2025 年數位個人資料保護規則草案引發了人們對是否所有用戶都必須驗證其年齡和身分才能存取線上服務的困惑。

根據 2023 年《數位個人資料保護法》（此規則尋求實施），線上平台必須獲得可驗證的家長同意

The draft Digital Personal Data Protection Rules, 2025 have led to confusion about whether or not all users will have to verify their age and identity to access online services. Under the Digital Personal Data Protection Act, 2023 (which the rules seek to operationalise) online platforms have to obtain verifiable parental consent before processing the data of anyone under 18 years of age.

2025 年數位個人資料保護規則草案引發了人們對是否所有用戶都必須驗證其年齡和身分才能存取線上服務的困惑。根據《2023 年數位個人資料保護法》（該規則尋求實施），線上平台在處理 18 歲以下任何人的資料之前必須獲得可驗證的父母同意。

The rules then elaborate that platforms have to verify the age and identity of anyone claiming to be a parent and giving consent on behalf of a child. While the rules specify what platforms can do when an under-18 user declares themself as a child and when a parent comes forward, they don’t take note of situations where a child inputs the wrong information and claims to be an adult.

該規則隨後詳細說明，平台必須驗證任何自稱是父母並代表孩子表示同意的人的年齡和身份。雖然這些規則規定了當 18 歲以下用戶聲稱自己是兒童以及家長挺身而出時平台可以做什麼，但他們沒有註意到兒童輸入錯誤訊息並聲稱自己是成年人的情況。

In such cases, platforms will have to verify everyone’s age, some like MediaNama’s editor Nikhil Pahwa argue. On the other hand, some, like Aparajita Bharti, the co-founder of Quantum Hub Consulting believe that the way the rules read right now, companies could use self-declaration measures as a means to determine whether the person signing up is a child or not. “The illustrations 1 & 2 seem to suggest if the user indicates they are a child then the platform has to take steps to gather verifiable parental consent,” she explained in a post on X (formerly Twitter).

MediaNama 的編輯 Nikhil Pahwa 等人認為，在這種情況下，平台必須驗證每個人的年齡。另一方面，量子中心顧問公司聯合創始人阿帕拉吉塔·巴蒂(Aparajita Bharti)等一些人認為，按照目前的規定，公司可以使用自我聲明措施來確定註冊人是否為兒童或兒童。 。 「插圖 1 和 2 似乎表明，如果用戶表明自己是孩子，那麼平台必須採取措施來收集可驗證的家長同意，」她在 X（以前稱為 Twitter）上的一篇貼文中解釋道。

Similarly, the founder of social media impact consulting Space2Grow, also told MediaNama that the DPDP Rules “do not explicitly require mandatory age verification unless the user’s data triggers any sign of them being a child”.

同樣，社群媒體影響力顧問公司 Space2Grow 的創辦人也告訴 MediaNama，DPDP 規則「沒有明確要求強制年齡驗證，除非用戶的數據觸發了他們是兒童的任何跡象」。

How consent provisions could cause user drop-offs:

同意條款如何導致用戶流失：

When a parent comes forward to give consent on behalf of a child, the platform has to verify their age and identity as well. The rules provide two ways in which platforms can approach this verification—

當家長代表孩子出面表示同意時，平台也必須驗證他們的年齡和身分。這些規則提供了平台進行驗證的兩種方式：

Bharti expressed concern that getting synchronous consent (consent right before a child uses the platform) will be operationally difficult. She explained that it would lead to “huge drop-offs (especially among low-income/rural households) and increased costs of compliance.” Talking about the synchronicity of consent, she said that there could be circumstances where the parent isn’t available to give consent when the child needs to access a specific online service.

巴蒂表示擔心獲得同步同意（在孩子使用平台之前獲得同意）在操作上會很困難。她解釋說，這將導致“大幅下降（尤其是低收入/農村家庭）和合規成本增加。”談到同意的同步性，她說，在某些情況下，當孩子需要訪問特定的線上服務時，父母可能無法給予同意。

During a spaces discussion on X, Bharti explained that her organisation Young Leaders for Active Citizenship (YLAC) works with rural communities where there is a lot of shared device usage. “Children [in these communities] are way more sophisticated users of technology than their parents. Parents on the other hand ask children for help to navigate the tech world,” she explained. She said that while children do need to be safe online, cutting their access to the internet off is a bigger harm to them.

在 X 的空間討論中，巴蒂解釋說，她的組織積極公民青年領袖 (YLAC) 與大量使用共享設備的農村社區合作。 「[這些社區中的]兒童比他們的父母更熟練地使用科技。另一方面，父母則要求孩子們幫助他們駕馭科技世界，」她解釋道。她說，雖然孩子們確實需要安全上網，但切斷他們對網路的訪問對他們來說是更大的傷害。

The grey area for establishing parent-child relationships:

建立親子關係的灰色地帶：

One of the age verification scenarios under the rules is where a person comes forward identifying themself as child’s parent. The platform then verifies the age and identity of the parent. The rules do not specify how platforms have to go about verifying this parent and child relationship.

根據規則，年齡驗證場景之一是一個人挺身而出，表明自己是孩子的父母。然後，平台會驗證家長的年齡和身分。這些規則沒有指定平台必須如何驗證這種父子關係。

“The ‘due diligence’ methods expected of data fiduciaries to establish relationship with the minor is a grey area – in effect indicating that people have to surrender more data about themselves, their relationships, and online behaviour to either platforms or the government,” Nidhi Sudhan, co-founder of Citizen Digital Foundation told MediaNama. According to her, the rules appear to favour the interests of businesses and the Government more than the people whose data it was meant to protect.

“數據受託人與未成年人建立關係所期望的'盡職調查'方法是一個灰色地帶——實際上表明人們必須向平台或政府提交更多有關他們自己、他們的關係和在線行為的數據，” Nidhi公民數位基金會聯合創始人 Sudhan 告訴 MediaNama。她表示，這些規則似乎更有利於企業和政府的利益，而不是其資料要保護的個人的利益。

Other key comments about the rules:

有關規則的其他重要評論：

Missing out room for positive behavioral monitoring of children:

錯過了對兒童進行積極行為監測的空間：

Besides parental consent, the act also restricts platforms from carrying out tracking/behavioral monitoring of children. It says that the government can exempt certain platforms from these restrictions as well as verification restrictions provided that they process a child’s data in a verifiably safe manner.

除了父母同意外，該法案還限制平台對兒童進行追蹤/行為監控。它表示，政府可以免除某些平台的這些限制以及驗證限制，前提是它們以可驗證的安全方式處理兒童的資料。

While the rules list a range of different services that the government allows to carry out behavioral monitoring/exempts from verifiable consent, Sidharth Deb from Quantum Hub Consulting mentioned that they “seem to miss out on an opportunity to incentivise positive/beneficial processing activities that can preserve meaningful internet experiences for under 18 users.” He adds that the rules could have initiated a discussion around what standards companies must meet to qualify as verifiably safe so that the Government allows them to curate digital products for under 18 users.

雖然這些規則列出了政府允許進行行為監控/免除可驗證同意的一系列不同服務，但Quantum Hub Consulting 的Sidharth Deb 提到，他們「似乎錯過了一個激勵積極/有益的處理活動的機會，這些活動可以為 18 歲以下的用戶保留有意義的網路體驗。他補充說，這些規則本可以引發一場討論，討論公司必須滿足哪些標準才能獲得可驗證安全的資格，以便政府允許他們為 18 歲以下用戶策劃數位產品。

Lack of inclusion of vicarious consent:

缺乏替代同意：

The Data Protection Act says that companies can only process the personal data of an Indian citizen for purposes to which the citizen has specifically consented or for legitimate uses as specified under the act such as court orders, medical emergencies, epidemics, employment and so on. Bharti says that in certain situations like sending gifts to friends or family, or fraud prevention require vicarious consent.

《資料保護法》規定，公司只能出於公民明確同意的目的或該法規定的合法用途（例如法院命令、醫療緊急情況、流行病、就業等）處理印度公民的個人資料。巴蒂表示，在某些情況下，例如向朋友或家人送禮物或預防欺詐，需要獲得替代同意。

Now that I have had the time to sleep over them for a (very) few hours, here are some observations:

現在我有時間在它們身上睡了（非常）幾個小時，以下是一些觀察：

1) At

1) 在