Children under 18 years of age will require parental consent to create social media accounts, as per the draft rules of the Digital Personal Data Protection Act, 2023, published by the Centre on Friday.
The Ministry of Electronics and Information Technology (MeitY) has invited public feedback on the draft rules via the government’s citizen engagement platform, MyGov.in.
The feedback window will remain open until 18 February 2025.
The draft rules aim to tighten data protection measures, with a focus on safeguarding the personal data of children and individuals with disabilities under lawful guardianship.

Data fiduciaries – entities entrusted with handling personal data – will be required to obtain the consent of a parent or guardian before processing any personal data of minors.
To verify the consent, the rules stipulate that fiduciaries must use government-issued identification or digital identity tokens, such as those linked to Digital Lockers.
However, educational institutions and child welfare organisations may be exempt from certain provisions of the rules.
In addition to provisions for children’s data, the draft rules introduce enhanced consumer rights, including the ability to request the deletion of personal data and demand transparency from companies regarding the reasons for data collection.
The proposed rules also include strict penalties for non-compliance, with data fiduciaries facing fines of up to Rs 250 crore for data breaches.
Consumers will also have the right to challenge companies’ data collection practices and seek clear explanations regarding the usage of their data.
The rules aim to provide clearer guidelines for critical digital intermediaries, such as e-commerce platforms, online gaming intermediaries, and social media platforms, which facilitate user interaction, sharing, and dissemination of information.
A key element of the draft is the establishment of a Data Protection Board to oversee compliance.
The Board will be a fully digital body responsible for conducting remote hearings, investigating breaches, enforcing penalties, and registering consent managers – entities responsible for managing data permissions.
Consent managers will be required to register with the Board and maintain a minimum net worth of Rs 12 crore.
These comprehensive measures are designed to ensure that data fiduciaries implement strong technical and organisational safeguards, particularly when dealing with vulnerable groups such as children.
The draft rules of the Digital Personal Data Protection Act require children under 18 to obtain parental consent before creating social media accounts.
The rules also propose penalties for data breaches, enhanced consumer rights, and the establishment of a Data Protection Board to oversee compliance.