Draft Digital Personal Data Protection Rules, 2025: Key Measures for Child Data Privacy and Security

The Union Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules, 2025, on January 3, outlining measures aimed at safeguarding children's personal data.

These draft rules are a key component of the Digital Personal Data Protection Act, 2023, which was passed by Parliament in August 2023.

The government has invited objections and suggestions from stakeholders on the draft rules, with a deadline set for February 18, 2025.

Child Protection Measures

Under the proposed rules, social media platforms and online services must obtain verifiable parental consent before processing children's personal data. Parents will need to explicitly approve the collection and use of their child's data by these services.

The draft rules also require data fiduciaries (entities that collect and store personal data) to verify the identity of individuals claiming to be a child's guardian. This verification process may involve checking government-issued IDs or using digital tokens linked to identity services.

For example, if a child wants to create an online account, the data fiduciary must ensure the parent is identified securely before processing the child’s data. An illustration provided in the draft explains that when a child (C) informs a data fiduciary (DF) that they are a child, the parent (P) must identify themselves through the platform, confirming their identity and age details before the child’s data is processed.

State Processing of Personal Data

The rules permit state entities to process personal data when providing subsidies, benefits, or services. This ensures that such processing adheres to established standards and safeguards, enhancing accountability in the public sector's handling of data.

Security Measures

To protect personal data from breaches, data fiduciaries are required to implement reasonable security safeguards, including:

  • Encryption and securing of personal data
  • Controlling access to computer systems used for processing
  • Maintaining logs and monitoring access to detect unauthorized use

Breach Notification Requirements

In the event of a data breach, data fiduciaries must promptly notify affected individuals, detailing:

  • The nature and extent of the breach
  • Potential consequences for the individuals involved
  • Measures taken to mitigate risks

Data fiduciaries must also report breaches to the regulatory board within a specified timeframe, ensuring transparency and accountability in breach management.

Data Retention Policies

The draft rules mandate that personal data be erased within a set period if it is not being used for its intended purpose. This encourages organizations to regularly review data retention practices and prevent the indefinite storage of unnecessary data.
