Re-Drawing the ‘Bright Line’: The Need for an Alternate Conceptualisation of Children’s Data Privacy 

This piece won third place in the GNLU Centre for Women and Child Rights (GCWCR) Essay Writing Competition 2025 and has been published on the GCWCR Blog. The competition aimed to foster discourse on pressing challenges in women’s and children’s rights, highlighting exceptional entries that contribute to legal advocacy and policy reform.


Introduction

In the technological age, it is common to see children with gadgets in their hands, even before they can walk properly. However, the growing presence of youngsters on the internet sparks concerns for not just their parents, but regulators as well. Data privacy is one such area of concern. Protecting children’s data becomes a challenge that highlights the uncomfortable tension between virtual parentalism and empowering children for their fullest development. The Digital Personal Data Protection Act, 2023 [“the Act”]  and the Draft Digital Personal Data Protection Rules, 2025 [“Draft Rules”] reveal that the Indian government appears to be drifting towards virtual parentalism, fixing the age of consent or ‘bright line’ for data processing at 18. While some recommend following the US or the EU position, this essay argues that the controversy surrounding India’s approach provides lawmakers with an excellent opportunity to re-conceptualise children’s capacity to consent for data processing. The essay focuses on the issues with the Indian approach, and evaluates whether shifting to the US or EU approach is ideal. It ends with a recommendation to re-draw the bright line altogether, based on inspiration from some other jurisdictions. 

Analysing the Indian Position 

Section 9 of the Act states that a data fiduciary must obtain the verifiable consent of a child’s parents before processing the child’s data. Section 2(f) defines a child as an individual who has not yet completed 18 years of age. Rule 10 of the Draft Rules requires the data fiduciary to adopt appropriate technological and organisational measures to ensure that the verifiable consent of parents is obtained, and that the persons identifying themselves as the parents are adults. This can be done by reference to details of age and identity available with the data fiduciary, or those voluntarily provided, or a virtual token mapped to the same which is issued by an entity entrusted by the law, the central, or state government.

Necessitating parental consent for processing the personal data of those under 18 years old has garnered much criticism. Granted, the age of majority under Indian law for activities such as voting, sexual relations, etc. is 18. However, blindly importing the same requirement to data processing is misconceived. It casts a blanket assumption that those under 18 cannot understand the nature and implications of consenting to the processing of their personal information. However, in a country with poor digital literacy amongst adults, teenagers would often have better knowledge of the internet and data privacy than their parents. Further, due to the prevalence of gender biases, it is likely that boys will find it easier to obtain this parental consent than girls, especially for educational and vocational purposes. Parental consent will also be difficult to obtain for internet services pertaining to topics stigmatised in Indian society, such as sexual orientation, mental health, etc.

The biggest loophole in the Draft Rules is that they rely on self-declaration of age – illustrations under Rule 10 start with the phrase ‘C informs the Data Fiduciary that she is a child.’ Since the age of consent is 18, crafty teenagers would simply find it easier to misrepresent their age rather than hounding their parents to give consent, defeating the entire purpose of this provision. While exemptions are available from parental consent, they are only for limited purposes, such as for educational institutions and healthcare providers – aspects of children’s lives in which parents are usually directly involved and themselves provide children’s data to the data fiduciary. Thus, even in these ‘exemptions,’ children have no meaningful autonomy. Most importantly, if the decision-making processes pertaining to personal information are gatekept from children during their formative teenage years, how can we empower them to learn to take such decisions for themselves as adults? As a response to these drawbacks, several authors (see here and here) have suggested adopting a similar approach to the EU and the US, which have their bright lines at 16 and 13, respectively. However, in the next section, this article questions the very desirability of the bright line approach.

The Bright Line: Should We Erase It?

The United Nations Convention on the Rights of the Child [“UNCRC”], which India has ratified, endorses the principle of evolving capabilities of children in Article 5. This essentially means that the level of protection accorded to children needs to be adjusted as they mature. Setting a fixed bright line directly contradicts this principle since it assumes that children below a certain age completely lack the capacity to consent to the processing of their personal information, and those above it uniformly have the same. However, there is no ‘magic age’ at which children gain the capacity to make such decisions – every child evolves at a different pace. Article 12 of the UNCRC establishes the free speech rights of children – stating that every child who is capable of forming his own views shall have the right to express them freely in all matters affecting him, and such views have to be given weight according to his age and maturity. Imposing a strict bright line deprives children falling under it of a meaningful say in how their personal information is to be processed.

Further, imposing strict bright lines may contribute towards internet segregation i.e., the demarcation of internet spaces as being for ‘adults’ or ‘children’ exclusively. This is particularly possible for subjects for which parental consent may be hard to obtain and frequently refused, such as mental health and sexual orientation. While internet segregation is justified for areas such as pornography, dissemination of information regarding the previously mentioned subjects amongst children is important. Further, the bright line approach may lead to intrusions into children’s privacy by their parents themselves – in order to provide consent, they may wish to review their children’s accounts, online presence, etc. Thus, there is a real danger of simultaneous internet segregation and intrusion taking place. 

Is the remedy, then, to do away with the bright line altogether? Despite all the drawbacks of this approach, the basic rationale behind it has some merit. Adults may not have a perfect understanding of data privacy – but it is safe to say that the same is true for a large number of children. Even those who have such an understanding may not have the responsibility to bear the consequences of consenting to the processing of their personal data. For instance, if a teenager’s sensitive data pertaining to health, sexual orientation, etc., whose processing she consented to, is breached, she may not be equipped to deal with its social consequences or avail the remedies under the relevant data protection law. Every right has a corresponding responsibility, and in that regard, we cannot place children on the same footing as adults, especially when a lot of their decisions are characterised by impulsivity and risk-taking attitudes. Thus, in the conclusion, the essay recommends an alternative approach to ‘redraw’ the bright line without erasing it altogether.

Conclusion and Recommendations 

While some jurisdictions have a bright line, they simply implement it in a more flexible manner. In Australia, for instance, children are deemed to have the capacity to consent where they have sufficient maturity to understand what is being proposed. The capacity to consent for those below 18 has to be ascertained via an individualised assessment administered by the data controller on a case-by-case basis. However, since administering an individualised assessment for every child whose data is to be processed may be impractical, guidelines allow for two presumptions where such impracticability exists. First, controllers may assume that those above 15 have the capacity to consent, and those below 15 do not. The Chinese approach is similar: there is an objective bright line of 14 years below which parental consent is usually needed. But this is combined with a subjective capacity determination for 8 to 14-year-olds, who may consent provided they have the maturity. The major benefit of such a ‘hybrid’ approach is that it recognises the principle of evolving capacities; it acknowledges that a child’s development is not linear, and guarantees their participatory rights provided they have the maturity. It also lessens the compliance burden and business costs for data controllers by allowing them to go by an age-based presumption of capacity when individualised assessment is impractical, as in the Australian approach. Such an approach is a reasonable compromise between having a hard and fast bright line and the complete lack of one.

In conclusion, the current bright line being at 18 sets an unworkable position and it is pertinent for the legislature to reconsider the same. As this essay demonstrates, simply lowering the age by a few years will not solve the issue. A balance between protecting and empowering children can only be struck if the bright line is not rigid; it must be redrawn in a manner that recognises children’s evolving capacities. However, any change must be made considering children’s opinions, since that has been missing globally so far. Further, since the law alone cannot achieve all ends, measures such as awareness campaigns, drafting privacy policies in simpler language, etc. can go a long way in acquainting children with their rights.


Author

Piyush Senapati
