The Indian government has proposed the Digital Personal Data Protection Rules, 2025 to fortify children’s online safety through robust data protection measures
The digital revolution has profoundly transformed how we live, learn, and connect. While this transformation offers immense opportunities for growth and development, it also poses significant risks, especially for vulnerable populations such as children. The digital world is fraught with challenges, from exposure to inappropriate content to exploitation through targeted advertising. Recognising the urgent need for robust protections, the Indian government has introduced the Digital Personal Data Protection Rules, 2025, under the Digital Personal Data Protection Act, 2023.
These rules, still in draft form, have the potential to safeguard children from falling into digital traps by establishing a comprehensive framework for responsible data handling. A cornerstone of the draft rules is the requirement for verifiable parental consent before processing children’s data. This mandate ensures that entities cannot collect or use data about minors without explicit authorisation from their parents or legal guardians. For example, creating an account on a social media platform or an online gaming service requires parents to verify their identity and approve the data processing activities.
This provision is vital in reducing the risks posed by predatory targeting, identity theft, and unauthorised data collection. By putting parents in control, the rules prevent businesses from exploiting children’s data for financial gain. This safeguard is particularly important in protecting children from behavioural profiling, which can have long-term implications on their psychological development and privacy.
Educational institutions play a critical role in a child’s growth, but they, too, rely heavily on data collection. The draft rules explicitly address this by restricting data processing in schools and allied institutions to activities that are essential for educational purposes or the safety of students. For instance, tracking attendance, monitoring behaviour, and ensuring the security of transportation services are permissible, but excessive or irrelevant data collection is prohibited. These safeguards ensure that children’s data is not misused or repurposed without clear justification.
The digital world can be a double-edged sword. While it offers educational resources and entertainment, it also exposes children to inappropriate or harmful content. The draft rules mandate that data fiduciaries implement measures to ensure that children cannot access content that negatively affects their well-being. This includes filtering out materials related to violence, explicit content, and other age-inappropriate material.
Such provisions are critical in protecting the mental and emotional health of children, who are particularly susceptible to the influence of harmful digital stimuli. Moreover, they underscore the importance of collaboration between regulators and technology companies to create a safer online environment. Consent managers play a pivotal role in the new framework. As intermediaries, they enable data principals—in this case, parents or guardians—to give, manage, review, and withdraw consent for data processing activities. These managers must ensure that the process is transparent and user-friendly, empowering parents to monitor how their children’s data is being utilised.
The draft rules also require consent managers to maintain detailed records of consent given, denied, or withdrawn, enhancing accountability across the board. While the draft rules represent a significant leap forward, their successful implementation hinges on overcoming several challenges. This calls for innovative solutions, such as integrating verified digital IDs like Aadhaar with consent management systems.
(The writer is an adjunct faculty at the National Institute of Advanced Studies; views are personal)
