India’s Digital Personal Data Protection Act (DPDPA) marks a significant step in safeguarding the privacy of individuals and ensuring that personal data is managed responsibly. It can be compared to the EU’s General Data Protection Regulation (GDPR).
Regulatory compliance with the DPDPA will be crucial in the coming months and years for any organization that processes personal data related to providing goods or services to Data Principals in India.
The Act introduces a range of provisions that aim to protect the rights of Data Principals in India, and two of its critical aspects are verifiable parental consent for children under the age of 18 and data localization.
Both elements are crucial to the framework. However, even with the release of the draft DPDP Rules in January 2025, the implementation of these elements presents major challenges for organizations, regulators, and individuals alike. In today’s article, Silverse’s experts take you through these challenges so your business can be better prepared for compliance.
Many parents in India are not digitally literate, and will have difficulty providing verifiable consent as required by the DPDPA.
The DPDPA mandates that a Data Fiduciary adopts measures to ensure verifiable consent of a parent before processing the personal data of a child. The Data Fiduciary is also obliged to conduct due diligence and check that individuals identifying themselves as parents are adults who are identifiable if required by any current law.
This may be done by reference to “reliable details” of age and identity that are available with the Data Fiduciary, details that are voluntarily provided, or a virtual token mapped to these details.
While other countries, including the US and UK, have leveraged methods such as signed consent forms, digital signatures, video calls, and credit card transactions, these may be more difficult to execute in a country like India, which faces hurdles such as a large population, high illiteracy rates, and a wide digital divide.
Bearing this in mind, the implementation of verifiable consent for parents presents the following major challenges.
Difficulty in Verification
One of the key challenges in implementing verifiable parental consent is ensuring that the process is reliable and accurate. Online platforms, especially social media sites and gaming platforms, often have millions of users, many of whom are minors.
To comply with the DPDPA, these platforms would need to establish robust systems to confirm that consent is obtained from a child’s parent or guardian before collecting any personal data.
However, creating such systems presents logistical and technological difficulties. Simply asking a parent to check a box or provide a consent form is often not sufficient to verify consent with high confidence, especially considering the potential for fraudulent consent or the manipulation of verification methods.
While it can be tempting to assume that Aadhaar can provide an easy solution to this, the Aadhaar system does not inherently capture or confirm family relationships. This becomes problematic when trying to ensure that the individual giving consent for a child’s personal data is the actual parent or guardian, and not just any person with access to the Aadhaar number.
Furthermore, platforms would need to be able to handle a range of consent requests for users in different jurisdictions and types of services, adding complexity to their existing user management systems.
Lack of Digital Literacy and Accessibility
As per the NSS 78th round of the Multiple Indicator Survey, conducted in 2020–21, only 24.7% of individuals aged 15 and above in India are computer literate, where computer literacy is defined as the knowledge and ability to efficiently use a computer as well as related technologies and applications.
As many parents in India are not digitally literate, they will have difficulty providing verifiable consent as required by the DPDPA. Hence, the mandate could inadvertently widen the digital divide.
Children without proactive, tech-savvy parents might not have as much access to online platforms and services, such as social media apps, online gaming platforms, and educational websites. This, in effect, could further limit or hinder their educational and social development.
Heavy Reliance on Government Infrastructure
The requirement of verifiable parental consent may over-rely on government-backed verification systems such as Digi Locker.
These systems are effective, but have limited reach in rural and underserved areas, where many parents may not be able to use them due to a lack of the necessary documents or knowledge. Some of these parents may not even know these systems exist.
The issue is both educational and infrastructural – parents need to not only access these tools, but be informed about them and trained to use them. For this, significant investments will be required in outreach and digital literacy programs.
Enforcement and Compliance by Service Providers
For verifiable parental consent to be effective, there must be stringent enforcement mechanisms in place. Many online platforms, especially smaller ones, may struggle to comply with the DPDPA’s requirements. This presents a challenge for regulators, who must ensure that all platforms, regardless of their size or reach, are adhering to the law.
Additionally, the large scale of online platforms complicates enforcement. Ensuring that every platform complies with parental consent rules is a monumental task that will require considerable resources and regulatory oversight.
Possible Solutions
To address the major challenges presented by the requirement of verifiable consent, the DPDPA could consider the following:
Under the DPDPA, certain types of personal data must be stored and processed within India. The overarching intent behind this provision is to retain control over the data, ensuring that it is subject to Indian laws and regulations.
However, despite its significance, data localization presents several challenges for businesses and policymakers. Before we dive into these challenges, let us first define both data localization and a relevant related concept: cross-border data transfers.
What is Data Localization?
Data localization is the practice of storing and processing data within the borders of a particular region or country. This is typically done to comply with national laws and regulations that require certain types of data (e.g., personal, sensitive, or critical data) to remain within the country’s jurisdiction.
The aim is to enhance data security, protect privacy, and ensure that governments have access to data when required for legal, security, or regulatory reasons.
What is Cross-Border Data Transfer?
Cross-border data transfer refers to the movement of data from one country to another. In the digital era, companies often need to transfer data across borders for processing, storage, or analysis.
Many countries impose specific rules or restrictions on cross-border data transfers, requiring businesses to ensure that the destination country provides an adequate level of data protection.
For example, under the GDPR, data transfers outside the EU are only permitted if the recipient country offers comparable data protection standards, or the company implements adequate safeguards like standard contractual clauses.
Disruption of Cloud-Based Services
The rise of cloud solutions and data storage has paved the way for a globalized data ecosystem.
Cloud providers, including major players like Amazon Web Services (AWS) and Microsoft Azure, operate large-scale infrastructure across numerous countries. These services typically store data in multiple locations for performance optimization, redundancy, and compliance with different regulatory requirements.
The data localization mandate under the DPDPA may disrupt this model. This is because it forces cloud providers and other service providers to create separate localized infrastructure to cater to the Indian market.
Industry-Specific Challenges
The DPDPA’s data localization requirements are likely to disproportionately affect industries that heavily depend on cross-border data transfers or manage vast volumes of personal data, especially data that could be considered sensitive. Such industries include but are not limited to healthcare, financial services, telecommunications, and eCommerce.
Furthermore, businesses that rely on foreign CRM systems and payment gateways, such as many retail and eCommerce businesses, may need to overhaul their strategies for compliance.
Financial and Operational Impact
Stringent data localization requirements could potentially hinder foreign investments and innovation by disrupting global data flows and requiring costly infrastructure adaptations.
Stringent data localization requirements could potentially hinder foreign investments and innovation.
For example, companies with global operations often store and process data in various regions to optimize cost, speed, and efficiency. The requirement to localize data means they may have to set up and maintain dedicated infrastructure within India, incurring substantial costs. For multinational companies, this could mean duplicating storage systems and shifting workflows to accommodate India-specific data management rules.
Furthermore, companies will have to comply with the DPDPA while also adhering to international regulations such as the EU’s GDPR and the UAE’s PDPL. This will lead to fragmented and complex data storage and processing systems.
The overall impact of data localization requirements on scalability and global operations could further lead to increased costs for Indian consumers, as companies might pass on expenses related to infrastructure development and maintenance.
Security and Privacy Concerns
The lack of a standardized approach to security across different regions and jurisdictions could expose localized data to risks.
Reliance on a localized infrastructure raises the question of how effectively the Indian government can ensure data security and prevent misuse of personal data by malicious actors. The government will need to invest heavily in infrastructure and regulation to safeguard sensitive data from potential breaches.
Potential Solutions
To address the challenges posed by the requirements of data localization, the DPDPA could consider the following:
In the meantime, businesses can adopt strategies such as regular data audits and monitoring of regulatory changes to more easily meet current data localization requirements.
While the DPDPA introduces vital provisions to protect citizens’ privacy and control over personal data, its implementation is fraught with challenges.
The success of the DPDPA will depend on how well these challenges are addressed by all parties involved. Policymakers must strike a balance between ensuring robust privacy protections for Data Principals and allowing businesses the flexibility to operate efficiently in a globalized digital ecosystem.
For businesses, compliance will be complex and demanding. Silverse’s regulatory compliance services can help you ensure adherence to every requirement of the DPDPA. Contact us now to get started.
Please fill the details below. A representative will contact you shortly after receiving your request.
