AMLEGALS
Children's Data Protection Under the DPDPA — AMLEGALS DPDPA Advisory
Vulnerable Data Principals

Children's Data Protection Under the DPDPA

How Section 9 and Rules 10 to 12 create a heightened compliance obligation for organisations processing data of individuals below 18 years.

Section 9: Primary Children's Provision
< 18 Years: Age Threshold
Rule 10-12: Operational Rules
₹200 Cr: Maximum Penalty (Schedule)

Executive Summary

The DPDPA establishes children as a protected category, imposing obligations that go beyond standard Data Fiduciary duties.

Section 9 of the DPDPA creates a separate compliance layer for processing personal data of children, defined as individuals below 18 years. Before processing a child's data, the Data Fiduciary must obtain verifiable consent from the parent or lawful guardian. The Act prohibits tracking, behavioural monitoring, and targeted advertising directed at children. Rules 10 to 12 operationalise these provisions by prescribing the mechanics of age verification and parental consent, while also providing exemptions for prescribed categories of Data Fiduciaries.

01

Why Children's Data Requires a Separate Compliance Architecture

The prohibitions on tracking, behavioural monitoring, and targeted advertising fundamentally change how platforms must operate when children are among their users.

The DPDPA's children's data provisions affect a wide range of organisations: educational technology platforms, gaming companies, social media services, healthcare providers treating minors, and any consumer-facing business whose user base includes individuals under 18. The requirement for verifiable parental consent means that standard consent mechanisms, such as click-through agreements, are insufficient.

The prohibition on tracking and behavioural monitoring under Section 9(3) has architectural implications. Platforms that serve both adults and children must implement age-gating mechanisms and ensure that their analytics, recommendation, and advertising systems can exclude users identified as children. This is not a policy change. It is a systems engineering requirement. Rule 12 provides specific exemptions for prescribed categories of Data Fiduciaries, but the burden of demonstrating eligibility for these exemptions rests with the organisation.

02

Children's Data Compliance Framework

Six core requirements that organisations processing children's data must operationalise under Section 9 and Rules 10 to 12.

Verifiable Parental Consent

Section 9(1) | Rule 10

Consent for processing a child's data must be obtained from the parent or lawful guardian, verified through mechanisms that provide reasonable assurance of the consenting individual's identity and parental authority.

Tracking and Monitoring Prohibition

Section 9(3)

Data Fiduciaries must not track, conduct behavioural monitoring of, or direct targeted advertising at children. This prohibition applies subject to Rule 12 exemptions for prescribed categories of Data Fiduciaries.

Age Verification

Rule 10

Organisations must implement mechanisms to determine whether a Data Principal is a child. Age verification must be proportionate and effective, balancing accuracy with the privacy of the verification process itself.

Detrimental Processing Prohibition

Section 9(2)

No processing of a child's personal data may be undertaken if it is likely to cause any detrimental effect on the well-being of the child. This requires proactive risk assessment of processing activities.

Ed-Tech and Gaming Compliance

Section 9 | Rule 12

Educational technology platforms and gaming companies must redesign their data collection, analytics, and advertising systems to comply with children's data restrictions or demonstrate eligibility for Rule 12 exemptions.

Exemption Documentation

Rule 12

Organisations claiming exemptions under Rule 12 must maintain documentary evidence of their eligibility, including the basis for their classification as a prescribed category of Data Fiduciary.

03

The Architecture of Age-Gating and Consent Verification

Age verification and parental consent verification are not solved problems. Every mechanism involves trade-offs between accuracy, user experience, and the privacy of the verification process itself. Organisations must design systems that are proportionate to the risk, effective at identifying children, and capable of demonstrating compliance under audit. The DPDPA does not prescribe specific technical methods, which means organisations bear the responsibility of selecting and defending their chosen approach.

Age-Gating Implementation: Deploy age verification at registration or first data collection, with fallback mechanisms for edge cases.
Parental Consent Workflow: Build a verified parental consent flow that provides reasonable assurance of identity and authority.
Analytics Exclusion Architecture: Ensure tracking, behavioural monitoring, and ad targeting systems exclude identified child users.
Rule 12 Exemption Audit: Document and maintain evidence supporting eligibility for prescribed category exemptions.

"The DPDPA treats children as India's most vulnerable data principals. Organisations that fail to build compliance infrastructure for this category face both regulatory penalties and reputational consequences that extend beyond the statutory framework."

04

Frequently Asked Questions

Concise, statutory-referenced answers to the most common compliance questions on this topic.

What is the age threshold for children under the DPDPA?

Under the DPDPA, a child is defined as an individual who has not completed 18 years of age. This applies uniformly across all sectors and types of data processing. Organisations must implement mechanisms to verify age and obtain verifiable parental consent before processing a child's personal data.

Can ed-tech platforms continue to collect student data under the DPDPA?

Yes, but with significant restrictions. Ed-tech platforms must obtain verifiable parental consent before processing student data. They are prohibited from tracking, behavioural monitoring, and targeted advertising directed at child users. Rule 12 provides exemptions for prescribed categories of Data Fiduciaries, and eligible ed-tech platforms must document their basis for claiming these exemptions.

What constitutes verifiable parental consent?

The DPDPA requires that consent from a parent or lawful guardian be verifiable, meaning the Data Fiduciary must have reasonable assurance that the individual providing consent is indeed the child's parent or guardian. The Act does not prescribe specific verification methods, allowing organisations to implement mechanisms proportionate to the risk and context of their processing activities.

Are there exemptions to the children's data restrictions?

Rule 12 of the DPDP Rules, 2025 provides exemptions for prescribed categories of Data Fiduciaries from certain children's data restrictions, including the prohibition on tracking and behavioural monitoring. However, the exemptions are narrow, and organisations must maintain documentation supporting their eligibility for these categories.

Request the Brief

Get the Children's Data Compliance Brief

This brief provides a structured framework for operationalising children's data protections across technology platforms, educational services, and consumer-facing businesses.

Age verification implementation options and trade-off analysis
Parental consent workflow architecture for digital platforms
Analytics and advertising exclusion system requirements
Rule 12 exemption eligibility assessment and documentation guide

Next Steps

From Awareness to Implementation

Understanding the requirement is the first step. Building the operational infrastructure to meet it, under scrutiny, is the work that follows.