Rule 10
10. Verifiable consent for processing of personal data of child
(1) A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India, by reference to—
(a) reliable details of identity and age of the individual available with the Data Fiduciary; or
(b) details of identity and age, voluntarily provided —
(i) by the individual; or
(ii) through a virtual token mapped to such details, which is issued by an authorised entity.
(2) In this rule, the expression—
(a) “adult” shall mean an individual who has completed the age of eighteen years;
(b) “authorised entity” shall mean —
(i) an entity entrusted by law or by the Central Government or by the State Government with the issuance of details of the identity and age or a virtual token mapped to such details; or
(ii) a person appointed or permitted by the entity specified under clause (i), for such issuance, and also includes details of identity and age or token made available and verified by a Digital Locker Service Provider;
(c) “Digital Locker service provider” shall mean such intermediary, including a body corporate or an agency of the appropriate Government, as may be notified by the Central Government, in accordance with the rules made in this regard under the Information Technology Act, 2000 (21 of 2000);