Children's Data and EdTech Compliance

DPDPA defines a child as any individual below 18 years of age. This threshold is higher than some international frameworks and has significant implications for services targeting teenagers. Any processing of personal data from individuals under 18 triggers the enhanced requirements of Section 9. For startups, this means age determination becomes essential for compliance. Services that may attract users under 18, whether intentionally or incidentally, must implement mechanisms to identify and appropriately handle children's data.

Section 9(1) requires that before processing children's data, Data Fiduciaries must obtain verifiable consent from the child's parent or lawful guardian. Verifiable consent means that the consent mechanism must provide reasonable assurance that the consenting individual is actually the parent or guardian. This is significantly more demanding than standard consent requirements. Methods may include verification through official identification, credit card verification, knowledge-based verification, or other mechanisms that provide reasonable certainty of parental identity.

Section 9(2) prohibits tracking, behavioral monitoring, and targeted advertising directed at children. This prohibition affects common digital practices including personalized content recommendations, usage analytics tied to individual children, and advertising based on observed behavior. For EdTech startups, this requires careful examination of analytics, recommendation algorithms, and any monetization through advertising. Learning platforms must distinguish between necessary educational functions and prohibited monitoring.

Implementing verifiable parental consent requires knowing who is a child. Age verification presents both technical and user experience challenges. Common approaches include age declaration during registration, age gates at content or feature access points, verification through linked parental accounts, and inference from provided information. No single approach is perfect, and startups must balance accuracy with usability. Where children may access services, age verification should err on the side of protection.

Educational technology platforms face particular challenges under Section 9. Core educational functions require processing student data, but the framework requires parental consent and prohibits monitoring. EdTech startups should differentiate between data processing essential for educational delivery and additional processing that may not be permitted. Assessment and progress tracking for educational purposes may be distinguishable from behavioral monitoring for other purposes. School and parent relationships may facilitate consent mechanisms.

Services involving children should apply Privacy by Design principles with heightened attention. Default settings should maximize protection. Data collection should be strictly limited to what is necessary. Retention should be minimized. Sharing should be restricted. Security should be enhanced. User interfaces should be designed for clarity and safety. When children may be users, the entire product design should reflect their protected status and the organization's heightened responsibilities.