Executive Summary
The DPDP Act provides enhanced protection for children's personal data, recognizing their vulnerability and limited capacity to consent:
- Age threshold: Below 18 years
- Parental consent: Verifiable consent required
- Prohibited processing: Tracking, behavioral monitoring banned
- Verification obligation: Age and guardian verification
- Exemptions: Limited educational and safety exceptions
- Penalties: Highest penalty category (Rs. 200 crores)
This guide examines children's data protection requirements and compliance strategies.
1. Statutory Framework
Section 9 - Processing of Children's Data
Key provisions:
| Requirement | Specification |
|---|---|
| Parental consent | Before any processing |
| Verification | Of age and guardian |
| Prohibited activities | Behavioral monitoring |
| Harm prevention | No detrimental processing |
Definition of Child
| Aspect | Provision |
|---|---|
| Age | Below 18 years |
| No tiered approach | Unlike GDPR (16 years) |
| Uniform standard | Applies to all children |
2. Parental Consent Requirements
Verifiable Parental Consent
| Element | Requirement |
|---|---|
| Parent/guardian | Legal guardian's consent |
| Verification | Identity confirmation |
| Before processing | Prior to data collection |
| Free and informed | Same standards as adult |
Verification Methods
| Method | Suitability |
|---|---|
| Parent account | High assurance |
| Credit card | Moderate assurance |
| Video verification | High assurance |
| Knowledge-based | May be insufficient |
| Government ID | High assurance |
Consent Records
| Record | Retention |
|---|---|
| Consent form | Throughout processing |
| Verification evidence | With consent record |
| Parent details | Contact information |
| Date and method | Consent mechanism used |
3. Prohibited Processing
Behavioral Monitoring Ban
| Activity | Status |
|---|---|
| Tracking | Prohibited |
| Behavioral advertising | Banned |
| Profiling | Not permitted |
| Automated decisions | Restricted |
What is Covered
| Example | Prohibition |
|---|---|
| Cookie tracking | For behavioral ads |
| Location tracking | For profiling |
| Usage patterns | For targeted content |
| Preference analysis | For personalization |
Exceptions
| Exception | Scope |
|---|---|
| Safety purposes | Child protection |
| Educational | Learning platforms |
| Medical | Healthcare services |
4. Age Verification
Verification Obligation
| Requirement | Implementation |
|---|---|
| Age check | Before processing |
| Method | Reasonable measures |
| Documentation | Verification records |
| Periodic review | Age changes |
Verification Approaches
| Approach | Application |
|---|---|
| Self-declaration | Low-risk services |
| Parent confirmation | Moderate risk |
| ID verification | Higher risk |
| Neutral age estimation | Technical solutions |
5. Harm Prevention
Detrimental Effect Standard
| Consideration | Assessment |
|---|---|
| Physical harm | Safety risks |
| Mental harm | Psychological impact |
| Wellbeing | Overall welfare |
| Development | Age-appropriate |
Design Considerations
| Principle | Implementation |
|---|---|
| Age-appropriate | Content and features |
| Safety by design | Built-in protections |
| Minimal data | Only necessary collection |
| Limited retention | Shorter periods |
Child-Focused Services
| Service Type | Requirements |
|---|---|
| Educational apps | Parental consent + safety |
| Gaming platforms | Age verification + consent |
| Social media | Enhanced safeguards |
| E-commerce | Purchase restrictions |
Safety Features
| Feature | Purpose |
|---|---|
| Parental controls | Guardian oversight |
| Privacy settings | Default to restrictive |
| Contact restrictions | Limit stranger contact |
| Content filters | Age-appropriate content |
7. Exemptions
Educational Exception
| Permitted | Conditions |
|---|---|
| School platforms | Educational purposes |
| Learning apps | Curriculum-related |
| Assessment tools | Academic evaluation |
Safety Exception
| Permitted | Conditions |
|---|---|
| Emergency contact | Safety situations |
| Location sharing | Parent monitoring |
| Harm prevention | Child protection |
8. Penalty Framework
Enhanced Penalties
| Violation | Maximum Penalty |
|---|---|
| Children's data breach | Rs. 200 crores |
| Consent violations | Rs. 200 crores |
| Prohibited processing | Rs. 200 crores |
Enforcement Priority
| Factor | Weight |
|---|---|
| Vulnerability | High priority |
| Scale | Number of children affected |
| Harm | Actual detriment caused |
| Intent | Deliberate violations |
9. Implementation Strategies
Technical Measures
| Measure | Implementation |
|---|---|
| Age gates | At registration/access |
| Consent workflows | Parent verification |
| Data segregation | Separate children's data |
| Access controls | Limited staff access |
Organizational Measures
| Measure | Implementation |
|---|---|
| Policies | Children's data handling |
| Training | Staff awareness |
| Audits | Compliance verification |
| Incident response | Children-specific protocols |
10. Global Comparison
India vs. Other Jurisdictions
| Aspect | India (DPDP) | US (COPPA) | EU (GDPR) |
|---|---|---|---|
| Age | 18 | 13 | 16 (variable) |
| Consent | Parental | Parental | Varies by age |
| Tracking | Banned | Regulated | Restricted |
| Penalties | Rs. 200 Cr | $50,000/violation | 4% turnover |
11. Compliance Checklist
Pre-Launch
Ongoing Operations
12. Key Takeaways for Practitioners
High Bar: 18-year threshold is higher than most jurisdictions.
Verifiable Consent: Parental consent must be genuinely verified.
Behavioral Ads Banned: No tracking or profiling of children.
Highest Penalties: Rs. 200 crore maximum for violations.
Design for Safety: Build protections into platform design.
Document Everything: Consent and verification records essential.
Exemptions are Narrow: Educational and safety purposes only.
Conclusion
Children's data protection under DPDP requires comprehensive safeguards reflecting children's vulnerability. The prohibition on behavioral monitoring and high penalty framework demonstrate regulatory priority. Organizations processing children's data must implement robust age verification, parental consent mechanisms, and safety-by-design principles.