AMLEGALS
Children's Data Under DPDPA
Section 9 — Children's Data

Section 9 obligations for processing children's personal data. Age verification, verifiable parental consent, prohibited activities, and Rules 10-12 compliance.

Section 9 | Rules 10-12 | Age Verification | Parental Consent
01 — Definition

Children's Data Protection Under DPDPA

Counsel-led DPDPA advisory — 27+ years of regulatory practice across 10 offices

Section 9 of the DPDPA establishes enhanced protections for children's personal data. Before processing personal data of a child, the Data Fiduciary must obtain verifiable consent of the parent or lawful guardian. The section also prohibits tracking, behavioural monitoring, and targeted advertising directed at children.

Rules 10-12 of the DPDP Rules, 2025 prescribe operational details for age verification, verifiable parental consent mechanisms, and exemptions for prescribed categories of Data Fiduciaries. Section 9(3) prohibitions apply subject to Rule 12 exemptions.

Primary provision: Section 9
Operational detail: Rules 10-12
Penalty (Schedule): Rs 200 Cr
Prohibited: Tracking & targeted ads
02 — Legal Obligation

Children's Data Obligations

Data Fiduciaries processing children's data must satisfy all of the following:

Age Verification

Section 9(1), Rule 10

Reliable mechanisms to determine whether a Data Principal is a child before processing commences.

Verifiable Parental Consent

Section 9(1), Rule 11

Obtaining consent from the parent or lawful guardian through verifiable means before any processing.

Prohibited Processing

Section 9(3)

No tracking, behavioural monitoring, or targeted advertising directed at children. Subject to Rule 12 exemptions.

Processing Restrictions

Section 9(2)

Processing must not cause detrimental effect on the well-being of the child.

Rule 12 Exemptions

Rule 12

Prescribed categories of Data Fiduciaries may be exempted from certain Section 9 requirements under Rule 12.

Enhanced Safeguards

Section 8(1)

Heightened security safeguards proportionate to the sensitivity of children's data.

03 — Business Risk

Children's Data Compliance Risk

Contravention of children's data obligations carries heightened regulatory consequences:

Heightened Penalties

The Schedule prescribes penalties up to Rs 200 crore for breach of Section 9 obligations. This reflects the Act's emphasis on protecting children.

Age Verification Failure

If age verification mechanisms are inadequate, processing may occur without proper parental consent, rendering the entire processing basis unlawful.

Tracking Violations

Tracking, behavioural monitoring, and targeted advertising directed at children violate Section 9(3). Ad-tech and ed-tech platforms face particular exposure.

Reputational Risk

Regulatory action involving children's data attracts heightened public and media scrutiny. The reputational damage compounds financial penalties.

04 — AMLEGALS Capability

AMLEGALS Children's Data Advisory

Comprehensive advisory on Section 9 compliance for organisations processing children's data:

Structured Compliance Methodology

Counsel-led implementation with evidence-ready artefact production

01

Age Verification Design

Designing reliable age verification mechanisms that satisfy Rule 10 requirements while maintaining user experience.

Rule 10 | Age Gate
02

Parental Consent Architecture

Building verifiable parental consent workflows per Rule 11 requirements with complete audit trail.

Rule 11 | Consent
03

Processing Restriction Audit

Auditing processing activities against Section 9(3) prohibitions on tracking, behavioural monitoring, and targeted advertising.

Section 9(3) | Audit
04

Rule 12 Assessment

Evaluating eligibility for Rule 12 exemptions and documenting the basis for any exemption claimed.

Rule 12 | Exemptions
05

Ed-Tech Compliance

Specialised advisory for educational technology platforms processing children's data in learning contexts.

Ed-Tech | Learning
06

Policy Development

Children's data protection policies, age-appropriate privacy notices, and parental communication frameworks.

Policy | Notices
05 — Control Matrix

Obligation-Control-Evidence Matrix

| Obligation | Section/Rule | Control | Evidence | Risk |
| --- | --- | --- | --- | --- |
| Age Verification | Rule 10 | Technical age gate mechanism | Age check logs, mechanism design | Unlawful processing of children's data |
| Parental Consent | Rule 11 | Verifiable consent workflow | Consent records, verification logs | Invalid consent basis |
| Tracking Prohibition | Section 9(3) | Processing restriction configuration | Configuration records, audit logs | Up to Rs 200 Cr |
| Detrimental Processing | Section 9(2) | Impact assessment for children | Assessment reports | Processing causing harm |
| Rule 12 Exemption | Rule 12 | Eligibility documentation | Exemption basis records | Invalid exemption claim |
| Enhanced Security | Section 8(1) | Heightened safeguards | Security assessment | Inadequate protection |

06 — Frequently Asked Questions

Common Questions

Insights & Answers

What practitioners and boards are asking

What special protections exist for children's data under DPDPA?

Section 9 imposes enhanced obligations for processing children's data (below 18 years): verifiable parental consent before any processing, prohibition on tracking, behavioural monitoring, and targeted advertising directed at children, and prohibition on processing that could cause detrimental effect to the child's well-being. Rules 10-12 prescribe detailed operational requirements.

How does DPDPA define a child and what exemptions exist?

A child is defined as an individual below 18 years of age under Section 2(f). The Central Government may, by notification, lower the age threshold for certain Data Fiduciaries or classes of Fiduciaries. Rules 10-12 specify verification mechanisms and provide limited exemptions for processing that is demonstrably in the child's interest, with strict operational guardrails.