Rule 10: Verifiable Consent for Children and Persons with Disabilities
10. Verifiable consent for processing of personal data of child or of person with disability who has lawful guardian
(1) A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India, by reference to—
(a) reliable details of identity and age available with the Data Fiduciary; or
(b) voluntarily provided details of identity and age or a virtual token mapped to the same, which is issued by an entity entrusted by law or the Central Government or a State Government with the maintenance of such details or a person appointed or permitted by such entity for such issuance, and includes such details or token verified and made available by a Digital Locker service provider.
Illustration:
C is a child, P is her parent, and DF is a Data Fiduciary. A user account of C is sought to be created on the online platform of DF, by processing the personal data of C.
Case 1:
C informs DF that she is a child. DF shall enable C’s parent to identify herself through its website, app or other appropriate means.
P identifies herself as the parent and informs DF that she is a registered user on DF’s platform and has previously made available her identity and age details to DF.
Before processing C’s personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P.
Case 2:
C informs DF that she is a child. DF shall enable C’s parent to identify herself through its website, app or other appropriate means.
P identifies herself as the parent and informs DF that she herself is not a registered user on DF’s platform.
Before processing C’s personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the same, check that P is an identifiable adult.
P may voluntarily make such details available using the services of a Digital Locker service provider.
Case 3:
P identifies herself as C’s parent and informs DF that she is a registered user on DF’s platform and has previously made available her identity and age details to DF.
Before processing C’s personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P.
Case 4:
P identifies herself as C’s parent and informs DF that she herself is not a registered user on DF’s platform.
Before processing C’s personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the same, check that P is an identifiable adult.
P may voluntarily make such details available using the services of a Digital Locker service provider.
(2) A Data Fiduciary, while obtaining verifiable consent from an individual identifying herself as the lawful guardian of a person with disability, shall observe due diligence to verify that such guardian is appointed by a court of law, a designated authority or a local level committee, under the law applicable to guardianship.
(3) In this rule, the expression—
(a) “adult” shall mean an individual who has completed the age of eighteen years;
(b) “Digital Locker service provider” shall mean such intermediary, including a body corporate or an agency of the appropriate Government, as may be notified by the Central Government, in accordance with the rules made in this regard under the Information Technology Act, 2000 (21 of 2000);
(c) “designated authority” shall mean an authority designated under section 15 of the Rights of Persons with Disabilities Act, 2016 (49 of 2016) to support persons with disabilities in exercise of their legal capacity;
(d) “law applicable to guardianship” shall mean,—
(i) in relation to an individual who has long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders her full and effective participation in society equally with others and who despite being provided adequate and appropriate support is unable to take legally binding decisions, the provisions of law contained in Rights of Persons with Disabilities Act, 2016 (49 of 2016) and the rules made thereunder; and
(ii) in relation to a person who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation or a combination of such conditions and includes a person suffering from severe multiple disability, the provisions of law of the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (44 of 1999) and the rules made thereunder;
(e) “local level committee” shall mean a local level committee constituted under section 13 of the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (44 of 1999);
(f) “person with disability” shall mean and include—
(i) an individual who has long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders her full and effective participation in society equally with others and who, despite being provided adequate and appropriate support, is unable to take legally binding decisions; and
(ii) an individual who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation or a combination of any two or more of such conditions and includes an individual suffering from severe multiple disability.
Rule 10 ensures that personal data belonging to children and persons with disabilities is processed only after obtaining verifiable consent from their lawful guardian. This provision protects vulnerable individuals from exploitation, misuse, or accidental exposure of their data on digital platforms.
1. Consent for Processing a Child’s Personal Data
Before collecting or using a child’s data, a Data Fiduciary must implement technical and organisational measures to confirm that:
- The person giving consent is actually the child’s parent or lawful guardian, and
- The parent is an adult identifiable individual, whose age and identity can be verified if needed under Indian law.
The Rule explicitly allows two verification routes:
- Using reliable details of identity and age already available with the Data Fiduciary (for example, if the parent already has an account with verified KYC).
- Using government-issued identity information or a virtual token (such as a token from the Digital Locker service or any authorised identity system) to confirm the adult’s credentials.
These measures prevent situations where a minor could create an account or give consent without genuine parental involvement.
2. Illustration of Scenarios
The Rule provides four cases that clarify what compliance looks like in practice.
A child (C) declares she is a minor while creating an account. The parent (P) is already a verified user on the platform.
→ The Data Fiduciary must confirm that it still holds reliable age and identity details of P before activating C’s account.
C is a child, P is not a registered user. The platform must verify P’s adult identity using data issued by an authorised entity or a virtual token mapped to government identity— for instance, via Digital Locker.
Only after confirming that P is an identifiable adult may C’s data be processed.
Similar to Case 1, but initiated by the parent: P logs in to create C’s account using her existing verified credentials.
The Data Fiduciary should re-check its stored proof of P’s identity and age before proceeding.
Parent P is not registered; the platform must use government-verified identity data or a Digital Locker token to confirm that P is an identifiable adult.
In each example, no processing of the child’s personal data may begin until verification is complete.
3. Consent for Persons with Disabilities
When the Data Fiduciary receives consent from a person claiming to be the lawful guardian of a person with disability, it must exercise due diligence to confirm that the guardian is legally authorised.
Verification should be done against documentation issued under:
- The Rights of Persons with Disabilities Act, 2016, or
- The National Trust Act, 1999, covering autism, cerebral palsy, mental retardation, and multiple disabilities.
This Act ensures equal rights and opportunities for persons with disabilities. It defines 21 types of disabilities and provides for their education, employment, accessibility, and social inclusion. It also mandates governments and organizations to create barrier-free environments and prohibits discrimination.
This Act focuses on the welfare of persons with autism, cerebral palsy, mental retardation, and multiple disabilities. It establishes a national trust and local level committees to support such individuals and their families through guardianship, care, and empowerment initiatives.
Authorised guardians may be appointed by a court, a designated authority, or a local-level committee constituted under these laws. The Data Fiduciary should retain verified copies or tokens referencing these authorisations in secure, auditable form.
4. Practical Implementation Measures
To comply with Rule 10, organisations should adopt a mix of policy controls and technology safeguards:
- Build a parental-verification flow within onboarding or registration journeys that requests proof of adult identity via trusted e-KYC or Digital Locker APIs.
- Maintain encrypted records of parental consent with timestamps and verification source.
- Apply age-gating mechanisms (e.g., mandatory age field with validation) and AI-based age estimation only as a supportive measure, never as sole proof.
- Prevent children from re-entering falsified dates of birth by enforcing two-step verification.
- Establish clear procedures to revoke consent when a child reaches adulthood (18 years).
For disability cases, ensure the workflow allows uploading or referencing the guardianship certificate from an approved authority before processing begins.
5. Examples of Industry Context
Before creating a student account, the platform requests parental verification via OTP linked to the parent’s Aadhaar-based Digital Locker ID. Processing of attendance data or quiz scores begins only after successful validation.
When collecting health data of a minor, the hospital portal validates the guardian’s identity using a verified patient-management ID or government-issued proof stored securely in compliance logs.
A financial app blocks account creation for users declaring age < 18 unless the parent provides verified consent using e-KYC. Transactions remain disabled until confirmation.
For users with cognitive disabilities, the platform requires the lawful guardian’s appointment order issued under the Rights of Persons with Disabilities Act. The consent record is digitally signed and retained for audit.
6. Key Terms Explained
- Adult: Person aged 18 years or above.
- Digital Locker Service Provider: An intermediary authorised under the Information Technology Act 2000 to issue and verify virtual identity tokens.
- Designated Authority / Local Level Committee: Bodies created under the Rights of Persons with Disabilities Act 2016 or the National Trust Act 1999 responsible for guardianship and welfare authorisations.
- Person with Disability: Individuals with long-term physical, mental, intellectual, or sensory impairment who are unable to take legally binding decisions even with adequate support.
7. Compliance Assurance
Organisations should maintain an auditable record of:
- The consent obtained, method of verification, and date/time stamps.
- The identity verification reference (e.g., Digital Locker token ID).
- Any revocation of parental or guardian consent.
Such records demonstrate due diligence if questioned by the Data Protection Board of India.
Automating age verification and Digital Locker-based parental authentication ensures accuracy and reduces friction.
Securze assists organisations in designing secure consent-management APIs and child-data protection frameworks compliant with Rule 10.
Learn more.
Rule 10 places a strong emphasis on verifiable, auditable consent mechanisms for minors and persons with disabilities.
By combining legal verification, identity-token validation, and transparent parental communication, Data Fiduciaries can responsibly process sensitive personal data while aligning with both the DPDPA 2023 and India’s disability-rights framework.