Processing Children's Data Under DPDPA

Section 9 imposes heightened obligations when processing personal data of children under 18 years. This includes age verification requirements, verifiable parental consent protocols, and absolute prohibitions on tracking, behavioural monitoring, and targeted advertising. This article examines the compliance framework for platforms serving younger demographics.

Before processing commences, organisations must determine whether the data principal is a child. Rule 10 requires reasonable efforts to verify age. Methods include date of birth declarations, integration with identity verification systems, and age estimation technologies. The verification method must be proportionate to risk and documented for regulatory review.

Section 9(1) requires verifiable consent from the parent—a standard higher than ordinary consent. Verification may involve direct communication with parent via authenticated channel, confirmation through government identity systems, or other mechanisms reasonably establishing parental identity and consent. Simple checkbox declarations are insufficient.

Section 9(3) absolutely prohibits tracking, behavioural monitoring, and targeted advertising directed at children. These prohibitions apply regardless of parental consent obtained. A social media platform cannot obtain parental permission to serve behavioural advertisements to a 16-year-old user. The prohibition is categorical.

Section 9(4) empowers Central Government to exempt certain Data Fiduciaries from parental consent requirements where processing is verifiably safe. Educational platforms and healthcare services may receive exemptions. Organisations should monitor notifications and assess eligibility for exemption pathways relevant to their operations.