Recently, biometric age verification has emerged as a potential way to enforce India’s Digital Personal Data Protection Act (DPDPA), and ensure children are protected from online harms. However this approach has raised a lot of questions about data security and surveillance, with many concerned that it could harm more than it helps.
Similar age verification efforts such as the UK’s Online Safety Act have been mired in controversy, accusations of censorship, and even caused a surge in VPN sign-ups to platforms like ExpressVPN. While the situation in India and the DPDPA is different, the concerns raised are no less real.
The Current Regulatory Landscape
The development of the DPDPA is rooted in India’s recognition of privacy as a fundamental right under Article 21 of the Constitution in 2017. It prohibits any data fiduciaries, including social media platforms or other online services, from processing children’s data without parental consent – and has a penalty of up to INR 250 crore for non-compliance. However its draft rules released in January 2025 do not mandate specific methods for age verification, leaving room for biometrics.
Many speculate that building on the Aadhaar system that has enrolled over 1.3 billion residents with biometric data would allow seamless integration and age verification. The vague rules and guidelines recently prompted the ZEP foundation to petition the Supreme Court of India for social media regulation, and while the court declined to ban children under 13 from social media – it did direct the relevant authorities to consider its representations for mandatory age verification and biometrics.
As of right now, no measures have been taken to clarify the regulations – prompting calls for clearer guidelines to continue.
How Biometric Age Verification can Safeguard Minors
Leveraging biometric age verification will allow the use of AI-driven facial recognition and other methods to estimate the age of users during registration, and thus enforce the DPDPA. It is far more precise than self-reporting ages, and can increase security, reduce the risk of impersonation, and prevent minors from accessing age-restricted content such as pornography, or targeted advertising.
Pilot programs using AI-driven facial recognition for age verification have reported up to a 95% accuracy rate. However this can be improved further by integrating Aadhaar biometrics for additional verification. It could also streamline verification for government-backed services, and reduce fraud in welfare distribution or financial inclusions.
Risks of Biometric Age Verification
Despite its advantages, biometric age verification does pose a substantial risk to privacy. Most notably, the immutable nature of biometric data means that any data breaches or leaks could have a significantly amplified impact. Unlike other leaks, biometric data cannot be changed leaving little or no remedy in the event of a data breach. The fact that the Aadhaar system has a history of data breaches such as the 2018 incident that exposed millions of records, increases concerns further.
Although the DPDPA classifies biometric data as ‘sensitive’, and requires explicit consent and secure processing – its current draft rules are vague and lack specifics. This could not only enable misuse, but undermine the reliability of age verification biometrics as a whole if it leads to the existence of deepfakes and identity theft.
Furthermore, mandating the use of government identification for verification could exacerbate surveillance concerns. For all the strides it has made, digital literacy in India is still low and marginalized communities are likely to be disproportionately impacted by increased surveillance. Some groups have also suggested that allowing third-party vendors even limited access to biometrics from the Aadhaar system could increase the risk of breaches further.
The Path Forward: Striking a Balance
To fully take advantage of the potential of biometrics for age verification, Indian authorities need to refine their approach and take steps to mitigate privacy threats. In recent years many experts have recommended a wide range of measures such as minimizing data storage, using encryption, and leveraging privacy-enhancing technologies such as token-based zero-knowledge proofs that can verify age without disclosing identities.
The ongoing consultations on the 2025 DPDPA draft rules are the perfect opportunity to strengthen data security. It provides stakeholders with the forum to advocate for models that can mitigate the risks involved, or even suggest hybrid models that combine biometrics with less-intrusive options.
Strengthening regulations and the enforcement power of the Data Protection Board could also help establish a firm set of standards for data protection. For example, it could mandate data protection impact assessments for all biometric systems to ensure compliance and reduce the risk of data breaches.
Overall while the DPDPA signifies substantial progress being made towards protecting children, ultimately it requires greater clarity. Drawing from global lessons such as the EU’s GDPR, or the UK’s OSA can help resolve its vulnerabilities and allow it to provide greater protection without eroding trust. As long as it can strike that balance, it can resolve any concerns that it is a double-edged sword.