16 Processing of personal data and sensitive personal data of children.

(1) Every data fiduciary shall process personal data of a child in such manner that protects the rights of, and is in the best interests of, the child.

(2) The data fiduciary shall, before processing of any personal data of a child, verify his age and obtain the consent of his parent or guardian, in such manner as may be specified by regulations.

(3) The manner for verification of the age of child under sub-section (2) shall be specified by regulations, taking into consideration—

(a) the volume of personal data processed;

(b) the proportion of such personal data likely to be that of child;

(c) possibility of harm to child arising out of processing of personal data; and

(d) such other factors as may be prescribed.

(4) The Authority shall, by regulations, classify any data fiduciary, as guardian data fiduciary, who—

(a) operate commercial websites or online services directed at children; or
(b) process large volumes of personal data of children.

(5) The guardian data fiduciary shall be barred from profiling, tracking or behaviouraly monitoring of, or targeted advertising directed at, children and undertaking any other processing of personal data that can cause significant harm to the child.

(6) The provisions of sub-section (5) shall apply in such modified form to the data fiduciary offering counselling or child protection services to a child, as the Authority may by regulations specify. 

(7) A guardian data fiduciary providing exclusive counselling or child protection services to a child shall not require to obtain the consent of parent or guardian of the child under sub-section (2).

Explanation.—For the purposes of this section, the expression "guardian data fiduciary" means any data fiduciary classified as a guardian data fiduciary under sub-section (4).