Nandinii Tandon and Mehul Sharma

Source: The Wall Street Journal
In an era where parents are overwhelmed by endless digital consent and verification demands, the Common Consent Mechanism under the US COPPA offers a unified solution to ease this burden under the DPDPA, 2023. This article explores how this mechanism reduces identity verification fatigue while retaining informed and explicit parental consent, thus making children’s privacy protection more meaningful and more manageable.
Introduction
In 2008, a study estimated that if Americans read privacy policies word-for-word, it would take 201 hours and $3,534 per user each year, costing the nation more than $781 billion annually. A price tag this high makes clear that privacy policies were never meant to be read, only accepted. The inevitable outcome is consent fatigue, a phenomenon where individuals, overwhelmed by incessant and complex consent requests, mechanically agree without truly engaging with or understanding them. For parents, this fatigue is two-fold. Firstly, there is identity verification fatigue: each time a child signs up for a new app or service, parents must repeatedly prove their identity, often through cumbersome verification steps. Secondly, there is consent fatigue: even after verification, they must continually review and accept privacy notices across apps and platforms. The stakes are higher too, since every such choice directly shapes a child’s safety and digital footprint. Further, consent fatigue is not merely a user-side challenge; it has also proved detrimental to businesses. Studies show that repetitive verification processes are cumbersome and often cause customers to abandon the process altogether. In this article, the authors explore how a Common Consent Mechanism (‘CCM’) could ease parental verification burden under the data protection regime and reduce the compliance obligations on businesses.
The Burden of Parental Identity Verification
Section 9 of the Digital Personal Data Protection Act, 2023 (‘DPDPA’) lays down a special provision in reference to children, requiring data fiduciaries to obtain parental consent before processing the personal data of the child. Importantly, this consent must be verifiable, i.e., capable of being authenticated in a prescribed manner to ensure that it is genuinely given by the parent or lawful guardian. Verifiable parental consent (‘VPC’), therefore, is essentially an added layer of protection, requiring a parent or guardian’s affirmative involvement before a child’s data can be processed. The requirement of VPC operates on the consent framework specified under Section 6, which requires that data fiduciaries collect affirmative consent that needs to be “free, specific, informed, unconditional and unambiguous”. To operationalise such a form of consent, the principle of granularity (pg. 5) becomes paramount, allowing data principals to accept or refuse consent for each specified purpose separately. However, presenting users (here, parents) with too many granular options may end up overwhelming them, resulting in consent fatigue rather than genuinely informed choices. So, what is the solution to this conundrum? The United Kingdom Information Commissioner’s Office recognises the use of multi-layered notices as an effective technique to address consent fatigue. By adopting multi-layered notices, businesses demonstrate transparency and respect for user autonomy, thus going beyond mere compliance to proactively show how data is collected, processed, and protected. This layered approach presents users with a short, simple notice highlighting primary details in its first layer, such as the identity of the data fiduciary and how they process the collected personal data, while the second layer delineates the full text of the notice for those who wish to access more comprehensive information. 
While this technique helps reduce the complexity of privacy notices that users must read, it does not resolve a distinct challenge in the case of children’s personal data, namely, that parents are still required to provide verification of parental identity separately for each service provider. That repetition can become overwhelming and, in some cases, even costly. To address this gap, we propose the adoption of a CCM, similar to the approach recognised and practiced in the United States of America (‘US’).
Making The Case for Common Consent Mechanism
The CCM allows multiple service providers to rely on a single, shared platform for providing privacy notices and obtaining VPC, thereby reducing duplicative requests and easing the compliance burden on parents and operators alike. The Children’s Online Privacy Protection Act (‘COPPA’), the primary US legislation on children’s privacy, does not explicitly provide for a CCM in its rules or regulations. However, the Federal Trade Commission (‘FTC’) acknowledged and recognised such a mechanism in its 2013 Statement of Basis and Purpose (pg. 19). This position was later reaffirmed in its response to Question I.10 of the COPPA’s Frequently Asked Questions. The FTC has further affirmed its support for CCM, clarifying that operators are free to use it, provided it complies with the COPPA’s basic notice and consent requirements. But how does such a mechanism actually work in practice?
To understand this, let us take an example of Google Play Store, where several apps are listed and available for download. In the case of a child, after an app is downloaded, it is necessary for the parent to provide VPC to enable the child to use the app. Suppose there are 3 apps that the child wishes to download: App X, App Y, App Z. For each app, under the current DPDPA framework, not only will the parent have to read and provide informed consent to the privacy notices, they will also have to provide verification of their parental identity directly to X, Y and Z, respectively. It is clarified that, in the current scenario, Google Play does not obtain verification of identity on behalf of every app developer. This repetitive process can quickly lead to consent fatigue for parents, which can be mitigated through the use of a CCM. Under that mechanism, Google Play will act as a single trusted platform which would collect and verify identification once, then share that verified status across multiple child-directed apps (here X, Y, and Z). When the account of the child is created, the parent verifies their identity using an approved method. These approved methods might include a nominal charge of INR 1 through their credit card, Aadhaar/PAN Card ID check, or print-and-send form, etc. Once the verification of identification is obtained, it is stored with Google Play. It is clarified that even with CCM, parents retain control over app-specific consent to privacy notices. Such privacy notices have to be multi-layered to reduce consent fatigue, as explained above. Now, when the child wishes to download App X, the app does not have to separately ask for identity verification of the parent in order for the child to use the app. The only contingency on which the child will be able to use the app would be whether the parent accepts or rejects the privacy policy of App X. 
To reiterate, for App X, the VPC obtained through Google Play’s CCM acts solely as a verification of the parent’s identity; it does not automatically mean the parent has accepted App X’s privacy policy. Consequently, after verification of the identity of the parent is received by App X, the parent receives a notification stating, “App X requires your consent to process your child’s data.” They can choose to “accept,” “reject,” or “request the full text of the privacy policy” of the app. Thus, while the responsibility to obtain the verification of parental identity shifts to Google Play, the obligation to obtain informed consent through a privacy notice as per the requirements of Sections 5 and 6 of the DPDPA continues to rest with the data fiduciary (i.e., App X). In this way, CCM saves parents from becoming an echo in the digital wilderness, endlessly repeating their identity across apps in a slew of verifications. With layered notices, it reduces consent fatigue and identity verification fatigue.
CCM-Induced Business Ripples
At this stage, one pressing question demands attention: do app stores bear liability under CCM? The FTC clarified that third-party platforms, such as app stores, will not face liability under COPPA solely for developing or offering “platform-based” or “multi-operator” parental consent mechanisms. In the Indian context, app stores, qualifying as intermediaries, are immune from such liability due to the existence of Section 79 of the Information Technology Act, 2000. Section 79 grants safe harbour protection to intermediaries as long as they do not initiate transmission, select the receiver or modify the information. In the case of Google India Private Limited v. M/s Visakha Industries, the Supreme Court held that “intermediaries stand on a different footing being only facilitators of exchanges of information or sales”. In the context of CCM, as app stores are merely performing a facilitative role of obtaining verification of identity from parents and providing it to particular app developers, they cannot be held liable for the underlying processing of children’s data or for any defects in the parental consent collected on behalf of individual app developers, as the role of the app stores is that of a mere facilitator and the CCM does not render them data fiduciaries. This clarification is also commercially crucial, as exposing app stores to liability would not only disrupt their business models but also discourage them from investing in developing scalable verification models.
Adoption of the CCM within the DPDPA framework would prove beneficial for all stakeholders. For parents, it would eliminate the repetitive task of verifying their identity each time their child wishes to download an app. At the same time, for the sake of practicality, the requirement of renewing verification every six months is suggested as it would ensure that verification remains valid, up to date, and reflective of the parents’ continuing choice, ensuring compliance with the DPDPA. For businesses, particularly smaller app developers, this would significantly cut compliance costs, as such processes are technologically convoluted and resource intensive. CCM shifts a portion of this compliance burden to app stores, effectively positioning them as verification intermediaries. The mechanism would mirror the Account Aggregator framework in India’s fintech ecosystem, where accredited private entities act as trusted intermediaries for data sharing. Similarly, app stores could function as accredited verification managers, offering a one-time parental verification that seamlessly works across all apps. Further, CCM can serve as a shared compliance infrastructure, by creating uniform verification standards and allowing for a clear allocation of responsibility, certainty and greater trust between platforms, developers, and users.
Conclusion
In an era where data defines childhood, the question is no longer whether children should be protected online, but how much we are willing to trade for that protection. On one hand, parents face the dual burdens of identity verification fatigue and consent fatigue, which nullify what remains of any meaningful choice in the digital era. On the other hand, businesses, particularly smaller developers, struggle with the costs and intricacies of building separate verification infrastructures. A CCM, operated by app stores, offers a simple and practical way forward by optimising parental verification to reduce redundancy, while preserving app-specific control over privacy notices. However, its adoption is not without risks. Curiously enough, the success of any CCM will hinge on a simple question: can we protect children without exhausting parents when every step becomes one consent box, one verification loop, one choice too many?
Nandinii Tandon is a 4th year BA LLB (Business Law Hons.) student at the Rajiv Gandhi National University of Law, Punjab.
Mehul Sharma is a 3rd year BA LLB (Hons.) student at the Rajiv Gandhi National University of Law, Punjab.
