top of page

How to Protect Children’s Data under DPDPA Act

Feb 255 min read

In today’s digital world, children are more connected than ever, but this also means their personal data is constantly being collected. The Digital Personal Data Protection Act, 2023 (DPDPA) steps in to set stricter rules, ensuring their privacy isn’t left unguarded.


Rooted in the right to privacy, as affirmed by the Supreme Court in the Puttaswamy Judgements, the Act recognizes that control over personal data is fundamental to individual autonomy. For children, whose online presence is growing rapidly, the law takes a strict consent-based approach to data protection. This raises crucial questions—who is considered a child under the Act? Who has the authority to consent on their behalf? What restrictions apply to processing their data?


DPDPA's Framework for Children's Data Protection


Under the DPDPA, a child is defined as any individual under 18 years of age. This threshold is higher than some global counterparts, such as the EU’s GDPR (which allows country-specific age thresholds between 13-16) and the US COPPA (which applies to children under 13).

Key provisions of the DPDPA regarding children include:

  • Section 9: Processing of Children's Data

    • The Act mandates verifiable parental consent before processing any personal data of children under 18 years.

    • Strict prohibitions are placed on tracking, behavioral monitoring, and targeted advertising related to children.

  • Section 10: Duty of Data Fiduciaries Processing Children's Data

    • Entities processing children's data must ensure it does not cause harm to children.

    • Government-recognized “verifiably safe” data fiduciaries may be exempted, though criteria remain unclear.

  • Section 12: Exemptions for Certain Entities

    • Some government-approved entities, educational institutions, or healthcare providers may process children's data without explicit parental consent if it serves the child's welfare.

  • Section 15: Penalties for Non-Compliance

    • Violations related to children's data processing could result in hefty financial penalties (up to ₹250 crores).

    • The Data Protection Board of India (DPBI) has the authority to enforce penalties and issue guidelines.


However, the absence of detailed implementation guidelines poses practical challenges, especially in verifying parental consent and defining what constitutes harmful processing.


Verifiable Parental Consent


The DPDPA mandates parental consent, but does not specify how to verify it, leaving businesses with uncertainties. In the absence of clarity, global best practices provide useful reference points:


Global Standards for Parental Consent Verification

  • GDPR:

    • Encourages a risk-based approach to consent verification.

    • Low-risk processing can rely on parental email confirmation.

    • High-risk cases may require ID-based verification or live parental interactions.

  • COPPA (US Law):

    • Accepts consent verification via government-issued ID upload, credit card transactions, or signed consent forms.

    • Allows phone or video calls with trained personnel to confirm identity.


For Indian businesses, these practices offer interim solutions until the Data Protection Board of India (DPBI) issues clearer guidelines. Adopting AI-driven identity verification tools or multi-step authentication can also enhance accuracy.


Prohibited Data Practices and Their Real-World Impact


Businesses handling children's data, knowing the Act’s restrictions is important for building effective compliance strategies.


Tracking and Behavioral Monitoring

Many apps and platforms collect user data to optimize experiences. However, under DPDPA, tracking children's online behavior (including location tracking or usage patterns) is strictly forbidden.

Example: An ed-tech platform offering free study materials might analyze browsing habits to recommend personalized courses. Under the DPDPA, such tracking would require strong safeguards to ensure compliance.


Targeted Advertising

The Act bans advertisements targeted specifically at children. This is significant because many social media platforms and gaming apps thrive on targeted ads tailored to younger audiences.

Example: A gaming app displaying personalized toy advertisements based on a child's behavior would violate the Act, necessitating fundamental shifts in marketing strategies.


Processing That Harms a Child’s Well-being

The DPDPA prohibits data processing that may have an adverse impact on children, though the specifics remain vague.

Potential Interpretations:

  • Encouraging addictive behavior (e.g., infinite scrolling features in apps)

  • Exposure to inappropriate content due to algorithmic recommendations

  • Collecting excessive personal data that could lead to cyber risks

Businesses must conduct a risk impact assessment to ensure their data practices align with child safety norms.


Exemptions and Special Considerations


While the DPDPA imposes strict requirements, certain exemptions exist:

  • Government Recognized "Safe" Data Fiduciaries: The Indian government may grant exemptions to businesses deemed to process children's data in a "verifiably safe manner". However, the criteria for this classification remain unclear.

  • Healthcare and Educational Institutions: Processing children’s data without parental consent may be allowed for essential services such as medical care or school admissions.

For now, companies should assume full compliance until clearer exemptions are officially published.


Strategies for Compliance


To align with the DPDPA and protect children's data effectively, businesses should consider the following steps:

  1. Develop Comprehensive Data Protection Policies: Craft policies that specifically address the processing of children's data, ensuring they encompass consent mechanisms, data minimization principles, and clear guidelines on prohibited activities.

  2. Implement Age Verification Mechanisms: Utilize methods such as date of birth declarations, supplemented by AI-driven tools that assess user behavior for age estimation. While innovative, these tools must be used responsibly to avoid privacy infringements.

  3. Design Child-Friendly Interfaces: Ensure that privacy notices and consent requests are presented in simple, age-appropriate language. Visual aids and interactive elements can enhance understanding and engagement.

  4. Conduct Regular Data Protection Impact Assessments (DPIAs): Evaluate processing activities to identify potential risks to children's data and implement measures to mitigate them. Regular assessments help in adapting to evolving threats and maintaining compliance.

  5. Stay Informed on Regulatory Updates: The data protection landscape is dynamic. Regularly monitoring updates from the Data Protection Board of India and other relevant authorities ensures that businesses remain compliant with the latest standards and practices.


The Role of the Data Protection Board of India


Established under the DPDPA, the Data Protection Board of India serves as the adjudicating body for disputes related to personal data breaches. While its primary function is to resolve conflicts between data principals (individuals) and data fiduciaries (organizations), it also plays a crucial role in:

  • Issuing Guidelines: Providing clarity on ambiguous provisions within the Act, such as the methods for obtaining verifiable parental consent and defining the scope of targeted advertising.

  • Enforcing Compliance: Monitoring adherence to the Act's provisions and imposing penalties for violations, thereby ensuring that children's data is handled with the utmost care and responsibility.


Conclusion


With the enactment of the DPDPA, India has taken a strong stance on protecting children’s data. However, compliance is not just about following the law—it’s about building trust with parents and young users alike. Businesses must go beyond regulatory mandates and proactively adopt ethical data practices.


As global standards evolve, India’s framework will likely undergo further refinements. Until then, implementing best practices, staying vigilant about legal developments, and prioritizing child safety will be crucial for organizations operating in the digital space. The future of India’s Digital Nagariks depends on how well we protect their rights today.


Worked Cited


  1. https://spiceroutelegal.com/data-protection/indias-new-digital-personal-data-protection-act-processing-personal-data-of-children/#:~:text=II.,lawful%20guardian%20of%20such%20child.

  2. https://www.medianama.com/2025/01/223-data-protection-rules-2025-children-data-india/

  3. https://ssrana.in/articles/safeguarding-childrens-data-under-dpdp-law/?utm_source=mondaq&utm_medium=syndication&utm_content=articleoriginal&utm_campaign=article#_ftn1

  4. https://www.cookieyes.com/blog/india-digital-personal-data-protection-act-dpdpa/

  5. https://fpf.org/wp-content/uploads/2023/11/Verifiably-safe-processing-of-childrens-personal-data-under-the-DPDPA-2023-A-Catalogue-of-Measures2.pdf

  6. https://indiankanoon.org/doc/127517806/

  7. https://jgu.edu.in/child-rights-clinic/implications-on-the-data-of-children-after-the-enactment-of-digital-personal-data-protection-act-2023/

  8. https://corporate.cyrilamarchandblogs.com/2023/08/children-and-consent-under-the-data-protection-act-a-study-in-evolution/

  9. https://legal.economictimes.indiatimes.com/news/law-policy/is-indias-draft-data-protection-rules-enough-to-safeguard-childrens-privacy/116971400#:~:text=The%20DPDP%20Act%20states%2C%20%22child,ascertaining%20the%20validity%20of%20consent.

  10. https://law.asia/indias-data-protection-law-children/#:~:text=The%20DPDPA%20prohibits%20data%20fiduciaries,targeted%20advertising%20directed%20at%20children.


コメント

BharatLaw.AI is revolutionising the way lawyers research cases. We have built a fantastic platform that can help you save up to 90% of your time in your research. Signup is free, and we have a free forever plan that you can use to organise your research. Give it a try.

bottom of page