
Strengthening Age Verification Under the Digital Personal Data Protection Act, 2023

Updated: Jan 18


Introduction:

The Digital Personal Data Protection Act (DPDP Act) of 2023 aims to safeguard individuals' personal data, particularly that of minors.

With the release of draft rules for public consultation on January 3, 2025, the Act mandates that platforms cannot process the data of individuals under 18 without verifiable parental consent. While this is a significant step toward protecting children’s data, it raises important questions about the effectiveness of existing age verification mechanisms.

Imagine a child signing up for a social media account, claiming to be 21. The platform believes the claim without question, and the minor gains access to a world they’re not prepared for. This scenario—all too common—exposes the need for a stricter approach to verifying user age.


The DPDP Act requires data fiduciaries to ensure appropriate age verification mechanisms are in place. However, it does not explicitly address the issue of falsified age information. Without robust systems to verify a user's age, platforms risk non-compliance with the Act, which could lead to significant penalties—up to ₹250 crore per contravention. This lack of clarity in the current draft DPDP rules has created a pressing need for more detailed guidelines to address the legal implications of falsified age data.

In the Indian context, the prevalence of ‘jugaad’ (improvisation) often leads to children providing false age information to access online services. The existing rules impose only a modest ₹10,000 fine on data principals for falsified information, leaving significant gaps in accountability and enforcement. To effectively protect children’s data, the draft DPDP rules of 2025 must incorporate clearer provisions and stricter measures.


Illustration:

A 16-year-old fabricates their age to access a platform. Months later, the platform’s data is compromised, and sensitive information is leaked. The resulting fallout exposes the platform to massive fines and public outcry. This scenario highlights why robust age verification mechanisms are not just a legal requirement but a moral imperative.


Limitations of Current Age Verification Methods:

Currently, social media platforms rely on self-reported age information during registration, with no accompanying documentation or verification processes. This approach is insufficient to ensure compliance with the DPDP Act and inadvertently promotes falsified age information. The lack of mechanisms to verify the accuracy of user-provided data calls for a fundamental overhaul of age verification practices.


Recommendations for Enhanced Age Verification Mechanisms:

To address these challenges, alternative and supplementary measures must be implemented under the draft DPDP rules. Below are some actionable recommendations to enhance the accuracy and reliability of age verification mechanisms:

  1. Government-Issued Identification: 

    Platforms should require users to upload valid government-issued IDs (e.g., Aadhaar card, passport, or driving license) during registration. These documents must be processed securely and in compliance with data protection standards.

  2. AI-Powered Verification: 

    AI-driven facial recognition systems can estimate a user’s age during registration. However, these systems must adhere to strict privacy standards and avoid storing biometric data without explicit consent.

  3. Two-Step Verification: 

    Implement a two-step age verification process that includes self-declared information followed by an OTP (One-Time Password) sent to a government-registered mobile number or email ID linked to a verified identity.

  4. Randomized Post-Registration Checks: 

    Platforms should conduct periodic, randomized checks to verify users' ages after registration. Users flagged for suspicious activity can be asked to revalidate their age with additional documentation.

  5. Parental Consent Mechanisms: 

    For users under 18, platforms must mandate verifiable parental or guardian consent. This could involve digitally signed forms or authenticated government IDs of the guardians.

  6. Data Minimization Practices: 

    Platforms should adopt data minimization principles, collecting only the data strictly necessary for age verification and retaining it for a predefined period.

  7. User Education: 

    Platforms must educate users on the importance of accurate age information and the legal consequences of falsifying data through onboarding tutorials, pop-ups, and community guidelines.

  8. Strict Penalties for Non-Compliance: 

    The DPDP rules should outline stringent penalties for platforms failing to implement robust age verification measures. These could include monetary fines or suspension of services.

  9. Third-Party Verification Agencies: 

    Collaborating with certified third-party age verification agencies can reduce the burden on individual platforms and ensure uniformity in verification processes.

  10. Annual Compliance Reports: 

    Platforms must submit annual compliance reports detailing their age verification mechanisms, challenges, and resolutions to the Data Protection Board of India.

  11. Blockchain for Transparency: 

    Exploring blockchain technology to create tamper-proof age verification records can ensure data immutability and secure storage.

  12. Regulated Minors’ Platforms: 

    Platforms should offer a separate, highly regulated version of their services for minors, featuring stricter content controls, advertising restrictions, and monitoring.

  13. Independent Oversight: 

    Regulatory bodies or auditors must periodically monitor and evaluate the age verification practices of social media platforms.


Balancing Technology and Privacy:

Technologies like facial recognition and voice analysis have the potential to improve age verification processes. However, their adoption must address privacy concerns and limitations, including the risk of deepfake technologies and falsified KYC data. Furthermore, these technologies must respect the fundamental right to privacy under Article 21 of the Indian Constitution.


Conclusion:

To strengthen the accountability of social media platforms and ensure compliance with the DPDP Act, the draft DPDP rules must provide clear and actionable guidelines for age verification. Sustainable, secure, and privacy-compliant verification methods should be prioritized to create a safer digital ecosystem for users of all ages. By addressing these challenges, the DPDP framework can better protect children’s data and uphold the principles of data protection and privacy.

As we forge ahead, let us remember:
A child’s data is precious gold,
Protect it well, be firm and bold.
For every loophole we must seal,
A safer internet’s our common deal.

The Women Data Protection Foundation remains committed to advocating for stronger data protection policies and fostering awareness about the importance of privacy in today’s digital age.

