23. Processing of personal data and sensitive personal data of children. —

(1) Every data fiduciary shall process personal data of children in a manner that protects and advances the rights and best interests of the child.

(2) Appropriate mechanisms for age verification and parental consent shall be incorporated by data fiduciaries in order to process personal data of children.

(3) Appropriateness of an age verification mechanism incorporated by a data fiduciary shall be determined on the basis of—

(a) volume of personal data processed;
(b) proportion of such personal data likely to be that of children;
(c) possibility of harm to children arising out of processing of personal data; and
(d) such other factors as may be specified by the Authority.

(4) The Authority shall notify the following as guardian data fiduciaries—

(a) data fiduciaries who operate commercial websites or online services directed at children; or
(b) data fiduciaries who process large volumes of personal data of children.

(5) Guardian data fiduciaries shall be barred from profiling, tracking, or behavioural monitoring of, or targeted advertising directed at, children and undertaking any other processing of personal data that can cause significant harm to the child.

(6) Sub-section (5) may apply in such modified form, to data fiduciaries offering counseling or child protection services to a child, as the Authority may specify.

(7) Where a guardian data fiduciary notified under sub-section (4)exclusively provides counseling or child protection services to a child, as under sub-section (6), then such guardian data fiduciary will not be required to obtain parental consent as set out under sub-section (2).