An Analysis of the Regulation of Children's Online Activities Under the Digital Personal Data Protection Bill, 2022

The DPDP Bill was tabled by the Ministry of Electronics and Information Technology on November 18, 2022, for comments. The purpose of the Bill was to provide for the processing of digital personal data in a manner that recognized both the right of individuals to protect their personal data and the need to process personal data for lawful purposes. Though the object behind the proposed DPDP Bill appears to justify the need of the hour, the DPDP Bill has imposed certain additional obligations with respect to children.


The internet has become an indispensable part of modern life. The significance it bears and the impact it has on young minds cannot be overstated. It provides them with access to a vast array of information and resources, including educational content, news, and entertainment. It also allows them to connect with others and form communities, whether it be through social media, gaming, or online forums. The use of the internet in day-to-day affairs of life has considerably grown over the past two decades. The leitmotif of this article is not to regurgitate the importance of the internet but to reflect on the intriguing debate over the regulation of the internet by parents with respect to children under the proposed Digital Personal Data Protection (“DPDP”) Bill, 2022.

The Gordian Knot

Section 10[1] of the proposed DPDP Bill deals with the processing of the personal data of children. The section states that ‘The Data Fiduciary shall, before processing any personal data of a child, obtain verifiable parental consent in such manner as may be prescribed’. Under the Bill, a child is defined as someone who has not completed eighteen years of age[2]. Every time a child creates an account, be it social media, gaming, or an OTT account, the Data Fiduciary[3] involved, which would be the platform providing the service, would necessarily have to secure the consent of the parent or legal guardian of the child before processing their data. The DPDP Bill also prescribes a penalty of up to Rs. 200 crores for its non-compliance[4].

The implications of this proposed section are vast. Currently, most social media platforms including Twitter, Facebook, and Instagram require the user to be above the age of thirteen years to create an account, without any requirement of parental consent. Practically speaking, these platforms do not verify the age as claimed by the user and thus, it is possible to provide incorrect age in order to create an account. The same goes for all other prospective Data Fiduciaries. From knowledge-providing platforms like YouTube and Quora to entertainment or gaming platforms like Spotify and Stream, all these platforms currently have set thirteen years as the minimum age to create an account and enjoy these services. To comply with the DPDP bill, in case it is passed, the platforms would not just have to modify their own terms and conditions for the Indian jurisdiction but also have to come up with a verifiable parental consent requirement mechanism. Since most platforms and websites on the internet require the creation of an account to access the features or services fully, enforcing Section 10 of the DPDP bill would require an entire overhaul of how the internet functions. There would have to be parental consent forms and verification mechanisms in almost all corners of the internet.

While mandating such monitoring of every online activity of a child might sound fit in an average conservative Indian household, it is important to understand that doing so fundamentally alters the very forte of the internet – accessibility to information. Curtailing this would have detrimental effects on any child’s development, by allowing the parents to restrict any chances of the child’s exposure to perspectives that might not agree with their own. This would also be in defiance of Article 13 of the Convention on the Rights of the Child[5], which India had signed and ratified on December 11, 1992. The Article promotes the “right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers” for children.

Untying the Knot

Perhaps one way to mitigate the issues that could arise if the proposed section is brought into effect is by introducing gradation in the age limit that it specifies consent for. In this respect, inspiration can be taken from the Indian Penal Code, 1860,[6] which categorizes children and provides for classification based on age (below 7, from 7 to 12, etc.) to determine the law applicable to them. Even the much popular General Data Protection Regulation, 2016 of the European Union allows member states to lower the age of the child to 13 years to determine if parental consent would be needed or not[7].

The rigidity with respect to parental consent should also be based on a model which considers the evolution and development of children at different ages. France’s model of children’s data privacy rights under the French Data Protection Act, 1978 which was heavily amended recently in 2018, could also be looked at. Article 45 of the said Act[8] introduces the concept of “Joint Consent”. It states that ‘If the child is under 15 years of age, the processing will be lawful only if consent is given jointly by the child and the holder(s) of parental responsibility over that child.’ This, in essence, means that the consent is based on a mutual agreement between the child and the parent(s) holding parental rights. With respect to children above the age of 15 years, the Act allows them to give their own consent.


Thus, while it is ultimately up to the lawmakers to resolve, they must keep in mind the logistical and sociological effects of enforcing mandatory parental regulation on children’s online activities. If not by reducing the age to a more reasonable one, as done by other jurisdictions, systems like gradation in age or joint parental-child consent should be put in place. In the case of Faheema Shirin R.K. vs State of Kerala[9], the Kerala High Court, specifically speaking in the context of students, stated that the right to access the internet forms a part of freedom of speech and expression guaranteed under Article 19(1)(a) of the Constitution. In the said case, it was held that ‘Enforcement of discipline shall not be by blocking the ways and means of the students to acquire knowledge’. The concept of “best interest of the child” which is much popular in custody and guardianship cases and puts the best possible alternative for the child before the rights of the parents, could perhaps be interpreted broadly and acknowledged by the lawmakers with respect to the present debate as well.


[1] Section 10, The Digital Personal Data Protection Bill, 2022.

[2] Defined under Section 2(3), The Digital Personal Data Protection Bill, 2022.

[3] Defined under Section 2(5), The Digital Personal Data Protection Bill, 2022.

[4] Section 25, The Digital Personal Data Protection Bill, 2022.

[5] Article 14, Convention on the Rights of the Child, 1989 [General Assembly resolution 44/25].

[6] Sections 82 and 83, Indian Penal Code, 1860.

[7] Article 8, General Data Protection Regulation, 2016.

[8] Article 45, French Data Protection Act, 1978.

[9] Faheema Shirin R.K vs State of Kerala, 2019 [WP(C)No.19716 OF 2019(L)].

Image Credits:

Photo by Pavel Danilyuk:

While it is ultimately up to the lawmakers to resolve, they must keep in mind the logistical and sociological effects of enforcing mandatory parental regulation on children’s online activities. If not by reducing the age to a more reasonable one, as done by other jurisdictions, systems like gradation in age or joint parental-child consent should be put in place.