Children deserve heightened protection. DPDPA recognizes this by requiring verifiable parental consent before processing any personal data of individuals below 18 years. No exceptions for legitimate use. No shortcuts. Parental consent or nothing.
The Age Threshold
Under DPDPA, a child is anyone below 18 years of age. This is higher than GDPR which typically uses 13-16 depending on member state. For any service that might be used by individuals under 18, you must have mechanisms to identify minors and obtain parental consent.
Verifiable Consent Requirement
Parental consent must be verifiable. A checkbox claiming parental approval is insufficient. You must implement mechanisms that provide reasonable assurance that the person consenting is actually the parent or legal guardian. The level of verification should be proportionate to the risks of the processing.
- Age verification before data collection
- Parent or guardian identification
- Consent verification mechanism
- Record of consent with verification method
Prohibited Activities
Section 9 and Rule 10 prohibit certain activities regarding children data. Tracking, behavioral monitoring, and targeted advertising directed at children are restricted. Processing that could cause significant harm to a child is prohibited. These are not matters of consent—they are absolute prohibitions.
EdTech and Educational Services
Rule 11 provides specific provisions for educational institutions and their data processors. Schools can process student data for educational purposes. EdTech providers processing on behalf of schools must adhere to educational purpose limitations. But commercial use of student data requires the full parental consent framework.
Essential Clauses
Age Verification Method
Section 9How you determine if a user is under 18
Parent Identification Process
Rule 10How you verify the consenting adult is a parent or guardian
Consent Verification Mechanism
Rule 10Technical or procedural verification of parental consent
Prohibited Processing Declaration
Section 9(2)Explicit statement of processing activities not conducted for children
Purpose Limitation for Children Data
Section 9Restricted purposes for which children data may be processed
Consent Withdrawal by Parent
Section 6(4)How parents can revoke consent
Child Attaining Majority
Section 9How consent transitions when child turns 18
Implementation Steps
Assess whether your services may be used by individuals under 18
Implement age verification at account creation or data collection
Design parental consent flow triggered for identified minors
Select appropriate consent verification method based on processing risk
Build consent records including verification method used
Implement processing restrictions for children data
Disable prohibited features like behavioral tracking for child accounts
Create process for consent refresh when child turns 18
Frequently Asked Questions
Need This Document Drafted?
Understanding the requirement is the first step. Having it implemented correctly is what protects your organization. Our team drafts DPDPA-compliant documents tailored to your specific operations.
Get in Touch