‘Verifiable Consent’ – India’s Data Law Knows What It Wants but Not How It Wants to Do It


India’s recently enacted (and much awaited) data protection legislation, known as the Digital Personal Data Protection Act (DPDPA) of 2023, has introduced several significant mandates. One of the most talked-about aspects is the requirement for companies to verify the age of minors via parental consent. While the objective is clear—protect the data of vulnerable individuals—the operational aspects are causing quite a stir among businesses and legal experts. So what’s the issue exactly?

Which Sectors Does It Apply To?

The directive is far-reaching, affecting a multitude of industries ranging from telecommunications and banking to e-commerce platforms. Unlike the common perception that only social media companies need to worry about age restrictions, the Legal industry generally agrees that this law’s scope is far wider. Legal professionals are cautioning that businesses of all kinds must be prepared to verify the ages of their users, which is likely to be a resource-intensive undertaking.

Practical Considerations and Cost Implications

The mandate has sparked concerns around both the time and financial resources required for compliance. Implementing age verification mechanisms is neither straightforward nor economical. Companies are finding themselves perplexed not only by the looming costs but also by the practicalities of complying with this age-gating clause. Even if one were to factor in the costs, there are also practical issues that no one, including lawyers have solutions to at the moment, primarily due to a lack of clarity.

The Ambiguity of ‘Verifiable Consent’

One of the primary challenges businesses face is the undefined concept of ‘verifiable consent’. The DPDPA states that the personal data of minors and individuals with disabilities can only be processed with the consent of a parent or lawful guardian. However, what constitutes ‘verifiable’ consent is not specified, leaving room for interpretation and confusion.

The Dilemma of Identification

A rather peculiar challenge is the identification of the correct parent or guardian to whom the consent notice should be sent. Existing identification records, which often list only the father as the parent, present an additional layer of complexity.

The Issue of Establishing a Relationship

There’s also the issue of establishing the relationship between the minor and the parent / lawful guardian – even if one were to get through the hurdles of age-gating and identifying methods to obtain ‘verifiable consent’, the last link of establishing that the right person is providing the consent is another angle that presents vast operational difficulties for businesses and their lawyers.

Official Uncertainty

Interestingly, even government officials are yet to solidify their stance on the issue. They are wrestling with the intricacies of this three-step verification process that involves establishing a child’s age, verifying the identity of the parent or guardian, and confirming their relationship to the minor.

What’s the Way Forward?

As the stakeholders, including parents, students, and the wider industry, await further clarification, the quest for ‘verifiable consent’ remains a complicated endeavor.

The general response one can expect for now from lawyers?

“We need to wait for the Rules to come out”.

Indeed, indeed.