Rule 10: Verifiable Consent for Processing of Personal Data of Child
10. Verifiable Consent for Processing of Personal Data of Child
(1) A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India, by reference to—
(a) reliable details of identity and age of the individual available with the Data Fiduciary; or
(b) details of identity and age, voluntarily provided—
(i) by the individual; or
(ii) through a virtual token mapped to such details, which is issued by an authorised entity.
(2) In this rule, the expression—
(a) “adult” shall mean an individual who has completed the age of eighteen years;
(b) “authorised entity” shall mean—
(i) an entity entrusted by law or by the Central Government or by the State Government with the issuance of details of the identity and age or a virtual token mapped to such details; or
(ii) a person appointed or permitted by the entity specified under clause (i), for such issuance,
and also includes details of identity and age or token made available and verified by a Digital Locker Service Provider;
(c) “Digital Locker service provider” shall mean such intermediary, including a body corporate or an agency of the appropriate Government, as may be notified by the Central Government, in accordance with the rules made in this regard under the Information Technology Act, 2000 (21 of 2000).
Illustration.
C is a child, P is a parent, and DF is a Data Fiduciary. A user account of C is sought to be created on the online platform of DF, by processing the personal data of C.
Case 1:
C informs DF that she is a child and declares P as her parent. DF shall enable P to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she is a registered user on DF’s platform and has previously made available her identity and age details to DF.
Before processing C’s personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P and that P is an identifiable adult.
Case 2:
C informs DF that she is a child and declares P as her parent. DF shall enable P to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she herself is not a registered user on DF’s platform.
Before processing C’s personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the identity and age, check that P is an identifiable adult.
P may voluntarily make such details available using the services of a Digital Locker service provider.
Case 3:
P is opening an account for C and identifies herself as C’s parent and informs DF that she is a registered user on DF’s platform and has previously made available her identity and age details to DF.
Before processing C’s personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P and that P is an identifiable adult.
Case 4:
P is opening an account for C and identifies herself as C’s parent and informs DF that she herself is not a registered user on DF’s platform.
Before processing C’s personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the identity and age, check that P is an identifiable adult.
P may voluntarily make such details available using the services of a Digital Locker service provider.
Rule 10 establishes a strict framework for processing the personal data of children by requiring verifiable parental consent. Its purpose is to ensure that a child’s personal data is not accessed, collected, or used without the informed approval of an identifiable adult who is legally responsible for them. This rule creates accountability for Data Fiduciaries and ensures that digital platforms do not rely on assumptions or unverified declarations when processing a minor’s data.
1. Purpose and Legal Intent of Rule 10
Rule 10 is framed to protect minors, who are considered vulnerable data principals under the law. The rule recognises that children cannot provide legally valid consent on their own, and therefore mandates that only a verified parent or lawful guardian may authorise processing of their personal data.
The rule has three critical objectives.
- First, it ensures that consent is traceable to a real, identifiable adult, not an online username or a self-declared guardian.
- Second, it requires Data Fiduciaries to verify the age and identity of the person claiming to be the parent, so that consent cannot be fabricated or provided by another minor.
- Third, it prohibits any form of processing—whether account creation, behavioural tracking, storage, or profiling—until the DF has completed this verification.
Rule 10 does not permit any form of “assumed consent,” “default consent,” or “self-declared parental consent.” The DF must have objective and verifiable proof that the parent is an identifiable adult.
2. The Core Requirement: Verifiable Parental Consent
Rule 10(1) mandates that before a Data Fiduciary processes any personal data of a child, it must adopt technical and organisational measures to ensure the parent’s consent is both authentic and verifiable. This requirement applies to every stage of processing, including registration, login processes, identity creation, analytics, storage, or any form of data handling.
The DF must be able to demonstrate that:
- The person providing consent is genuinely the child’s parent.
- The parent is an adult who has completed eighteen years of age.
- The parent is identifiable under Indian law if required for compliance or investigation.
- The verification is based on reliable identity and age details.
This imposes a legal obligation on the DF to design verification workflows that are not superficial. The DF must be able to present verifiable evidence during audits, inquiries, or investigations conducted by the Data Protection Board.
3. Recognised Methods of Verifying the Parent
Rule 10 allows two lawful pathways to verify the parent’s identity and age. Both require the DF to use objective, reliable, and traceable information.
3.1 Verification Based on Information Already Available With the Data Fiduciary
If the parent is already a user of the platform, and if the DF has previously collected reliable identity and age data during the parent’s onboarding, the DF may rely on such information. However, this is only acceptable if the existing data:
- Is accurate and has been previously verified,
- Reflects the parent’s true identity and date of birth, and
- Is sufficient to identify the adult in connection with any law in India.
In such cases, the DF must re-check the parent’s identity and age at the time of providing consent for the child. The DF cannot simply assume earlier records are valid; it must reconfirm that the stored identity evidence is both reliable and complete.
3.2 Verification Using New Identity Details or Virtual Tokens Provided by the Parent
If the parent is not a registered user, or if existing data is insufficient, the DF must verify identity and age using information that the parent voluntarily provides at the time of consent. This may include:
- Identity documents or records issued by an authorised governmental body,
- Age-proof issued by an entity authorised by law,
- A virtual token mapped to identity and age details, issued by an authorised entity such as a Digital Locker Service Provider.
A virtual token is a secure digital identifier that confirms the adult’s identity and age without requiring the DF to store physical identity documents. This supports compliance while reducing security risks.
Digital Locker plays an important role because it allows parents to share verified documents or tokens that are legally recognised and electronically verifiable, ensuring high reliability and reduced administrative burden.
4. Definitions Under Sub-rule (2)
Rule 10 provides precise legal definitions to ensure clarity in the verification process.
4.1 Definition of “Adult”
An “adult” is an individual who has completed eighteen years of age. This definition is strict; it does not permit approximations or partial years. The DF must ensure that the parent has already completed the eighteenth year, not merely that they will do so in the current calendar year.
4.2 Definition of “Authorised Entity”
An authorised entity includes:
- Any government-authorised body entrusted with issuing or verifying identity and age details,
- Any entity allowed to issue a virtual token mapped to identity and age,
- Digital Locker Service Providers, which are explicitly included by the rule.
This ensures that identity verification is based on systems that carry legal authority and are capable of supporting investigations or compliance inquiries.
4.3 Definition of “Digital Locker Service Provider”
A Digital Locker Service Provider is an intermediary authorised under the Information Technology Act, 2000, empowered to issue, store, verify, and transmit identity documents and virtual tokens. It is a trusted identity infrastructure under Indian law.
5. Practical Application: Explanation of the Four Official Illustrations
The rule provides four case examples demonstrating how a DF must implement verification in real scenarios.
CASE 1 — Child Initiates the Request; Parent Already Registered
In this scenario, the child (C) declares she is a minor and identifies her parent (P). P is an existing registered user whose identity and age details are already verified.
The DF must provide a mechanism for P to authenticate herself, confirm that previously collected identity and age data is reliable, and ensure that P is an identifiable adult. Only then may the DF process the child’s personal data.
CASE 2 — Child Initiates; Parent Not Registered
C identifies P as the parent, but P does not have an existing account.
Here, the DF must verify P’s identity and age using identity details or a virtual token issued by an authorised entity. P may submit the information voluntarily or use Digital Locker.
Processing of the child’s data can begin only after the DF confirms that P is an identifiable adult through an authorised verification mechanism.
CASE 3 — Parent Initiates the Process; Parent Already Registered
P initiates creation of the child’s account using an already verified account.
The DF must confirm the reliability of stored identity and age information and ensure that P is an identifiable adult.
Only then is the DF permitted to begin processing the child’s personal data.
CASE 4 — Parent Initiates; Parent Not Registered
P starts the account creation process but does not have an existing account.
The DF must conduct identity and age verification using authorised identity data or a Digital Locker token before any processing of the child’s data begins.
This ensures that the DF does not rely on self-declared parental claims.
6. Organisational and Technical Implementation Measures
For meaningful compliance, organisations must design structured workflows, not ad-hoc adjustments. A compliant system must incorporate:
Age-Gating and Parental Verification Workflows
If an individual indicates they are under 18, or if the system identifies an account likely to belong to a minor, the DF must immediately trigger a parental verification flow. This ensures that no data is collected until consent is validated.
Authentication and Verification Logic
The DF must support two paths—one for existing verified parents and another for new parents requiring fresh verification. Both flows must produce auditable evidence of verification.
Record-Keeping and Audit Trails
Verified identity details or token reference IDs, timestamps, parental declarations, and verification logs must be securely stored. These records form the evidence required to prove compliance.
Security Controls
Identity and consent records must be encrypted, access-controlled, and monitored. The DF must maintain logs of access to these records to prevent misuse.
Transition at Age 18
Upon reaching adulthood, the child must be recognised as a full data principal, and parental consent should no longer govern processing. The DF should implement procedures to refresh consent directly from the now-adult individual.
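The measures in this section can be sketched as a single gate, shown here as an added example that is not taken from the Rules or from any official implementation. It covers both verification paths, applies the "completed eighteen years" test from the definition of "adult", and writes the audit record before any child data is processed. The names `ParentEvidence`, `parental_consent_gate` and `create_child_account`, the record fields and the sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class ParentEvidence:
    """Hypothetical record of what the DF holds about the claimed parent."""
    path: str                      # "stored" (Cases 1, 3) or "token" (Cases 2, 4)
    date_of_birth: Optional[date]  # from stored details or the authorised entity
    verified: bool                 # details confirmed reliable / token validated
    reference_id: str              # record or token reference kept for audit

def has_completed_18(dob: date, today: date) -> bool:
    """True only once the eighteenth birthday has been reached (no calendar-year shortcut)."""
    # A 29 February birthday counts from 1 March in non-leap years (conservative assumption).
    before_birthday = (today.month, today.day) < (dob.month, dob.day)
    return today.year - dob.year - before_birthday >= 18

def parental_consent_gate(evidence: ParentEvidence, today: date) -> dict:
    """Evaluate the evidence and return an audit record; fail closed on any gap."""
    reasons = []
    if evidence.path not in ("stored", "token"):
        reasons.append("unknown_verification_path")
    if not evidence.verified:
        reasons.append("identity_not_verified")
    if evidence.date_of_birth is None:
        reasons.append("age_details_missing")
    elif not has_completed_18(evidence.date_of_birth, today):
        reasons.append("not_an_adult")
    return {
        "decision": "deny" if reasons else "allow",
        "reasons": reasons,
        "path": evidence.path,
        "reference_id": evidence.reference_id,  # reference only, no identity document
        "checked_at": datetime.now(timezone.utc).isoformat(),
    }

def create_child_account(handle: str, evidence: ParentEvidence, today: date, audit_log: list):
    """Write the audit record first, then process the child's data only on 'allow'."""
    record = parental_consent_gate(evidence, today)
    audit_log.append(record)
    if record["decision"] != "allow":
        return None
    return {"account": handle, "consent_ref": record["reference_id"]}

if __name__ == "__main__":
    log = []  # constructed sample data below
    minor = ParentEvidence("token", date(2007, 12, 31), True, "TOKEN-REF-EXAMPLE")
    print(create_child_account("c_user", minor, date(2025, 1, 1), log), log[0]["reasons"])
```
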
7. Compliance Assurance and Documentation
A Data Fiduciary must be able to provide clear, objective evidence of compliance with Rule 10. This includes:
- Documentation of the parental verification workflow,
- Evidence of how identity and age were validated,
- Logs showing that verification occurred before processing began,
- References to authorised entities or digital tokens used for verification,
- Policies and SOPs governing the protection of children's data.
If a DF cannot demonstrate how it verified the adult’s identity and age, the parental consent may be treated as invalid—even if a consent form exists. In such cases, the DF may be found in violation of the DPDPA.
Rule 10 creates a strong legal obligation on Data Fiduciaries to ensure that data belonging to children is processed only with verifiable, identity-backed parental consent. It demands structured workflows, legally recognised verification mechanisms, secure record-keeping, and demonstrable compliance capability. Through these requirements, the rule ensures that minors are safeguarded within India’s digital ecosystem.