Is there no solution for Age-gating?

Posted on July 20, 2024 by Vijayashankar Na

India provided legal recognition to electronic documents through the Information Technology Act 2000 (ITA 2000). This gave legal recognition to electronic documents. ITA 2000 also introduced the Digital Signature and later on the Electronic Signature (e-Sign) as a means of authentication of an electronic document. The two together enabled “Electronic Offer and Acceptance to conclude an Electronic Contract valid in a Court of law” subject to exclusions in Section 1(4) of ITA 2000 and the Schedule I of ITA 2000.

Now the DPDPA has been enacted and the “Issue of a Notice and obtaining Consent” in a legally valid form has become relevant. The “Consent” as per Section 6 of DPDPA 2023 is expected to be an agreement meant to be enforced in law by a Data Principal against a Data Fiduciary.

The need for a legally acceptable online Consent Contract poses the following legal challenges.

1.Consent needs to be authenticated by a Digital/Electronic Signature and a mere Click-Wrap consent may be disputable.

2. If Consent is a Contract, its validity after the death of a data principal is disputed and hence the “Nomination” clause may be disputed.

3. If Consent is a Contract the validity of consent provided by minors or mentally disabled persons for whom a Court has granted a legal guardian may also be disputed and it is necessary to establish that every consent was given by a person of above 18 years of age and every consent of a person less than 18 years of age (or a mentally disabled person) was given by his guardian.

We now need to find a solution to each of these problems while implementing DPDPA 2023 and formulating DPDPA Rules.

In this connection, I draw the attention of readers to two of my earlier writings on this topic indicating that I have been trying to find a solution to this issue for a long time and the thoughts expressed in the underlying articles need to be pursued by the Government.

1.What is an “Adult Pass”? – naavi.org (July 13, 2005)

2.“Personal Digital Age” needs to be given a legal recognition (February 20, 2023)

A few days back, in a discussion between MeitY and the Face Book/Google representatives on DPDPA Draft Rules, the press reports have emerged to the effect that the meeting concluded that no solution is acceptable to the industry in this regard and they should be given the freedom to determine their own method to identify “Minors”. They have also asked for exemption on regulating “Behavioural Monitoring and Targeted advertising” of minors.

In summary the Face Book and Google have asked for complete exemption on any regulation of their activities on Minors and the Government seems to be yielding to this demand. Without the acceptance of the draft rules by Face Book and Google, they are unlikely to be adopted by the Government.

In this context I also draw the attention of the readers to the article in Mint published on 23rd November 2023 (Link here) which provides useful information on the use of Social Media by minors in India. According to this article about 35 % of users are minors and spend more than 3 hours per day. I leave it to the sociologists to quantify the adverse impact of this with the development of the minors which the busy parents of the day are unable to control. The article also records that more than 73% of the parents do prefer to exercise control through parental consent but the services donot enable them. As a result, it is not only the adult content but unauthorized E Commerce purchases, possible drug purchases, possible crime information etc are also easily accessible to minors causing a threat to the society.

Regulating content to Minors is therefore a social responsibility of the Government and there is no need to tune the regulations to protect the commercial interests of Face Book or Google. It is even more surprising that these same organizations are in the forefront of litigating against the Government whenever they donot like the law. It would have been fair if the Government had kept them at a distance till the cases they have filed against the Union of India in respect of ITA 2000 rules are not withdrawn instead of seeking their consensus on the proposed DPDPA rules. The reason why a more robust PDPB 2018/PDPB 2019/DPB 2021 was replaced with the DPDPA 2023 was the objections of these organizations and now they are not allowing the Government freedom to make the regulations also.

Under these circumstances the giving up of the age-gating regulations is not a wise move and needs to be re-visited.

It is not correct to say that there is no solution or that any solution is not scalable etc (Refer here) . These are the same agencies who have filed objections to the ITA rules on identification of “Originator of a WhatsApp Message” on unsustainable technical excuses. Their views are not final and Government needs to honestly try alternatives even if they serve the purpose partially.

Some of the solutions that can be tried are indicated below.

1.Use of “Age Certificates” to be issued by UIDAI to every Aadhaar holder which can be produced for every consent.

This will also serve the purpose of curtailing fake accounts in social media.

There will be the “Privacy Objections” but as long as release of identifiable data behind the Age Certificate is subject to valid legal process, there is no violation of Privacy principles.

This is the easiest and most effective manner and only India can do this and perhaps not USA.

Aadhaar information of a minor is also associated with the name of the parent which can be used for matching the name declared by the minor. There may be exceptions when a mother wants to provide consent instead of the father whose name is in the Aadhar but such exceptions can be handled through escalation of the requests.

It is for UIDAI to confirm if they are not able to meet the scaling requirements and what should they do to use the services of subsidiary agencies to scale up the requirements.

“Age Pass” and “Guardian Pass” can be two ancillary services that can be issued by UIDAI and would be of great use to the community. As long as the link to identity is regulated by a proper legal process, this should be acceptable to Supreme Court also though an initial objection would definitely be filed by the “Andolan Jeevies”.

2. DPDPA has introduced the concept of “Consent Managers”. These consent managers can maintain a KYC of their customers and hence age-gating responsibility can be undertaken by them. There can be specialized Consent Managers to manage Minor’s consents who may be Authorized User Agencies of UIDAI.

3. Another method of partial satisfaction of confirming whether a consent giver is an adult or not is through the TRAI and the OTP system. Whenever an OTP is given through a number X, TRAI can ensure that the owner of the OTP authenticating SIM is an adult and his name is so and so… which can be matched with the name of the guardian stated by the minor.

4.The problem of legal guardians of mentally disabled persons is different. I am not aware if Aadhaar has a system of recording this information and if not, it needs to be introduced. Secondly the Courts have to develop a data base of legal guardianship certificates issued by any Court across India and make it available to authorized agencies like UIDAI or an accredited Consent Manager of DPDPA.

5. MeitY can also check with RBI if Banks will be willing to issue an ID Card “I am Not a Minor” or “I am a minor till ….. and my guardian is …….”

I would also urge the Ministry of Consumer Affairs to incorporate some of these suggestions as a part of the regulation of E Commerce Transactions by minors. Regulating e-commerce transactions of minors can also be attempted with the cooperation of RBI by creating a “Minor Payment Card” associated with any Credit/Debit card which the Banks can issue after a KYC process.

I invite suggestions from others to improve the above thoughts.

If MeitY authorizes, Naavi would be working with some of the technology partners to develop a prototype for one or more of the above suggestions.

I reiterate that there is a solution for Age-gating and we only need to discover it with some effort. If MeitY can assure that they will stand by the principle, technology players can invest their time and effort to find a solution.

If however, the “Minor Consent system” is ruled by the Face Book and Google, then no Indian technology company may be interested in investing for such development. The ball is now in the court of MeitY whether they want indigenous efforts to be invested in fining a solution to the Age-gating problem.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.