Code: Section 9 DPDP
(1) The Data Fiduciary shall, before processing any personal data of a child or a
person with disability who has a lawful guardian obtain verifiable consent of the parent of
such child or the lawful guardian, as the case may be, in such manner as may be prescribed.
Explanation.—For the purpose of this sub-section, the expression “consent of the
parent” includes the consent of lawful guardian, wherever applicable.
(2) A Data Fiduciary shall not undertake such processing of personal data that is
likely to cause any detrimental effect on the well-being of a child.
(3) A Data Fiduciary shall not undertake tracking or behavioural monitoring of children
or targeted advertising directed at children.
(4) The provisions of sub-sections (1) and (3) shall not be applicable to processing of
personal data of a child by such classes of Data Fiduciaries or for such purposes, and
subject to such conditions, as may be prescribed.
(5) The Central Government may, if satisfied that a Data Fiduciary has ensured that its
processing of personal data of children is done in a manner that is verifiably safe, notify for
such processing by such Data Fiduciary the age above which that Data Fiduciary shall be
exempt from the applicability of all or any of the obligations under sub-sections (1) and (3)
in respect of processing by that Data Fiduciary as the notification may specify.
Explanation of Section 9 DPDP
Section 9 of the Digital Personal Data Protection Act (DPDP) regulates how personal data of children and persons with disabilities (with lawful guardians) is processed by Data Fiduciaries.
- Consent Requirement (Sub-section 1): Before processing personal data of a child, Data Fiduciaries must obtain verifiable consent from the child’s parent or lawful guardian. The law provides flexibility in the form of the consent but mandates verification for safeguarding the child’s interests.
- Detrimental Effects (Sub-section 2): Data Fiduciaries must avoid processing data that could harm or affect the well-being of a child. This includes preventing activities that may have an adverse impact on a child’s mental, emotional, or social health.
- Tracking and Targeted Advertising (Sub-section 3): The section explicitly bans any tracking or behavioural monitoring of children or any form of targeted advertising aimed at children, ensuring their data is protected from commercial exploitation.
- Exceptions (Sub-section 4): There may be specific categories of Data Fiduciaries or specific use cases where these provisions might not apply, subject to conditions and regulations that could be prescribed by the authorities.
- Age Exemption (Sub-section 5): The Central Government has the authority to notify specific age limits. If a Data Fiduciary demonstrates that its processing methods are safe for children, the government can specify an age threshold where the obligations regarding consent and targeting no longer apply.
Illustration
Example 1: Parental Consent for Data Processing
A mobile app designed for educational purposes seeks to process the personal data of children under 13. Before collecting any personal data, the app must obtain verifiable consent from the parents of the children in question. The consent must be given in a manner that meets the prescribed requirements, ensuring that the child’s data is handled appropriately.
Example 2: Prohibition of Targeted Advertising
A website that uses cookies for tracking visitors cannot use that data to target advertisements to children under 13. According to Section 9(3), the processing of personal data for such targeted advertising is prohibited to protect the privacy and well-being of children.
Common Questions and Answers on Section 9 DPDP
1. Why does Section 9 require verifiable consent from the parent or guardian before processing a child’s data?
- Answer: Section 9 ensures that children’s data is only processed with appropriate parental or guardian approval to safeguard their privacy and well-being. This is particularly important as children may not fully understand the implications of their personal data being processed.
2. Can a Data Fiduciary engage in behavioural monitoring of children under this law?
- Answer: No, Section 9(3) specifically prohibits tracking, behavioural monitoring, and targeted advertising directed at children. This is to protect children from commercial exploitation and privacy violations.
3. Are there any exceptions to the restrictions on processing children’s data?
- Answer: Yes, Section 9(4) allows for exceptions in specific cases, where certain Data Fiduciaries or use cases may not be subject to these provisions, but only under specific conditions and as prescribed by the government.
4. How does the government set an age limit for exemptions from these rules?
- Answer: Under Section 9(5), the government can specify an age threshold above which certain Data Fiduciaries may not have to comply with the full set of obligations under this section if they demonstrate safe processing practices for children’s data.
Conclusion
Section 9 of the Digital Personal Data Protection Act (DPDP) focuses on the protection of children’s personal data, ensuring that data processing is done with parental consent and in a manner that safeguards their well-being. This provision restricts harmful practices such as tracking and targeted advertising directed at children, while also allowing for flexibility through prescribed exemptions under certain conditions.
