Children's Data Under DPDPA

DPDPA has specific provisions for the personal data of children — defined as individuals under 18 years of age. If your business collects data from or about minors, these provisions apply to you.

Who Is a "Child" Under DPDPA?

The Act defines a child as a person under the age of 18. This is a broad definition — it includes teenagers using your e-commerce platform, students under 18 attending your training institute, and minors whose data is processed by a parent's employer.

The Core Obligation: Verifiable Parental Consent

Section 9 of DPDPA requires that before processing the personal data of a child, a Data Fiduciary must:

• Obtain verifiable consent from a parent or guardian
• Process only data that is in the best interest of the child
• Not undertake tracking or behavioural monitoring of children
• Not target advertising at children based on their personal data

Who Does This Affect?

• Training institutes and coaching centres with students under 18
• EdTech platforms offering courses or content to minors
• D2C brands whose customers may include teenagers
• Healthcare platforms handling minor patient data
• Any employer whose HR processes collect data of employees' minor dependants

What Is "Verifiable Parental Consent"?

The Act requires that parental consent be verifiable — meaning you must take reasonable steps to confirm that the person giving consent is actually the parent or guardian. The DPDP Rules, 2025 specify that age verification must be implemented before processing a child's data, and businesses should apply reasonable technical and procedural checks to verify age and parental identity.

Interim best practice:

• Ask for date of birth at registration; if under 18, require parental consent
• Use a separate consent form addressed to the parent/guardian
• Collect the parent's contact details separately from the minor's
• Consider age-verification mechanisms where feasible

No Behavioural Targeting of Children

If you use analytics tools, remarketing pixels, or personalisation engines that process personal data, you must ensure these are not applied to children. This means:

• Excluding under-18 users from remarketing audiences
• Not building behavioural profiles of children for advertising
• Reviewing whether your tracking tools can distinguish minor users

Penalties for Non-Compliance

Failure to observe special provisions for children's data can attract penalties of up to ₹200 crore under the DPDPA penalty framework.

Practical Steps for Businesses

Training institutes and EdTech:

• Add a date of birth field to admissions/enrollment forms
• For students under 18, use a separate parental consent form
• Ensure your admissions marketing database distinguishes minors from adults
• Review whether placement data and testimonials involve any minors

D2C and E-commerce:

• Include date of birth or age gate at account creation
• Configure your remarketing tools to exclude identified minors
• Review your WhatsApp and SMS marketing lists for known minor users

General:

• Update your Privacy Notice to include a section on children's data
• Train customer-facing staff to identify and escalate when they are dealing with a minor
• Document your parental consent process and record parent/guardian details

Sensitive Use Cases

School management systems processing data of hundreds of minors face elevated scrutiny. If you build or use such systems, verify that your Data Processing Agreements with schools reflect the DPDPA obligations around children's data.

Child health data is a particularly sensitive category — it combines children's data protections with the sensitive nature of health information. Handle with extreme care and document your legal basis for processing.