Brands targeting under-18s face mounting pressure ahead of India’s comprehensive Personal Data Protection Law

2018 was a defining year for data privacy protection in India. Following the Supreme Court’s landmark judgement to make privacy rights constitutional, the South Asian country drafted a new law to protect its residents’ digital privacy. Under the draft Data Protection Bill it will be illegal to track children online without parental consent. Leading kid-safe digital company in Asia Pacific TotallyAwesome, breaks down what the bill means to advertisers targeting the under-18 demographics.

What does the Bill cover?

The Bill covers all aspects of personal data protection: consent, how and where to store data, and on what grounds personal information can be processed and stored.  It also establishes a Data Protection Authority and defined the penalties for companies who breach the new law. Chapter V specifically regulates kids’ data protection.

What is considered personal data?

As under most new data privacy laws, including Europe’s GDPR, the definition of personal data not only covers name, address, date of birth, email, financial information, health data, etc. It also includes the digital footprints people create on the Internet—location data, search and browsing history, articles read, online purchases, online comments and posts, and so on.

What is the risk and why we should protect our data?

Anyone who goes online creates extensive digital footprints whether they are aware or not. Most of this data and the profiles derived from it are available for sale to the highest bidder: data brokers collect and sell information to other companies for  targeted advertising, credit risk assessment, direct marketing and other reasons. Most consumers are not fully aware of how this may affect their web browsing experience, the pricing of Internet services, what ads they see, even their credit scores or eligibility.

What is more, should a service provider be hacked or share this data with unscrupulous partners (we’ve all heard of the Cambridge Analytica scandal), these profiles could well end up in the wrong hands, and lead to significant harm such as:

• Impersonation and identity fraud
• Deviant profiling from national organisations
• Deviant profiling from private organisations such as banks or insurance companies

The new Bill confirms that people are entitled to the basic right of privacy, which means they should have the opportunity to consent to the collection and processing of personal data, and in particular control over who collects, uses and stores the personal data of children and teenagers in particular.

What does the Bill say for the under-18 demographics?

Chapter V of the draft law (“PERSONAL AND SENSITIVE PERSONAL DATA OF CHILDREN”) says that data has to be processed in a way that protects the interests of the child.

• Any kind of profiling, tracking or behavioural targeting will be prohibited. This means that kids-targeted advertising on platforms which profile and track (think GDN, Facebook, YouTube etc.) will no longer be compliant, very much in line with similar restrictions already in place in the U.S. and the E.U. ;
• Under the Indian law, the age of a ‘child’ is anyone under 18, stricter than, GDPR-K (16) and COPPA (13);
• Online services will need to verify the age of their users in order to apply appropriate data collection practices;
• If a service proposes to collect personal data from  under-18s, it must first obtain parental consent.

Advertisers, get ready now!

Under the Bill, profile-based advertising to children and teens is no longer permitted. Advertisers will be forced to completely rethink their current strategies and shift from behavioral targeting to contextual targeting to stay within the law. Companies engaging with kids online will not be able to retarget consumers or build profiles, or use profile-based data to bid on programmatic inventory. This means that most ‘adult’ technology delivering ads—all of which collect personal data by design—is not useable for kids’ campaigns. TotallyAwesome recommends a zero personal-data collecting policy for any digital campaigns targeted at kids or teens.

Companies found to be in breach of the new law will be exposed to a fine—similar to GDPR—up to fifteen crore rupees (US$ 2 million) or 4% of worldwide turnover, whichever is higher.

What are the options for kids’ advertisers?

TotallyAwesome, the leading kid-safe digital expert in Asia Pacific, operates the only zero-data, kid-safe digital ad network in the world, reaching some 65 million kids in India.  It’s powered by AwesomeAds, which enables direct and programmatic campaigns to be delivered effectively, without any risk of collecting personal data. Extensively tested over years under COPPA and GDPR-K, AwesomeAds is compliant with the new Indian Data Protection Bill out of the box.

We will be publishing five additional information guides to support advertisers through this groundbreaking change, and and explain how to create an effective digital kid-safe communication that is compliant with the law:

• • Digital Advertising – How does ZERO data advertising work
  • Programmatic – automated in the days of ZERO data advertising
  • Influencer Marketing – responsible marketing with a huge impact
  • Managing relationships and building loyalty – with parental consent
  • How does ZERO data collection work for publishers

CEO, Quan Nguyen says: “Advertisers in India face monumental changes if they want to stay on the right side of the law while conducting business. TotallyAwesome, with its wealth of experience and expertise engaging with the  under 18s, may be the only compliant digital advertising platform in the Indian market today. Our marketplace allows brands targeting kids and teens to reach out to and engage with up to 65 million kids in India – all the while staying compliant with the data protection bill.”

The Data Protection Bill is being reviewed by the Ministry of Electronics and Information Technology, which will be followed by a parliamentary discussion and adoption.