
Children's Data Protection Under the DPDP Act 2023

The DPDP Act imposes strict requirements for processing children's personal data. Verifiable parental consent, advertising restrictions, and tracking prohibitions apply to every business serving minors.


The Act Treats Children’s Data as a Distinct Category

The DPDP Act 2023 establishes heightened protections for the personal data of children. Section 9 of the Act creates a separate compliance regime for any business that processes data belonging to individuals under 18 years of age.

These protections are not optional add-ons. They are mandatory requirements with independent penalty exposure. Any business whose products or services are used by minors must implement the full set of children’s data safeguards.

Who Qualifies as a “Child” Under the Act

The DPDP Act defines a child as any individual who has not completed 18 years of age. This is a higher threshold than many international frameworks (the GDPR sets the line at 13-16 years depending on member state, and COPPA in the United States applies to children under 13).

India’s 18-year threshold means the Act covers a significantly larger population. Every EdTech platform serving school students, every gaming application popular with teenagers, and every social media platform with users under 18 falls under these provisions.

The standard consent requirements that apply to adult Data Principals are not sufficient for children. The Act requires verifiable consent from the child’s parent or lawful guardian before any personal data can be processed.

“Verifiable” is the critical word. A simple checkbox stating “I am over 18” does not satisfy this requirement. The Data Fiduciary must implement mechanisms that provide reasonable assurance that the person giving consent is in fact the child’s parent or guardian.

Verifiable consent mechanisms may include:

  • Email verification: Sending a consent request to a parent’s email address and requiring confirmation
  • Identity verification: Requesting government-issued identification from the parent
  • Payment verification: Using a small credit card transaction to confirm parental identity
  • Video verification: Conducting a brief video call with the parent or guardian

The appropriate mechanism depends on the context and risk level. Higher-risk processing (sensitive data, large-scale profiling) demands stronger verification.

Three Absolute Prohibitions

The Act establishes three categories of processing that are prohibited entirely for children’s data, regardless of parental consent:

1. Tracking and Behavioural Monitoring

No Data Fiduciary may track, monitor, or build behavioural profiles of children through automated means. This prohibition targets:

  • Session tracking across websites and applications
  • Behavioural analytics that build individual user profiles
  • Location tracking beyond what is strictly necessary for the service
  • Cross-platform data aggregation for individual profiling

An EdTech platform that tracks a student’s browsing behaviour across its site to build a learning profile must ensure this tracking complies with the Act’s restrictions.

2. Targeted Advertising

Advertising directed specifically at children based on their personal data or behavioural profile is prohibited. This covers:

  • Personalised ad targeting based on a child’s usage patterns
  • Retargeting campaigns following children across platforms
  • Algorithmically selected content designed to increase engagement among minors

General advertising shown to all users (not targeted based on individual data) is not prohibited. The restriction applies to personalisation powered by personal data processing.

3. Processing Detrimental to Well-Being

No processing of a child’s personal data may be undertaken if it could have a detrimental effect on the well-being of the child. This is a broad provision that gives the Data Protection Board significant discretion in enforcement.

“Detrimental effect” is not defined with precision in the Act, leaving room for interpretation through Board decisions and judicial rulings. Businesses should apply a precautionary approach: if a processing activity could reasonably harm a child’s mental health, physical safety, or development, it should not be undertaken.

Age Verification

Compliance with children’s data provisions requires knowing whether a user is a child. This creates an obligation to implement age verification mechanisms.

The Act does not prescribe a specific age verification technology. Options include:

  • Self-declaration with consequences: Asking users to declare their age, with systems that enforce restrictions for declared minors. Self-declaration alone may not constitute “verifiable” assurance.
  • Age estimation technology: AI-powered tools that estimate age from facial analysis or behavioural patterns. These raise their own privacy concerns.
  • Document verification: Requesting age-proving documents (school ID, Aadhaar with date of birth). This is the most reliable but creates friction.
  • Parental account linkage: Requiring children to access services through a parent’s verified account.

The chosen mechanism must balance accuracy against the privacy principle of data minimisation. Collecting extensive verification data to prove a user’s age creates its own compliance burden.

Sectors Most Affected

The children’s data provisions have the greatest impact on:

  • EdTech: Platforms serving school and college students (under 18) must implement full parental consent flows and restrict tracking
  • Gaming: Mobile and online games popular with minors must verify age and obtain parental consent
  • Social media: Any platform with significant under-18 usage faces advertising and tracking restrictions
  • E-commerce: Platforms where minors make purchases or create accounts
  • Healthcare: Paediatric telemedicine and health apps processing children’s health data

Exemptions

The Central Government has the power to exempt certain classes of Data Fiduciaries from specific children’s data provisions. These exemptions are granted through notification and may apply to categories of businesses rather than individual companies.

Until specific exemptions are notified, all Data Fiduciaries processing children’s data must comply with the full set of requirements.

Implementation Checklist

Businesses processing children’s data should implement:

  1. Age gate: A mechanism to identify users under 18 at account creation or first data collection point
  2. Parental consent flow: A verifiable process for obtaining and recording parental or guardian consent
  3. Data segregation: Technical separation of children’s data from adult data to enforce different processing rules
  4. Advertising controls: Systems to exclude children from personalised advertising campaigns
  5. Tracking restrictions: Technical controls preventing behavioural tracking of identified minors
  6. Consent records: Documented proof of parental consent for every child whose data is processed
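One way to combine checklist items 1, 2, 4, 5 and 6 into a single server-side decision point, as an added example (not code from the Act or from this page's publisher). The names `ConsentRecord` and `child_rules_allow`, the purpose labels and the key are hypothetical; the stored consent record is sealed with HMAC-SHA256 so it cannot be edited to cover a different child or a weaker verification method.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import date

ADULT_AGE = 18  # page: a child has not completed 18 years
# Purposes the page lists as barred for children even with consent (labels hypothetical).
PROHIBITED_FOR_CHILDREN = {"behavioural_tracking", "targeted_advertising"}
VERIFIED_METHODS = {"email", "identity_document", "payment", "video_call"}  # no bare checkbox
RECORD_KEY = b"constructed-demo-key"  # placeholder; load from a secret store


@dataclass(frozen=True)
class ConsentRecord:
    child_id: str
    guardian_id: str
    method: str
    granted_on: date
    tag: str = ""  # HMAC over the fields above, set by sealed()

    def _mac(self) -> str:
        fields = [self.child_id, self.guardian_id, self.method, self.granted_on.isoformat()]
        return hmac.new(RECORD_KEY, json.dumps(fields).encode(), hashlib.sha256).hexdigest()

    def sealed(self) -> "ConsentRecord":
        return ConsentRecord(self.child_id, self.guardian_id, self.method, self.granted_on, self._mac())

    def is_valid_for(self, child_id: str) -> bool:
        return (self.child_id == child_id and self.method in VERIFIED_METHODS
                and hmac.compare_digest(self.tag, self._mac()))


def is_child(dob: date, today: date) -> bool:
    # Completed years: the 18th birthday itself counts as completed.
    years = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return years < ADULT_AGE


def child_rules_allow(user_id, dob, purpose, consent, today):
    """Return (allowed, reason) under the children's rules only."""
    if dob is None:
        return False, "age_unknown"  # fail closed until the age gate has run
    if not is_child(dob, today):
        return True, "not_a_child"  # adult consent is checked elsewhere
    if purpose in PROHIBITED_FOR_CHILDREN:
        return False, "prohibited_for_children"  # parental consent cannot unlock this
    if consent is None or not consent.is_valid_for(user_id):
        return False, "no_verifiable_parental_consent"
    return True, "parental_consent"
```

The returned reason string is suitable for writing to an audit log alongside the decision, which supports the consent-record item of the checklist.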

Assess Your Compliance Position

Children’s data protection is one of five compliance areas covered in the DPDP compliance checklist. To understand where your organisation stands, take the free DPDP Gap Assessment. The assessment identifies specific gaps in your children’s data handling and provides a prioritised action list.