Companies such as Snap, the parent company behind Snapchat, on Tuesday told the government that the draft rules for implementing the Digital Personal Data Protection (DPDP) Act could place smaller platforms at a disadvantage compared to established tech players when it comes to securing verifiable parental consent for processing children’s data and verifying the identity of parents.
Prominent platforms like Meta’s Facebook and Instagram, Google, and Amazon already possess extensive user data that they can leverage to streamline the verification process for parental consent. In contrast, smaller platforms, including educational apps and emerging social media platforms, may need to depend on virtual tokens and other alternative methods to verify identities and obtain parental consent for minors to access their services.
This concern was raised during industry consultations organised by the ministry of electronics and IT (MeitY) on Tuesday to gather feedback on the draft DPDP rules. The session, attended by over 200 stakeholders, saw participation from tech giants such as Google, Meta, OpenAI, SAP, and advocacy groups like Ficci, Broadband India Forum, and CUTS. Electronics and IT minister Ashwini Vaishnaw, MeitY secretary S Krishnan, and additional secretary Bhuvnesh Kumar, were present. Industry sources indicated that the government might consider extending the consultation period to address the stakeholders’ feedback comprehensively.
Vaishnaw said that the government’s intent is to strike a balance between fostering innovation and ensuring robust regulation. “The objective that we had set for ourselves was to keep it simple, be principle-based rather than prescriptive. Let the law and rules evolve rather than casting everything in stone, trust-based approach rather than a cynical one,” he said.
Rule 10 of the draft DPDP rules outlines the procedures for obtaining verifiable parental consent. It stipulates that companies can verify parents’ identities and manage their consent for children using reliable identity and age information from the data fiduciary, voluntarily provided details, or a virtual token mapped to the same.
However, stakeholders voiced several concerns during the consultation. These included potential overlaps between sectoral regulations and the DPDP Act, the implications of data localisation restrictions on significant data fiduciaries, clarity on exemptions for commercial statistical and research purposes, and ambiguities surrounding data retention and deletion timelines for fiduciaries not explicitly addressed in the draft.
A Snapchat executive highlighted how Rule 10 could inadvertently create a “data moat,” favouring larger companies already equipped with vast user datasets. This, they argued, grants an inherent competitive advantage to established players in the market, leaving smaller firms struggling to meet compliance requirements without similar resources.
Kamesh Shekar, senior programme manager for privacy, data governance, and AI at The Dialogue, pointed out that the methods for verifiable parental consent need to remain open-ended to accommodate various operational models. He advocated for the inclusion of international best practices and industry standards to allow businesses to manage consent effectively without creating undue compliance burdens for smaller enterprises.
Asheef Iqubbal, senior research associate at CUTS International, echoed similar concerns, emphasising the lack of clarity in the current provisions. According to Iqubbal, this ambiguity could significantly increase compliance costs, especially for smaller platforms. He noted that these expenses might eventually be transferred to consumers, exacerbating affordability issues. He further suggested that innovation and competition in third-party consent management services could help reduce compliance costs while fostering a more equitable ecosystem.
Some stakeholders felt that many of their concerns were not adequately addressed during the consultation.
Venkatesh Krishnamoorthy, country manager for India at the Business Software Alliance (BSA), critiqued the draft rules for missing an opportunity to address critical issues in the DPDP Act. He cited overly broad data breach notification requirements, the absence of a transparent process for designating a significant data fiduciary, and an over-reliance on consent for personal data processing as key areas of concern.
Krishnamoorthy argued for a more transparent mechanism to identify significant data fiduciaries and called for a risk-based threshold for determining notifiable data breaches. He also urged the government to recognise legitimate uses of personal data more broadly, especially in the context of AI systems, to ensure that innovation is not stifled by overly rigid regulatory requirements.
Some stakeholders sought greater clarity on issues such as breach reporting mechanisms, the necessity of appointing consent managers if an automated consent management system is already in place, the scope of audit mechanisms, and the practicalities of virtual token implementation.
