Draft Digital Personal Data Protection Rules-2025 provides for the ‘Verifiable Consent for Processing Personal Data of Children and Persons with Disabilities’

The draft Digital Personal Data Protection Rules-2025 (DPDPR-2025) includes provisions for obtaining 'Verifiable Consent for Processing Personal Data of Children and Persons with Disabilities', outlining the requirements for acquiring parental or legal guardian consent before processing the personal data of children or persons with disabilities.

As per the draft rules, a 'Data Fiduciary' is required to implement measures to ensure that the person providing consent for a child's data processing is indeed the child's parent or legal guardian and that they can be properly identified.

"To verify that the parent is an adult, the Data Fiduciary must use reliable identity details or a virtual token linked to such details. This verification is essential to ensure that consent is granted by a responsible adult, as defined by relevant laws," the rules state.

However, the draft rules also provide for exemptions from the obligations in processing the personal data of children. Section 9 of the Act outlines the standards required for processing the personal data of the children. It also laid down specific purposes and conditions for which the data has to be processed.

"Specific classes of Data Fiduciaries, such as healthcare professionals, educational institutions, and childcare providers, are exempt from certain provisions related to children's data," the rules state.

These entities are permitted to process children's personal data, but this is limited to specific activities such as health services, educational activities, safety monitoring, and transportation tracking.

These activities must be necessary for the well-being and safety of the child, ensuring that data processing is conducted within a defined and limited scope.

The Act provides for Part A and Part B, and Part B of the schedule says what are the particular purposes for which the exemptions apply, including processing for legal duties, issuing subsidies or benefits to children, "creating user accounts for communication, or ensuring that a child does not access harmful information. In these cases, processing is restricted to what is necessary to perform the function, service, or duty, with a strong emphasis on protecting the child’s best interests."

The provision also recognises that certain activities, such as verifying the age of a data subject to confirm they are not a child, fall under this exemption, as long as the processing remains limited to what is necessary.

These exemptions aim to strike a balance between safeguarding children's personal data and allowing essential activities for their health, education, and safety.