Processing Children's Data Under DPDPA

Section 9 imposes heightened obligations when processing personal data of children under 18 years. This includes age verification requirements, verifiable parental consent protocols, and restrictions on tracking, behavioural monitoring, and targeted advertising. Rule 12 of the DPDP Rules, 2025 provides specific exemptions from certain obligations. This article examines the compliance framework for platforms serving younger demographics.

Before processing commences, organisations must determine whether the data principal is a child. Rule 10 requires reasonable efforts to verify age. Methods include date of birth declarations, integration with identity verification systems, and age estimation technologies. The verification method must be proportionate to risk and documented for regulatory review.

Section 9(1) requires verifiable consent from the parent—a standard higher than ordinary consent. Verification may involve direct communication with parent via authenticated channel, confirmation through government identity systems, or other mechanisms reasonably establishing parental identity and consent. Simple checkbox declarations are insufficient.

Section 9(3) prohibits tracking, behavioural monitoring, and targeted advertising directed at children. These restrictions apply subject to Rule 12 of the DPDP Rules, 2025, which provides specific exemptions from certain obligations for prescribed categories of Data Fiduciaries. A social media platform cannot obtain parental permission to serve behavioural advertisements to a 16-year-old user unless a Rule 12 exemption applies.

Section 9(4) empowers Central Government to exempt certain Data Fiduciaries from parental consent requirements where processing is verifiably safe. Educational platforms and healthcare services may receive exemptions. Organisations should monitor notifications and assess eligibility for exemption pathways relevant to their operations.