👶 Processing Children's Data under DPDP
The DPDP Act defines a 'child' as any individual under 18 years of age — higher than GDPR's default of 16. Given India's young population demographics (approximately 40% of the population is under 18), this provision has massive implications. Sections 9 of the Act imposes strict requirements for processing children's data, with penalties of up to Rs 200 Crore for non-compliance.
Key Requirements
Obtain verifiable parental consent before processing any child's personal data
Section 9(1)Implement age verification at the point of data collection. When a user is identified as under 18, trigger a parental consent workflow: collect the parent's details, verify the parent's identity (using Aadhaar-based verification, DigiLocker, or other prescribed methods), and obtain their explicit consent before processing the child's data.
💡 You cannot just ask 'Are you over 18?' with a Yes/No button — that is not verifiable. You need a mechanism to confirm the parent's identity. Watch the Rules for prescribed verification methods.
Do not track, behaviourally monitor, or target advertisements at children
Section 9(3)For all users identified as under 18: disable behavioural tracking pixels and cookies, exclude from behavioural analytics pipelines, disable targeted/personalized advertising, remove from remarketing audiences, and disable any profiling or scoring systems.
💡 This means no Google Analytics tracking, no Facebook Pixel, no personalised ad serving for child users. Switch to contextual advertising only. This is a strict prohibition with no exceptions.
Do not process children's data in a manner detrimental to their well-being
Section 9(4)Conduct a child impact assessment for all processing involving children's data. Evaluate whether any processing could harm the child's physical safety, mental health, social development, or educational outcomes. If harm is possible, do not process.
💡 Think about it from the child's perspective: Could this processing embarrass them? Put them at risk? Manipulate them? If the answer to any of these is 'maybe,' do not do it.
Parental consent required for persons with disabilities acting through lawful guardians
Section 9(1)Extend the verifiable consent mechanism to cover lawful guardians of persons with disabilities. The guardian must be verified in the same way as a parent.
💡 The DPDP Act treats guardians of persons with disabilities similarly to parents of children. Your consent workflow should accommodate both scenarios.
Central Government may exempt certain Data Fiduciaries from children's data provisions
Section 9(5)Monitor government notifications for any exemptions. Even if exempt from some requirements, maintain high standards for children's data protection as a best practice.
💡 Some companies (e.g., those providing verified safe services for children) may get exemptions. But do not build your compliance plan around hoped-for exemptions — prepare for full compliance.
❌ Prohibited Activities
- ❌ Tracking children's online behaviour across websites or apps
- ❌ Building behavioural profiles of children
- ❌ Serving targeted or personalised advertisements to children
- ❌ Processing that could cause detrimental effects on a child's well-being
- ❌ Collecting children's data without verifiable parental consent
- ❌ Using children's data for purposes beyond what the parent consented to
- ❌ Selling or sharing children's data with third parties for advertising purposes