Regulation of Children’s Data under DPDP Act

Regulation of Children’s Data under DPDP Act

India’s Digital Personal Data Protection Act, 2023 (DPDP Act) [1] introduced a remarkable new law that regulates the handling of digital personal data comprehensively. Even though the Act is built on a rights-based principle, children’s data is more protected than that of the other categories of individuals since they are more vulnerable and have a smaller ability to give meaningful consent. The obligations established by this Act in the above-mentioned context are discussed ahead.

Statutory Scope and the Child-Centric Framework

The DPDP Act, as per S.2(f), characterises a child as “an individual who is not yet eighteen years old”. This is in accordance with Indian legal frameworks like the Juvenile Justice Act and the Indian Majority Act but goes against the trend of most international privacy laws like the GDPR [2], which allows some digital consent at ages 13-16, depending on the country.

The Act applies to all data fiduciaries that deal with children’s personal data, regardless of their location, as long as the data is about individuals in India [3]. The law highlights the need for informed consent, accountability, and the prevention of harm; thus, children are granted extra protection. Apart from restrictions on tracking, behavioural monitoring, and advertising targeting minors, these extra protections also include limitations on such activities directed at children.

Verifiable Parental Consent

The Act necessitates that data fiduciaries get the verifiable consent of a parent or legal guardian before they can process any personal data of a child [4]. The term “verifiable” consent sets apart a simple parent’s statement from proof that can be objectively confirmed. This consent is needed unless the processing relates to essential services such as healthcare, education, or real-time safety [5].

The Act, similarly to the Draft [6], still requires a parent or legal guardian (“Parent”) to give verifiable consent for every processing of a child’s personal data [7], with the way of verification to be specified in the rules (“Consent”) [8]. Nevertheless, it extends this obligation by making it a requirement for Data Fiduciaries [9] to obtain such verifiable consent not just for children but also before processing the personal data of persons with disabilities who have a guardian appointed.

The industry viewpoints propose that the Act should differentiate between high-risk processing (e.g. profiling for social media purposes) and low-risk processing (e.g. providing necessary educational services) so that proportional requirements can be applied. Nevertheless, the DPDP regime remains strict and uniform across all sectors as it has one precautionary compliance threshold.

Age-Verification Mechanisms and Implications

The Data Protection Act enforces Data Fiduciaries to ascertain the age of the child before obtaining the parent’s consent, and the Draft Rules offer alternatives like self-declaration along with parental checks, government-ID verification, third-party verification services, and AI-based inference tools.

Each method has advantages and disadvantages. Self-declaration is inexpensive but unreliable; ID-based verification increases accuracy but also raises concerns about excessive data collection and dependence on digital IDs; centralised third-party systems raise security risks in case of a data breach; and AI-based estimation tools are subject to variability and bias issues.

Such verification requirements could have a negative effect on the ability of teenagers to express themselves freely and maintain anonymity. While international regimes such as the UK’s Age-Appropriate Design Code and the EU’s GDPR highlight the importance of flexibility and data minimisation, India chooses a more stringent KYC-style compliance approach.

Exemptions and the Limits of Parental Consent

The DPDP Act provides certain processing exemptions that are crucial in contexts where delays in obtaining parental consent could impede essential services. The Act also prohibits tracking, monitoring of behaviour, and advertising tailored to children [10].

While this is consistent with global best practices, it also creates operational difficulties for platforms that rely on personalisation to deliver adaptive learning content. The major challenge the Act poses is the lack of a digital guardianship system, thereby creating difficulty in identifying the proper consent-giver.

Enforcement, Penalties, and Compliance Best Practices

The Data Protection Board of India (DPB) has been given the authority to execute the Act, issue orders, and impose heavy fines. The most serious violations involving children’s data may attract severe penalties, including bans on processing, removal of illegally collected data, or mandatory changes in internal policies.

The Draft Rules also call for privacy-by-design, meaning that products must have built-in safeguards from the very beginning of development. While companies are grappling with operational uncertainty, industry bodies have urged the government to clarify acceptable verification methods, certify third-party verifiers, and provide simplified compliance pathways for low-risk services.

Conclusion

The DPDP Act is a major step in protecting children’s data. This data protection regime hinges on age-verification and verifiable parental consent mechanisms. While the protective intent of the law is clear, its practical implementation raises serious concerns regarding inclusivity, privacy, and feasibility. India now has the opportunity to build a data governance model that is child-centric, power-respecting, privacy-protective, and innovation-enabling.

References

[1] DPDP Act 2023; Ministry of Electronics and Information Technology (MeitY), 2024; PRS, 2023
[2] Article 8, General Data Protection Regulation, European Union
[3] Section 2, DPDP Act 2023
[4] Section 9, DPDP Act 2023
[5] DPDP Rules, 2025 Notified, A Citizen-Centric Framework for Privacy Protection and Responsible Data Use, November 17, 2025
[6] Section 10(1), Draft 2023
[7] Section 2(t), DPDP Act
[8] Section 9(1), DPDP Act 2023
[9] Section 2(i), DPDP Act
[10] Section 9(5), DPDP Act 2023

Article Written by 
Nimisha Berry
B.B.A LL.B (Hons.) 3rd Year
Narsee Monjee Institute of Management Studies, Chandigarh Campus