NEW DELHI: There will be no age-gating for children to join social media platforms in India, but those under 18 will require “verifiable consent” of parents, say draft rules of the digital personal data protection (DPDP) Act released late Friday by the IT ministry. Data fiduciaries – under which the draft rules club e-commerce, social media and gaming platforms – can process children’s data only after provision of details and documents, issued by authorised entities, by the parent giving consent.
The draft rules also impose restrictions on transfer of certain classes of “personal data” outside India, in line with recommendations by a committee formed for this purpose by the central govt. “A significant data fiduciary shall undertake measures to ensure that personal data specified by the central govt…is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India,” the rules say.
These curbs are likely to be an irritant for top social media and internet companies such as Meta, Google, Apple, Amazon, and Flipkart, which may oppose the measure in their feedback to the ministry.
Stakeholder comments on the draft will be accepted till Feb 18.
The draft rules were being anxiously awaited by social media giants, particularly with regard to the Centre’s stand on processing of data of children and any possible age-gating.
Highlighting the need for “verifiable consent” for processing of personal data of a child or of a person with disability who has a lawful guardian, the draft rules say a data fiduciary shall adopt “appropriate technical and organisational measures” to ensure that verifiable consent of the parent is obtained first.
The data fiduciary “shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable” if required in connection with compliance with any law in force in the country.

The verification can come in the form of “reliable details of identity and age” already available with the data fiduciary. Alternatively, documents can be voluntarily provided by the parent that give “details of identity and age or a virtual token mapped to the same, which is issued by an entity entrusted by law or the central govt or a state govt”. Such details can be made available by a Digital Locker service provider.
Illustrating the process, the draft rules say, “Child (C) informs Data Fiduciary (DF) that she is a child. DF shall enable C’s parent to identify herself through its website, app or other appropriate means. Parent (P) identifies herself as the parent and informs DF that she is a registered user on DF’s platform and has previously made available her identity and age details to DF. Before processing C’s personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P.”
If the parent is not a user of the platform, “C informs DF that she is a child. DF shall enable C’s parent to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she herself is not a registered user on DF’s platform. Before processing C’s personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or govt with maintenance of the said details or to a virtual token mapped to the same, check that P is an identifiable adult. P may voluntarily make such details available using the services of a Digital Locker service provider.”