2025 年《数字个人数据保护规则》草案引发了人们对是否所有用户都必须验证其年龄和身份才能访问在线服务的困惑。

根据 2023 年《数字个人数据保护法》（该规则旨在实施），在线平台必须获得可验证的家长同意

The draft Digital Personal Data Protection Rules, 2025 have led to confusion about whether or not all users will have to verify their age and identity to access online services. Under the Digital Personal Data Protection Act, 2023 (which the rules seek to operationalise) online platforms have to obtain verifiable parental consent before processing the data of anyone under 18 years of age.

2025 年数字个人数据保护规则草案引发了人们对是否所有用户都必须验证其年龄和身份才能访问在线服务的困惑。根据《2023 年数字个人数据保护法》（该规则寻求实施），在线平台在处理 18 岁以下任何人的数据之前必须获得可验证的父母同意。

The rules then elaborate that platforms have to verify the age and identity of anyone claiming to be a parent and giving consent on behalf of a child. While the rules specify what platforms can do when an under-18 user declares themself as a child and when a parent comes forward, they don’t take note of situations where a child inputs the wrong information and claims to be an adult.

该规则随后详细说明，平台必须验证任何自称是父母并代表孩子表示同意的人的年龄和身份。虽然这些规则规定了当 18 岁以下用户声称自己是儿童以及家长挺身而出时平台可以做什么，但他们没有注意到儿童输入错误信息并声称自己是成年人的情况。

In such cases, platforms will have to verify everyone’s age, some like MediaNama’s editor Nikhil Pahwa argue. On the other hand, some, like Aparajita Bharti, the co-founder of Quantum Hub Consulting believe that the way the rules read right now, companies could use self-declaration measures as a means to determine whether the person signing up is a child or not. “The illustrations 1 & 2 seem to suggest if the user indicates they are a child then the platform has to take steps to gather verifiable parental consent,” she explained in a post on X (formerly Twitter).

MediaNama 的编辑 Nikhil Pahwa 等人认为，在这种情况下，平台必须验证每个人的年龄。另一方面，Quantum Hub Consulting 联合创始人阿帕拉吉塔·巴蒂 (Aparajita Bharti) 等人认为，按照目前的规定，公司可以使用自我声明措施来确定注册人是否为儿童或儿童。不是。 “插图 1 和 2 似乎表明，如果用户表明自己是孩子，那么平台必须采取措施来收集可验证的家长同意，”她在 X（以前称为 Twitter）上的一篇帖子中解释道。

Similarly, the founder of social media impact consulting Space2Grow, also told MediaNama that the DPDP Rules “do not explicitly require mandatory age verification unless the user’s data triggers any sign of them being a child”.

同样，社交媒体影响力咨询公司 Space2Grow 的创始人也告诉 MediaNama，DPDP 规则“没有明确要求强制年龄验证，除非用户的数据触发了他们是儿童的任何迹象”。

How consent provisions could cause user drop-offs:

同意条款如何导致用户流失：

When a parent comes forward to give consent on behalf of a child, the platform has to verify their age and identity as well. The rules provide two ways in which platforms can approach this verification—

当家长代表孩子出面表示同意时，平台还必须验证他们的年龄和身份。这些规则提供了平台进行验证的两种方式：

Bharti expressed concern that getting synchronous consent (consent right before a child uses the platform) will be operationally difficult. She explained that it would lead to “huge drop-offs (especially among low-income/rural households) and increased costs of compliance.” Talking about the synchronicity of consent, she said that there could be circumstances where the parent isn’t available to give consent when the child needs to access a specific online service.

巴蒂表示担心获得同步同意（在孩子使用平台之前获得同意）在操作上会很困难。她解释说，这将导致“大幅下降（尤其是低收入/农村家庭）和合规成本增加。”谈到同意的同步性，她说，在某些情况下，当孩子需要访问特定的在线服务时，父母可能无法给予同意。

During a spaces discussion on X, Bharti explained that her organisation Young Leaders for Active Citizenship (YLAC) works with rural communities where there is a lot of shared device usage. “Children [in these communities] are way more sophisticated users of technology than their parents. Parents on the other hand ask children for help to navigate the tech world,” she explained. She said that while children do need to be safe online, cutting their access to the internet off is a bigger harm to them.

在 X 的空间讨论中，巴蒂解释说，她的组织积极公民青年领袖 (YLAC) 与大量使用共享设备的农村社区合作。 “[这些社区中的]儿童比他们的父母更熟练地使用技术。另一方面，父母则要求孩子们帮助他们驾驭科技世界，”她解释道。她说，虽然孩子们确实需要安全上网，但切断他们对互联网的访问对他们来说是更大的伤害。

The grey area for establishing parent-child relationships:

建立亲子关系的灰色地带：

One of the age verification scenarios under the rules is where a person comes forward identifying themself as child’s parent. The platform then verifies the age and identity of the parent. The rules do not specify how platforms have to go about verifying this parent and child relationship.

根据规则，年龄验证场景之一是一个人挺身而出，表明自己是孩子的父母。然后，该平台会验证家长的年龄和身份。这些规则没有指定平台必须如何验证这种父子关系。

“The ‘due diligence’ methods expected of data fiduciaries to establish relationship with the minor is a grey area – in effect indicating that people have to surrender more data about themselves, their relationships, and online behaviour to either platforms or the government,” Nidhi Sudhan, co-founder of Citizen Digital Foundation told MediaNama. According to her, the rules appear to favour the interests of businesses and the Government more than the people whose data it was meant to protect.

“数据受托人与未成年人建立关系所期望的‘尽职调查’方法是一个灰色地带——实际上表明人们必须向平台或政府提交更多关于自己、他们的关系和在线行为的数据，”尼迪公民数字基金会联合创始人 Sudhan 告诉 MediaNama。她表示，这些规则似乎更有利于企业和政府的利益，而不是其数据旨在保护的个人的利益。

Other key comments about the rules:

有关规则的其他重要评论：

Missing out room for positive behavioral monitoring of children:

错过了对儿童进行积极行为监测的空间：

Besides parental consent, the act also restricts platforms from carrying out tracking/behavioral monitoring of children. It says that the government can exempt certain platforms from these restrictions as well as verification restrictions provided that they process a child’s data in a verifiably safe manner.

除了父母同意外，该法案还限制平台对儿童进行跟踪/行为监控。它表示，政府可以免除某些平台的这些限制以及验证限制，前提是它们以可验证的安全方式处理儿童的数据。

While the rules list a range of different services that the government allows to carry out behavioral monitoring/exempts from verifiable consent, Sidharth Deb from Quantum Hub Consulting mentioned that they “seem to miss out on an opportunity to incentivise positive/beneficial processing activities that can preserve meaningful internet experiences for under 18 users.” He adds that the rules could have initiated a discussion around what standards companies must meet to qualify as verifiably safe so that the Government allows them to curate digital products for under 18 users.

虽然这些规则列出了政府允许进行行为监控/免除可验证同意的一系列不同服务，但 Quantum Hub Consulting 的 Sidharth Deb 提到，他们“似乎错过了一个激励积极/有益的处理活动的机会，这些活动可以为 18 岁以下的用户保留有意义的互联网体验。”他补充说，这些规则本可以引发一场讨论，讨论公司必须满足哪些标准才能获得可验证安全的资格，以便政府允许他们为 18 岁以下用户策划数字产品。

Lack of inclusion of vicarious consent:

缺乏替代同意：

The Data Protection Act says that companies can only process the personal data of an Indian citizen for purposes to which the citizen has specifically consented or for legitimate uses as specified under the act such as court orders, medical emergencies, epidemics, employment and so on. Bharti says that in certain situations like sending gifts to friends or family, or fraud prevention require vicarious consent.

《数据保护法》规定，公司只能出于公民明确同意的目的或该法规定的合法用途（例如法院命令、医疗紧急情况、流行病、就业等）处理印度公民的个人数据。巴蒂表示，在某些情况下，例如向朋友或家人送礼物或预防欺诈，需要获得替代同意。

Now that I have had the time to sleep over them for a (very) few hours, here are some observations:

现在我有时间在它们身上睡了（非常）几个小时，以下是一些观察结果：

1) At

1) 在