Anyone below the age of 18 has been defined as “children” in the upcoming Digital Personal Data Protection (DPDP) Bill. The government will “review” this definition one year after enactment of the Act, a senior official told ET.

“We spoke to several stakeholders before coming to this decision. While parents want the age to be kept at 18, children and other stakeholders want it lowered. But right now, the age cut-off will be 18. We may lower it to say 16 a year after the (DPDP) Bill is in place,” the official added. Companies will be required to obtain explicit parental consent before processing any data belonging to this user group.

The official said, if these companies can assure us that they have put in place a proper framework which protects the data of children, prevents any kind of harm from reaching them and does not provide for any sort of targeted advertising, there is no reason why it cannot be lowered (to 16).

The decision by the Ministry of Electronics and Information Technology comes amid a sustained pushback from internet and social media intermediaries who have argued that keeping the age at 18 is not in line with global standards.

Companies such as Meta Inc, Google, Snap, and others, which have users below the age of 18, will have to seek explicit parental consent for processing any data.

Sources in the IT ministry said any decision to lower the age of consent to 16 a year after the DPDP Bill is enacted will be the government’s way of reassuring companies in the ed-tech and other children-content related space. These companies, sources said, have urged the government to lower the age since much of their educational and informative content is targeted at children.

Apart from retaining the current definition, the draft DPDP Bill proposes that companies that deal in such data groups will not process data in any way that harms children. Further, it proposes that data fiduciaries “shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children”.

The obligations prescribed in the draft Bill are a departure from similar norms around the world. For example, the United States (US) and the European Union (EU) recognise varying levels of maturity of young adults and teenagers while prescribing the age of consent and the rules for data processing.

While the US, under the Children’s Online Privacy Protection Act (COPA), prohibits processing data of children below the age of 13, the EU’s General Data Protection Regulation (GDPR) has varied norms for consent between the ages of 13 and 16, depending on the age group adopted by each member state within the Union.

Much of the discussion surrounding the case has focused on the costs to online companies if the court determines they are legally responsible for the hundreds of millions of comments, videos and other content posted by users every day. Google is being sued by the family of Nohemi Gonzalez, a 23-year-old US citizen who was among at least 130 people killed in coordinated attacks by the Islamic State in Paris in November 2015.