Consent & Obligations
How the DPDP Act Protects Children's Data
The DPDP Act treats anyone under 18 as a child. Processing a child's personal data requires verifiable consent from a parent or lawful guardian, and the Act bans tracking, behavioural monitoring, and targeted advertising directed at children. Limited exemptions exist for healthcare, education, and child safety under the DPDP Rules 2025.
How Is Children's Data Protected?
Section 9 of the DPDP Act 2023; Rules 10–12 of the DPDP Rules 2025
A child is anyone under 18. Processing a child's data requires verifiable parental consent. Tracking, behavioural monitoring, and targeted advertising directed at children are prohibited — with specific exemptions for healthcare, education, and government functions.
Section 9 establishes a protective regime for children's personal data. Under the Act, a child is any person under the age of 18.
Verifiable parental consent is required. Before processing a child's personal data, the Data Fiduciary must obtain verifiable consent from the child's parent. Rule 10 specifies how this verification works: the parent's identity and age must be confirmed using reliable details, which may come from the Data Fiduciary's own records, details voluntarily provided by the parent, or verification through an authorised entity such as Digital Locker.
For persons with disability, Rule 11 requires that the Data Fiduciary verify the identity of a lawful guardian who has been appointed by a court or a designated authority.
Harm prevention. Section 9(2) prohibits processing of data that is likely to cause a detrimental effect on a child's well-being. This is a broad standard — it applies regardless of the type of data or the purpose of processing.
Tracking and advertising ban. Section 9(3) prohibits three specific activities in relation to children: tracking, behavioural monitoring, and targeted advertising. This means a Data Fiduciary cannot use a child's data to build a behavioural profile, monitor their online activity for commercial purposes, or serve them personalised advertisements.
Exemptions exist. Sections 9(4) and 9(5) allow the Central Government to grant exemptions. The requirement for verifiable parental consent and the tracking and advertising ban may be relaxed for prescribed classes of Data Fiduciaries or for prescribed purposes. Additionally, the Central Government may lower the age threshold below 18 for specific Data Fiduciaries that process children's data in a verifiably safe manner.
Rule 12 lists the specific exemptions currently in place. The following categories are exempt from the child-specific provisions: clinical establishments, mental health professionals, and allied health professionals (for healthcare purposes); educational institutions (for tracking student progress and ensuring safety); childcare centres; and child transport services. Exempt purposes include: government functions that benefit children, State provision of subsidies, creation of email accounts, restricting access to harmful content, and age verification processes.
Key Points
- A child is defined as any person under 18 years of age.
- Verifiable parental consent is required before processing a child's data.
- Verification uses reliable identity and age details — from own records, voluntary provision, or an authorised entity like Digital Locker.
- For persons with disability, a lawful guardian appointed by a court or designated authority must be verified.
- Processing likely to cause a detrimental effect on a child's well-being is prohibited.
- Tracking, behavioural monitoring, and targeted advertising directed at children are banned.
- The Central Government may exempt specific Data Fiduciaries or purposes from the parental consent and tracking rules.
- The Central Government may lower the age threshold below 18 for Data Fiduciaries that process children's data in a verifiably safe manner.
- Current exemptions (Rule 12): healthcare providers, educational institutions, childcare centres, child transport services, government functions for children, email account creation, content restriction, and age verification.
Not sure if you meet these requirements?
Take the free DPDP Readiness Assessment to get an instant compliance score and a detailed gap analysis report.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. It is a plain-English interpretation of the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. The official gazette text is the only authoritative source. Consult qualified legal counsel before making compliance decisions.