Age-gating the Internet: Data Privacy Laws and Age of Consent




Data privacy in India has a contested past. After a long and protracted history of consultations, the yearly iteration of the draft Digital Personal Data Protection Bill, 2022 (hereinafter, ‘the draft Bill’) was published by the Ministry of Electronics and Information Technology on November 18, 2022. The draft Bill aims to create a robust framework for the processing of ‘digital personal data’. However, this analysis is limited to the treatment of children’s digital personal data under the proposed Bill. At first look, the draft Bill appears to be well intentioned in attempting to protect the digital personal data of the “Digital Nagrik”; however, it remains fairly paternalistic in its approach.

Child as under the draft Digital Personal Data Protection Bill, 2022

This draft Bill defines “child” vide Section 2(3) as “an individual who has not completed eighteen years of age”. This definition effectively does not distinguish between the internet usage of a younger child aged 6 and that of a 17-year-old teenager. The proposed Bill vide Section 10 imposes additional obligations on Data Fiduciaries. Sub-section 1 of this Section requires the Data Fiduciary to obtain “verifiable parental consent” before processing any personal data of children. The proposed Bill does not elaborate further on the concept of “verifiable parental consent”. This provision instates requirements of age verification as well as parental consent for accessing the internet, thus impairing seamless internet navigation as we know it. Sub-section 2 further prohibits the processing of personal data of children if the same is likely to cause harm to them. Lastly, sub-section 3 prohibits the Data Fiduciary from undertaking targeted advertisements aimed at children, tracking, and behavioural monitoring. Interestingly, Section 10(4) provides that the provisions of sub-sections 1 and 3 will not be applicable to such processing of a child’s personal data for purposes that may be prescribed in rules made under this proposed Bill. These provisions, in my view, find themselves in ignorance of the functioning of the digital ecosystem and of the internet age itself. It is undeniable that the commercial use of data, particularly children’s data, is on the rise, and consent to the same remains a contested knot. However, the solution does not lie in such broad age-based restrictions as in the proposed Bill.

Children today are the true digital natives. While they may not be capable of fully understanding the meaning and extent of data privacy, their lived experiences must not be ignored. In my view, it is imperative to take account of children’s understanding of the digital landscape, their adeptness to the same and most importantly their capacity to consent while formulating regulations and policies. The proposed Bill thus errs on the side of overzealous caution.

Further, it is not entirely correct to entrust the management of children’s privacy to the parents or guardians. The report of a survey conducted by the University of Michigan[1] has found that as many as 56% of the parents surveyed shared potentially embarrassing information about their children online while 51% shared information that could lead to potentially identifying the location of the child. This evidences the fact that children arguably have a better understanding of the potential dangers on the internet. Closer home, a 2019 report[2] notes that nearly two-thirds of India’s internet users are in the 12 – 29 years age bracket. This proposed Bill errs in chalking the determination of children’s privacy as an issue to be resolved by their guardians and is in ignorance of the need for creating a balance between the right to privacy of children and practices such as sharenting[3].

Blanket age restrictions as in the draft Bill are not in synchronisation with standards the world over either. The United States of America has a specific legislation governing children’s data privacy. The Children’s Online Privacy Protection Act, 1990 and the rules thereto consider an individual below the age of 13 as a “child” and require verifiable parental consent before processing of such individuals’ data[4]. Even the European Union takes a judicious approach by considering agreements for processing of personal data as a legal artefact different from a contract and as such, vide Article 8 of the General Data Protection Regulation, provides member states with a range to set the age of consent between 13 and 16 years of age, thus recognising the difference in the internet usage of a child from that of an adolescent.

The proposed Indian approach also potentially creates a situation where deception in age may be resorted to by children, often with support from their parents, thus leaving them vulnerable. Age verification requirements and compliance thereof may also discourage online service providers from investing in products/services directed at children. In certain cases, it may even restrict the critical development of an adolescent by conditioning their access to information about religion, sexuality and sexual health, as well as politics, on parental approval which may not be given.

Way Forward

Data protection in India is still at a relatively nascent stage. Any attempt at regulation of the same cannot remain divorced from the reality of internet usage and stakeholders thereof. Hampering the experience of a sizable amount of internet users by instating such broad age requirements does not present as a tenable solution.

A look at the United Kingdom’s data protection framework gleans a practicable approach to protecting the privacy of children. The Data Protection Act, 2018 in the UK also defines a child as an individual under the age of 18, however, it has instated age 13 as the age of consent[5]. It thus follows that individuals from ages 13 to 18 will not only be empowered to consent and exert autonomy but also be afforded the protections available to children. This creates an ecosystem of increased protection where a child is able to exercise their right to consent.

Lastly, depriving the internet generation of autonomy on the internet is not practicable, as the internet serves not only as a medium for entertainment but also as a medium to connect with friends and explore educational opportunities. The approach of bright-lining a numeric age as a restriction may well and truly devastate the experience of these digital natives. While it is not argued that the internet is an abyss, the legislative approach of blanket restrictions and age-gating rather than shining a guiding light must not be resorted to.

[1] Clark SJ, Kauffman AD, Singer DC, Matos-Moreno A, Davis MM. Parents on social media: Likes and dislikes of sharenting. C.S. Mott Children’s Hospital National Poll on Children’s Health, University of Michigan. Vol 23, Issue 2, March 2015. Available at:

[2] Digital in India 2019 Round 2 Report, Internet and Mobile Association of India, Available at:

[3] supra note 1.

[4] Rule 312.2, Children’s Online Privacy Protection Rule, 1998.

[5] Section 9, Data Protection Act, 2018.
