Advertisment

New regulations under DPDP Act may compel online platforms to erase inactive user information

The government could impose data deletion rules on e-commerce companies, online marketplaces, gaming intermediaries and all social media intermediaries, irrespective of the number of users they have in India.

author-image
Social Samosa
New Update
DPDP Act inactive user information

The government may compel online platforms to permanently erase the personal data of users who have remained inactive on their accounts for a consecutive period of three years, as reported by The Indian Express.

This directive, yet to be officially released, is part of the proposed executive rules of the Digital Personal Data Protection (DPDP) Act, which was enacted as law in August of this year. The scope of these data deletion regulations is anticipated to cover e-commerce companies, online marketplaces, gaming intermediaries, and all social media intermediaries, irrespective of their user base in India.

To operationalize the DPDP Act, at least 25 rules need to be formulated, and the government holds the authority to establish rules for any provision it deems necessary. Among these regulations is the creation of a consent framework to authenticate the age of a child before granting them access to online services. The Act mandates companies to obtain "verifiable parental consent" for individuals under 18 years old to use their platforms. However, the Act does not prescribe specific methods for platforms to implement age-gating, posing a challenge for the industry.

The forthcoming rules are expected to propose two methods for age verification. One approach involves using a digital locker system linked to a government ID, such as Aadhaar. The second method suggests the industry could develop an electronic token system, subject to government authorization. Certain entities, including healthcare and educational institutions, might be exempted from the requirement to obtain verifiable parental consent and adhere to age-gating regulations.

Furthermore, it has been reported that some entities may be granted exemptions from norms on a limited basis, contingent on the specific purpose for which they need to process a child's data.

data online platforms government rules DPDP Digital Personal Data Protection consent framework