1): Data fiduciaries must obtain verifiable parental consent before processing children’s data.
c) Prohibition on Harmful Processing
- Section 9(2): Prohibits tracking, behavioral monitoring, or targeted advertising directed at children.
d) Guardianship Approach
- Parental consent is needed even for teenagers, unlike the GDPR which sets 13/16 as the threshold.
e) Exemptions
- Section 17 grants the government broad powers to exempt data fiduciaries under “public interest” or for state functions. This could potentially weaken child protections.
6. Strengths and Criticisms of the DPDP Act, 2023
✅ Strengths
- Clarity in defining children.
- Introduces parental control mechanisms.
- Prohibits behavioral profiling of children.
- Introduces the role of a Data Protection Board.
❌ Criticisms
- Over-inclusive definition: Treating all under-18s uniformly overlooks teenage autonomy.
- Parental verification burden may discourage compliance.
- Lack of a graded consent model.
- No mandate for child-centric design or privacy-by-design frameworks.
- Enforcement and oversight mechanisms still evolving.
7. Judicial and Regulatory Landscape
1. Justice K.S. Puttaswamy v. Union of India
(2017) 10 SCC 1
- Landmark judgment that recognized the Right to Privacy as a fundamental right under Article 21 of the Constitution.
- The court emphasized informational self-determination and child-specific vulnerabilities, laying the foundation for data privacy jurisprudence. “Children merit greater protection in matters of privacy because they are often unable to fully comprehend the implications of data disclosure.”
2. Avni Prasad v. Union of India & Ors.
(Delhi High Court, 2021)
- A public interest litigation (PIL) raising concerns about EdTech platforms collecting data from students without informed consent.
- The court issued notice to the Union Government seeking clarity on regulatory measures.
- Though still pending, it marks growing judicial attention to children’s digital privacy.
3. Supreme Court Observations on WhatsApp-Facebook Data Sharing (2021)
- In proceedings related to the WhatsApp privacy policy, the SC highlighted the importance of data protection for vulnerable groups, including minors.
- The court sought to balance corporate interests with user autonomy, reinforcing the idea that children require special safeguards in the digital ecosystem.
4. Faheema Shirin v. State of Kerala(2019)
- While not directly on children’s data, the Kerala HC upheld a student’s right to access digital platforms as part of right to education and privacy.
- Laid a foundation for treating minors’ digital access as a constitutional concern.
Regulatory Bodies and Their Roles
1. Ministry of Electronics and Information Technology (MeitY)
- Nodal ministry for data governance.
- Drafted the DPDP Act and Data Governance Policy.
- Released Advisories to EdTech companies (2022) to obtain parental consent and disclose data policies.
2. Central Board of Secondary Education (CBSE) & State Boards
- Issued informal advisories to schools on restricting third-party data sharing.
- No statutory authority on data privacy; needs integration with DPDP mandates.
3. National Commission for Protection of Child Rights (NCPCR)
- Plays a limited role in digital rights but has published reports on online child abuse and called for regulation of EdTech platforms.
- Can be empowered under future amendments to coordinate with the Data Protection Board.
4. Data Protection Board of India (DPBI)
– (proposed under DPDP Act)
- To serve as a grievance redressal and enforcement mechanism.
- Lacks child-specific mandates, unlike global peers such as UK’s ICO or US FTC.
8. Comparative Jurisprudence: GDPR and COPPA
a) General Data Protection Regulation (GDPR) – EU
- Requires parental consent for under 16 (can be lowered to 13).
- Emphasises transparency and age-appropriate communication.
- Promotes privacy by design and data minimization.
b) Children’s Online Privacy Protection Act (COPPA) – USA
- Applies to children under 13.
- Requires verifiable parental consent.
- Strictly regulates data collection, storage, and third-party sharing.
India vs Global Standards
| Feature | DPDP 2023 | GDPR | COPPA |
|---|---|---|---|
| Consent Age | 18 | 13-16 | 13 |
| Verifiable Consent | ✅ | ✅ | ✅ |
| Behavioral Ad Ban | ✅ | Conditional | ✅ |
| Privacy by Design | ❌ | ✅ | ❌ |
| Enforcement Mechanism | Weak (as of now) | Strong | Moderate |
9. Role of EdTech and Social Media Platforms
The COVID-19 pandemic triggered an explosion in EdTech platforms targeting minors. This has raised critical concerns:
- Unregulated data collection
- Lack of data anonymisation
- Third-party data sharing for advertising
The NCPI and NCPCR have issued advisories, but enforcement remains weak. Platforms like YouTube Kids and Instagram for Kids have come under global scrutiny, though Indian regulators have yet to issue comprehensive sector-specific rules.
10. Road Ahead: Recommendations for Strengthening Legal Safeguards
- Introduce a Graded Consent Model:
Allow children aged 13–17 to provide limited consent, subject to parental oversight.
- Mandate Child Impact Assessments:
Platforms must audit features and their impacts on child users before deployment.
- Stronger Role for NCPCR and DCPUs:
Child rights bodies should monitor compliance on platforms used by children.
- Data Literacy in Schools:
Curriculum should include modules on digital hygiene and privacy rights.
- Incentivize Age-Gating and Privacy-by-Design:
Encourage safer platform designs through compliance incentives.
- Fast-track Guidelines for EdTech:
NCPCR and MeitY must urgently regulate data practices of EdTech players.
11. Conclusion
India’s legal framework for protecting children’s data is evolving. The DPDP Act, 2023 marks a promising step, offering a structured and enforceable basis for protecting children in the digital age. However, challenges remain in enforcement, inclusivity, and balancing parental control with adolescent autonomy.
To make cyberspace truly safe for children, the law must be dynamic, child-centric, and reflective of emerging digital realities. Legal safeguards must be buttressed by institutional vigilance, technological innovation, and public awareness to ensure a secure digital future for India’s youngest citizens.
References
- Supreme Court of India. Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
- Digital Personal Data Protection Act, 2023. Government of India.
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
- B.N. Srikrishna Committee Report on Data Protection Framework, 2018.
- GDPR – General Data Protection Regulation. EU Regulation 2016/679.
- COPPA – Children’s Online Privacy Protection Act, 1998.
- National Commission for Protection of Child Rights (NCPCR).
- UNICEF India. (2021). Children and Digital Privacy in India: A Policy Perspective.
