Section 9 of India's Digital Personal Data Protection Act, 2023 contains some of the strictest obligations in the entire law — and they apply to far more companies than just children's brands. If a minor can use your product, these rules are yours to solve. For edtech, gaming, and any consumer platform with young users, this is the highest-stakes part of DPDP.
A child is anyone under 18
The Act defines a child as an individual under 18 years of age — a notably higher threshold than GDPR (13–16, set by each member state) or the US COPPA regime (under 13). The same protections extend to a person with a disability who has a lawful guardian.
What to do: Wherever your systems reference a "minor," set the boundary at 18, not 13 or 16. Importing a COPPA-tuned age gate from a global product will under-protect Indian users.
Verifiable parental consent comes first
Before processing any personal data of a child, a Data Fiduciary must obtain verifiable consent from the parent or lawful guardian (§9). "Verifiable" is the operative word: a checkbox claiming "I am a parent" is not enough. The Rules require you to take measures to confirm the person giving consent is an identifiable adult (Rule 10), and describe acceptable approaches:
- Relying on reliable identity and age information the fiduciary already holds about the adult
- Relying on identity and age details the adult voluntarily provides
- Using a token or virtual credential issued by the Government or an authorised entity (for example, a DigiLocker-style verified credential)
What to do: Pick a verification path proportionate to your risk and document it. A free content app and a platform handling location or payments warrant different rigour — but both need a real, recorded verification step, not a self-declaration.
The absolute prohibitions
Two restrictions in §9 are not waivable by parental consent. A Data Fiduciary shall not:
- Undertake tracking or behavioural monitoring of children, or targeted advertising directed at children
- Carry out processing likely to cause any detrimental effect on the well-being of a child
These bite even if the parent agreed, even if the child wants the feature, and even if behavioural advertising is core to your business model.
What to do: Turn off behavioural analytics, profiling, and ad targeting for any account flagged as a child — by design, not by policy promise. If your monetisation depends on tracking minors, it needs to change.
The exemptions exist, but read them narrowly
The Rules contemplate limited exemptions from some §9 restrictions for certain classes of fiduciaries and specified purposes — for example, processing necessary in the interests of a child's health, safety, or education can be treated differently. These are bounded carve-outs, not a general escape hatch.
What to do: Do not assume your sector is exempt. Treat any exemption as something to confirm with counsel against the notified Schedule, not to claim from a blog summary.
The penalty is real
Breaching the children's-data obligations attracts a penalty of up to ₹200 crore under the Act's penalty schedule. Combined with the reputational damage of mishandling minors' data, this is a board-level risk for edtech and gaming.
The hard part: age determination
Here is the honest tension. Section 9's machinery assumes you know a user is a child. But most Indian signups — a phone number and an OTP — reveal nothing about age. Robust, privacy-preserving age verification at population scale is an unsolved problem, and over-collecting identity documents to check age creates its own DPDP exposure.
There is no perfect answer yet. What regulators will expect is a defensible, documented age-assurance posture: an age-affirmation step, signals you use to detect likely minors, conservative defaults (no behavioural targeting where age is unknown), and an escalation to verifiable parental consent when a user is identified as a child.
What to do: Write your age-assurance approach down as a policy, apply conservative defaults, and revisit it as verified-credential infrastructure matures. General-audience brands face this too — see DPDP for D2C and e-commerce.
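The defaults described in this section can be enforced in one decision function that every analytics and ads call site consults. The sketch below is an added example, not code from the Act, the Rules, or any product; the `Account` fields, the `Decision` flags, and the choice to let basic processing continue while age is unknown are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

CHILD_AGE_LIMIT = 18  # DPDP threshold: under 18, not 13 or 16


class AgeStatus(Enum):
    ADULT = "adult"
    CHILD = "child"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class Account:  # hypothetical account model
    date_of_birth: Optional[date] = None     # None for a phone + OTP signup
    guardian_protected: bool = False         # person with a disability who has a lawful guardian
    parental_consent_verified: bool = False  # set only after a recorded verification step


@dataclass(frozen=True)
class Decision:
    may_process: bool
    allow_tracking: bool       # behavioural analytics / profiling
    allow_targeted_ads: bool
    needs_parental_consent: bool


def age_on(dob: date, today: date) -> int:
    """Completed years; the birthday itself counts as the new age."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def classify(acct: Account, today: date) -> AgeStatus:
    if acct.guardian_protected:
        return AgeStatus.CHILD  # assumption: gate these accounts like child accounts
    if acct.date_of_birth is None:
        return AgeStatus.UNKNOWN
    is_child = age_on(acct.date_of_birth, today) < CHILD_AGE_LIMIT
    return AgeStatus.CHILD if is_child else AgeStatus.ADULT


def decide(acct: Account, today: date) -> Decision:
    status = classify(acct, today)
    if status is AgeStatus.ADULT:
        # Section 9 adds no block; the adult's own consent still governs elsewhere.
        return Decision(True, True, True, False)
    if status is AgeStatus.UNKNOWN:
        # Conservative default: no behavioural targeting where age is unknown.
        return Decision(True, False, False, False)
    # Child: consent gates processing, but never unlocks tracking or targeted ads.
    ok = acct.parental_consent_verified
    return Decision(ok, False, False, not ok)
```

Note that `parental_consent_verified` appears only in the `may_process` branch, so no consent state can turn tracking or ad targeting back on for a child account.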
A children's-data build checklist
- Set the child threshold at 18 across all systems
- Add a verifiable parental-consent flow (Rule 10) before processing a child's data
- Hard-disable tracking, profiling, and targeted ads for child accounts (§9)
- Suppress behavioural targeting wherever age is unknown
- Document your age-assurance posture and your reliance on any exemption
- Record every parental consent to an immutable, auditable ledger
This commences with the rest of the substantive obligations on 13 May 2027 — see the compliance timeline.
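For the last checklist item, a hash chain is one common way to make a consent log tamper-evident. This is an added example, not any vendor's implementation; the record fields, the method labels, and the sample entries are constructed for illustration. The chain only proves integrity relative to a head hash stored somewhere the log's operator cannot rewrite, so the sketch exposes that head explicitly.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(ledger: list, record: dict) -> dict:
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"record": record, "prev": prev, "hash": entry_hash(prev, record)}
    ledger.append(entry)
    return entry


def verify(ledger: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return -1


def head(ledger: list) -> str:
    """Hash to anchor outside the ledger; catches truncation or a full rewrite."""
    return ledger[-1]["hash"] if ledger else GENESIS


def build_sample() -> list:
    """Constructed sample: pseudonymous IDs only, no identity documents in the log."""
    ledger = []
    append(ledger, {"child": "acct-1001", "guardian": "adult-77",
                    "method": "details_already_held", "notice": "v3",
                    "at": "2027-05-14T09:30:00+05:30"})
    append(ledger, {"child": "acct-1002", "guardian": "adult-91",
                    "method": "government_token", "notice": "v3",
                    "at": "2027-05-14T10:05:00+05:30"})
    return ledger
```

Editing any stored record makes `verify` return that entry's index; dropping the newest entries leaves a chain that still verifies, which is why the anchored `head` value has to be compared as well.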
Sector spotlight: edtech, gaming, and kids' content
Three sectors carry the most §9 exposure, and each fails differently if it gets this wrong.
- Edtech. Your users are students, many under 18 by definition. Verifiable parental consent is the entry gate, and engagement-maximising behavioural analytics on minors is off the table. Build the parental-consent journey into enrolment, not as an afterthought.
- Online gaming. Age-gating is routine elsewhere but rarely rigorous in India. Leaderboards, personalised offers, and behavioural retention loops aimed at minors collide directly with the ban on tracking and targeted advertising to children.
- Kids' content and apps. If your product is *designed* for children, you cannot claim ignorance of your users' ages. The whole §9 regime applies by default, and "we assumed parents set it up" is not a verification method.
What to do: If your audience skews young, assume minors are present and design the parental-consent flow and child-safe defaults first. Retro-fitting age controls onto a product built for engagement is far harder than building them in.
Frequently asked questions
What age counts as a child under DPDP?
Anyone under 18. This is higher than GDPR (13–16, set per member state) or the US COPPA threshold (under 13), so age logic imported from a global product will under-protect Indian users.
Is parental consent enough to run targeted ads to a minor?
No. The bans on tracking, behavioural monitoring, and targeted advertising directed at children are absolute under §9 — parental consent does not unlock them. Only the *processing* of a child's data is gated by verifiable parental consent; these specific activities are prohibited outright.
How do we verify that the consenting adult is really the parent?
Rule 10 describes acceptable approaches: relying on reliable identity and age details you already hold, on details the adult voluntarily provides, or on a token or virtual credential issued by the Government or an authorised entity. Choose a method proportionate to your risk and record it.
We genuinely cannot detect every minor — what will regulators expect?
A defensible, documented age-assurance posture: an age-affirmation step, conservative defaults (no behavioural targeting where age is unknown), and escalation to verifiable parental consent once a user is identified as a child. Perfect detection is not yet achievable at scale; a thought-through, written approach is.
Are any uses of children's data exempted?
The Rules contemplate limited exemptions for certain classes and purposes (for example, a child's health, safety, or education). Treat these narrowly.
How Sammati helps
Sammati is a consent management platform (CMP) and Data Processor — not a registered Consent Manager — with children's-data flows built in:
- A configurable verifiable-parental-consent journey with adult-verification checkpoints
- Child-account flags that switch off behavioural analytics and ad targeting downstream
- Immutable, hash-chained records of every parental consent, ready for audit
- Consent notices in all 22 Eighth Schedule languages
Take the free DPDP assessment or talk to us about children's-data compliance.