NewsCanvassEdu

What Is the DPDP Act? Provisions, Consent Rules, and Global Comparisons

What Is the DPDP Act? Provisions, Consent Rules, and Global Comparisons

The Digital Personal Data Protection (DPDP) Act, 2023 marks a significant step in India’s journey toward data governance and privacy protection. While the DPDP Act has largely been welcomed by the tech industry for its streamlined compliance structure, one clause has sparked significant debate — the requirement for verifiable parental consent when processing children’s data.

Industry Concern: Verifiable Parental Consent Under the DPDP Act

One of the most contentious provisions under the DPDP Act is its mandate requiring tech platforms to verify the age of users under 18 and obtain parental consent before collecting or processing their personal data.

Key Developments

  • The Ministry of Electronics and Information Technology (MeitY) has not yet identified a conclusive technological mechanism to implement this provision effectively.
  • In a recent internal meeting, it was acknowledged that reliably establishing the parent-child relationship in a digital context remains a major challenge.
  • The DPDP Act, 2023 has deferred to rule-making for such modalities, leading to a delay in finalizing the rules, which are essential to operationalize the legislation.

Core Requirement: Section 9 of the DPDP Act on Children’s Data

Under Section 9 of the DPDP Act, data fiduciaries are required to:

  • Verify the age of a digital user and confirm if they are below 18 years.
  • Obtain verifiable consent from a parent or guardian before processing any personal data of minors.
  • Refrain from conducting harmful data processing or targeted advertising for minors.
  • Exemptions may apply to healthcare and educational institutions, or based on the specific purpose for which the data is processed.

Implementation Roadblocks and Delays

The biggest roadblock to enforcing the DPDP Act remains the implementation of the verifiable parental consent clause:

  • MeitY initially explored using DigiLocker (linked to Aadhaar) to verify guardianship, but concerns over scalability and privacy led to its rejection.
  • An alternative idea of a government-authorized electronic token system was also discussed but found to be impractical.
  • As a result, more than 25 critical provisions of the Act remain inoperative until the rules are framed.

Global Practices: How Other Countries Handle Parental Consent

United States – COPPA (Children’s Online Privacy Protection Act)

  • Does not prescribe a specific method.
  • Requires operators to use a method “reasonably designed” to confirm the consent is from a parent.

European Union – GDPR (General Data Protection Regulation)

  • Mandates “reasonable efforts” to ensure that parental consent has been given for processing data of children under 13.
  • Emphasizes technological feasibility and risk-based assessment.

Key Takeaway:

Global privacy laws like COPPA and GDPR do not prescribe specific technologies but focus on accountability and due diligence by data collectors — an approach India may also consider while implementing the DPDP Act.

Overview of the DPDP Act, 2023: Objectives and Structure

What is the DPDP Act?

The DPDP Act, 2023 is India’s comprehensive data protection framework that:

  • Regulates the processing of digital personal data.
  • Ensures that such data is used only with individual consent.
  • Applies to data collected in India or processed by entities abroad offering goods or services to Indian users.

Origins

  • Based on recommendations by the Justice B.N. Srikrishna Committee.
  • Introduced after several iterations and public consultations.

Key Terms in the DPDP Act

  • Data Principal (DP): The individual to whom the data belongs. Has rights to consent, withdraw, and seek correction or erasure.
  • Data Fiduciary: Entity that decides the purpose and means of data processing.
  • Consent: Must be informed, specific, and revocable. Parents/guardians must consent on behalf of minors.

Core Provisions of the DPDP Act

Rights of Data Principals

  • Right to know what data is being processed.
  • Right to correction and erasure.
  • Right to grievance redressal.
  • Right to nominate a representative in case of death or incapacity.

Duties of Data Principals

  • Should not file false complaints.
  • Must not impersonate others or provide incorrect data.

Obligations of Data Fiduciaries

  • Ensure data accuracy and security.
  • Report breaches to affected individuals and the Data Protection Board of India.
  • Erase personal data once the purpose is fulfilled.

Data Transfer and Storage Outside India

  • The DPDP Act permits cross-border data transfers, except to countries explicitly restricted by the Indian government.
  • Government bodies are exempt from certain provisions such as data storage limitations.

Institutional Framework: Data Protection Board of India

  • To be established by the Central Government.
  • Responsible for:
    • Ensuring compliance.
    • Imposing penalties.
    • Grievance redressal.
  • Appeals can be filed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

Penalties Under the DPDP Act

  • Emphasis on monetary penalties, not imprisonment.
  • ₹200 crore: Failure to fulfill obligations related to children.
  • ₹250 crore: Failure to prevent a data breach.

Exemptions Under the DPDP Act

The government may exempt agencies from the Act for:

  • National security and public order
  • Sovereignty and integrity of India
  • Foreign relations
  • Prevention of crimes

Global Context: Data Protection Laws Across Countries

According to UNCTAD, 137 of 194 countries have enacted data privacy laws:

EU Model

  • Based on GDPR — strict, rights-focused, and comprehensive.
  • Enshrines privacy as a fundamental right.

US Model

  • Sector-specific, liberty-based approach.
  • Lacks an all-encompassing federal privacy law.

China Model

  • Introduced Personal Information Protection Law (PIPL) and Data Security Law (DSL).
  • Strong regulatory control by the state, including restrictions on cross-border data flow.

Conclusion: What Lies Ahead for the DPDP Act?

While the DPDP Act, 2023 provides a robust and modern framework for data protection in India, its effectiveness hinges on clear rule-making, especially in areas like age verification and parental consent. As the government engages with stakeholders, India’s data governance will evolve — but ensuring trust, accountability, and technological feasibility will be key to the Act’s success.

To Download Monthly Current Affairs PDF Click here

Click here to get a free demo

Discover all about CLAT Exam

Categories

Latest Current Affairs

Related Current Affairs

View All
Line of Actual Control
Line of Actual Control (LAC) | China’s Border Villages and India’s Response
Team Newscanvassedu March 27, 2025
Read More
agnibaan
Agnibaan | India’s First Rocket Powered by a Fully 3D Printed Engine
Team Newscanvassedu May 27, 2025
Read More
Jallikattu
Jallikattu Dispute 2024: Evolution and History
Team Newscanvassedu July 23, 2024
Read More