FPF and The Dialogue Release Collaboration on a Catalog of Measures for “Verifiably safe” Processing of Children’s Personal Data under India’s DPDPA 2023

Today, the Future of Privacy Forum (FPF) and The Dialogue released a Brief containing a Catalog of Measures for “Verifiably Safe” Processing of Children’s Personal Data Under India’s Digital Personal Data Protection Act (DPDPA) 2023. 

When India’s DPDPA passed in August, it created heightened protections for the processing of personal data of children up to 18. When the law goes into effect, entities who determine the purpose and means of processing data, known as “data fiduciaries,” will need to apply these heightened protections to children’s data. Under the DPDPA, there is no further distinguishing between age groups of children, and all protections, such as obtaining parental consent before processing a child’s data, will apply to all children up to 18. However, the DPDPA stipulates that if the processing of personal data of children is done “in a manner that is verifiably safe,” the Indian government has the competence to lower the age above which data fiduciaries may be exempt from certain obligations. 

In partnership with The Dialogue, an emerging research and public-policy think-tank based in New Delhi with a vision to drive a progressive narrative in India’s policy discourse, FPF prepared a Brief compiling a catalog of measures that may be deemed “verifiably safe” when processing children’s personal data. The Brief was informed by best practices and accepted approaches from key jurisdictions with experience in implementing data protection legal obligations geared towards children. Not all of these measures may immediately apply to all industry stakeholders. 

While the concept of “verifiably safe” processing of children’s personal data is unique to the DPDPA and not found in other data protection regimes, the Brief’s catalog of measures can aid practitioners and policymakers across the globe.

The Brief outlines the following measures that can amount to “verifiably safe” processing of personal data of children, proposing additional context and actionable criteria for each item: 

1. Ensure enhanced transparency and digital literacy for children. 

2. Ensure enhanced transparency and digital literacy for parents and lawful guardians of very young users.

3. Opt for informative push notifications and provide tools for children concerning privacy settings and reporting mechanisms. 

4. Provide parents or lawful guardians with tools to view, and in some cases set, children’s privacy settings and exercise privacy rights. 

5. Set account settings as “privacy friendly” by default. 

6. Limit advertising to children.

7. Maintain the functionality of a service at all times, considering the best interests of children.

8. Adopt policies to limit the collection and sharing of children’s data. 

9. Consider all risks of processing their personal data for children and their best interests via thorough assessments. 

10. Ensure the accuracy of the personal data of children held. 

11. Use and retain personal data of children considering their best interests.

12. Adopt policies regarding how children’s data may be safely shared.  

13. Give children options in an objective and neutral way, avoiding deceptive language or design.

14. Put in place robust internal policies and procedures for processing personal data of children and prioritize staff training.

15. Enhance accountability for data breaches through notifying the parents or lawful guardians and adopting internal policies such as Voluntary Undertaking if a data breach occurs. 

16. Conduct specific due diligence with regard to children’s personal data when engaging processors.  

We encourage further conversation between government, industry, privacy experts, and representatives of children, parents, and lawful guardians to identify which practices and measures may suit specific types of services and industries, or specific categories of data fiduciaries.