Google, Whatsapp, Facebook, Instagram, X can open account of below 18yrs age with parent’s consent, delete data in 3yrs: Draft Digital Personal Data Protection Rules 2025!

Published By : sanjeev | January 4, 2025 5:50 PM

Bhubaneswar: in pursuance to the passing of the Digital Personal Data Protection (DPDP) Act 2023, the Ministry of Electronics and Information Technology ((MEIT) has Friday notified the Draft Digital Personal Data Protection Rules 2025.

As per the draft DPDP rules, henceforth data fiduciaries, who are social media intermediaries, like Google, Whastapp, Facebook, instagram and X, cannot open account of any minor – means who are less than 18-years of age.

For opening accounts of minors, such Data Fiduciaries have to take consent of parents of the minors.

Moreover, they have to delete the personal data of all users (Data Principal) after three years.

As per Rule 10 of the draft DPDP, a Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child.

It further said, they have to observe due diligence by checking that

If the parent of minor informs the Data Fiduciaries (DF) that s/he is a registered user of the DF platform and had previously made available identity and age details to the DF, the DF has to verify the details to find out whether parent is adult or not.
If the parent of minor informs that s/he is not a registered user, then to ascertain that the individual is an identifiable adult, DF shall refer to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the individual.
Read the rule 10 below.

TIME LINE FIXED FOR STORING PERSONAL DATA

In pursuance to Rule 8 (1), the draft DPDP Rules 2025 in its third schedule, has clearly outlined who are social media intermediaries in India and has set a timeline to store personal data. It says:

Social media intermediary (DF) having not less than two crore registered users in India can keep the data for a time period of is Three Years from the date on which the user last approached it for the performance of the specified purpose or exercise of her rights, or the commencement of the Digital Personal Data Protection Rules, 2025, whichever is latest.
However, the DF is exempted from erasing personal data if it is essential for the user to access its personal account OR
Essential for user to access any virtual token that issued by or on behalf of the DF to avail transactions of money, goods or services.
The above rules show data of all inactive accounts may stand deleted post notification of DDP Rules 2025, which are more than 3-years old.

See the Table below:

CLASS OF DATA FIDUACIARIES

PURPOSES

TIME PERIOD

Data Fiduciary who is a social media intermediary having not less than two crore registered users in India

For all purposes, except for the following:

(a) Enabling the Data Principal to access her user account; and (b) Enabling the Data Principal to access any virtual token that is issued by or on behalf of the Data Fiduciary, is stored on the digital facility or platform of such Data Fiduciary, and may be used to get money, goods or services

Three years from the date on which the Data Principal last approached the Data Fiduciary for the performance of the specified purpose or exercise of her rights, or the commencement of the Digital Personal Data Protection Rules, 2025, whichever is latest

Tags: prameyanews