Social media companies list out worries as Centre readies data protection rules

Social media intermediaries have pointed to undoing behavioural tracking of children, verifiable parental consent (VPC) and targeted advertisements as the biggest concerns with the data law.

The Rules for the Digital Personal Data Protection (DPDP) Act, which will provide teeth for enforcement of the law, are expected soon, and companies are hoping the government will address their concerns.

Section 9 of the DPDP Act, which was notified in the Gazette in August last year disallows behavioural tracking of children on digital platforms.

This prohibits companies from keeping track of a child’s activity online which in turn has an impact on the effectiveness of their safety features.

A social media intermediary’s executives told ET, “There are some signals we must pick up of our users, of adults and children, to inform the effectiveness of our safety features.”


“We’re working with the ministry of electronics and information technology (MeitY) and other stakeholders to figure out a pragmatic, balanced approach to ensure privacy and safety of teenagers. We should be able to do as platforms do, the things that protect young users,” the executive said.

Google, Google-owned YouTube, Meta, X (formerly Twitter), and Snap did not respond to ET’s requests for a comment.

Social media companies track teenagers’ behaviour on their respective platforms to protect them from predatory behaviour and paedophiles, they claimed.

Also read | 'Data Protection Act will make digital companies handle data of Indians under legal obligation'

Protecting the Vulnerable

“We had made an unequivocal representation to Meity that a wholesale ban on behavioural tracking is counterproductive to the government’s own objectives. We have made that case to the government repeatedly. The caveat for exemptions however leaves room for advocacy,” the official said.

Another social media intermediary’s executives told ET, “Turning off behavioural tracking compromises safety, integrity, and security for children on the platform.”

They gave the example of the monitoring and tracking e-privacy directive in the European Union which had a similar provision.

As part of compliance, companies had to suspend a range of classifiers on the platform and the regulator there had been updated of these suspensions.

In response, the regulator provided an exception for companies to reinitiate the classifiers.

“The unintended consequence for not having an exemption for security remains of very high concern. It is important for us and any other platform to prevent predators and unrelated adults from approaching and communicating with children,” the executives said.

However, the Act gives the government the ability to either exempt certain data fiduciaries or to exempt certain types of data processes from undoing behavioural tracking and this has made companies hopeful.

“In future, even after the notification of the rules, it is possible for the government to introduce such exemptions. If not, the safety features will have to be turned off, which happened briefly in Europe,” they said.

Parental Consent

Another clause of Section 9 requires companies to take permission from parents before processing a child’s data.

Companies are at loggerheads on arriving at a mechanism to take this permission and are hoping that the Rules would provide more clarity on the same.

They are expecting the government to identify third parties who can do VPC as companies can’t do it completely on their own.

“In the Rules, the government must tell us who those third parties are going to be. Once that is done, we will work closely with those third parties to comply,” the executives from the second company said.

Many respected policy experts have suggested that a token-based solution will be safer than having parents share their IDs with multiple companies, they said.

“Also, if it is not possible for us to provide age-appropriate advertising, several dangers emerge like children getting inappropriate ads like that for adult diapers or hygiene products which are not right for kids,” executives said.

“In our stack rank of problems with the law, the biggest problem is section 9 of the DPDP Act on verifiable parental consent, behavioural monitoring and tracking, and targeted advertisements. These are important issues,” executives from the first company said.

“If these three are resolved, there won’t be as much consternation. The P0 (Priority 0) impact to our company in the form of product changes, revenue and user growth is verifiable parental consent, and behavioural monitoring and tracking,” they added.