Children's Data Protection Under DPDP Act 2023
DPDP Section 9 imposes the strictest rules on processing children's data — verifiable parental consent, no behavioral tracking, and no targeted advertising. Here's what businesses must do.
Hey there, fellow business owner!
Let’s chat about a crucial part of India’s new privacy law, the Digital Personal Data Protection (DPDP) Act, 2023, that often trips people up: children’s data protection. If your business interacts with anyone under 18, even indirectly, you need to pay close attention. The rules here are strict, and for good reason – protecting our kids is paramount.
Under the DPDP Act, a “child” is anyone under the age of 18. And when we talk about your business, you’re usually the “Data Fiduciary.” Think of a Data Fiduciary as the boss of the data – the entity (like your company) that decides why and how personal data is processed. These rules apply to you, big time.
This guide will break down what the DPDP Act means for processing children’s data, give you practical steps, and help you avoid hefty penalties – which can go up to ₹200 Crore for serious non-compliance in this area.
What Does DPDP Say About Children’s Data?
Section 9 of the DPDP Act is solely dedicated to children’s data protection. It’s probably the most restrictive part of the entire law. Why? Because children are considered a vulnerable group and need extra layers of protection online.
Here’s the gist of DPDP Section 9:
- Verifiable Parental Consent is a Must: Before you can process any personal data of a child, you generally need to obtain verifiable consent from their parent or lawful guardian. This isn’t just a simple checkbox; it needs to be an actual, provable step.
- No Behavioral Monitoring or Tracking: You absolutely cannot track or monitor children’s behavior. This means no cookies to build profiles, no collecting data on their app usage patterns to understand preferences, etc.
- No Targeted Advertising: Forget about showing ads specifically tailored to a child’s interests or online activity. Targeted advertising to children is strictly prohibited. This impacts businesses relying on ad revenue from younger audiences significantly.
- No Harmful Processing: The law also says you can’t process a child’s personal data in a way that is “detrimental to the well-being of a child.” This is a broad term, but it essentially means always prioritizing the child’s best interests.
So, if your app, website, or service is likely to be used by children, even if it’s not exclusively for them, these rules apply.
Practical Requirements for Your Business
Okay, so the law is clear, but what does it mean for your operations? It’s about putting those strict rules into action.
- Robust Age Verification: You need a way to reasonably determine if a user is a child or an adult. This could involve asking for a date of birth and then using technical checks to ensure the input is plausible. For services exclusively targeting adults, you might need a stronger mechanism.
  - Real-world scenario: An online educational platform offering courses for school children must have an age verification step at registration. If a user inputs an age below 18, the system should then trigger the parental consent process.
- Implementing Verifiable Parental Consent: This is where it gets tricky. “Verifiable” means you can prove the parent actually gave consent. Methods could include:
  - Sending an OTP to the parent’s verified phone number or email address.
  - Requiring parents to submit a scanned copy of a government ID to prove guardianship (for high-risk data).
  - Using third-party parental verification services (if available and compliant).
- Audit Your Data Practices: Go through all the data you collect, how you collect it, and what you do with it. If any of it comes from children, you need to ensure you’re not tracking their behavior or serving them targeted ads.
  - For more on general compliance, check out our analyses of the Act.
These steps are not optional. Ignoring them isn’t just risky; it’s practically inviting trouble.
Common Mistakes Businesses Make
Even with the best intentions, it’s easy to stumble when dealing with children’s data under the DPDP Act. Here are some common pitfalls:
- Assuming All Users Are Adults: Many businesses don’t consider children as part of their user base if their service isn’t “for kids.” But if a child can access your platform, even accidentally, you’re on the hook. Think of a general e-commerce site – kids might use a parent’s device.
- Weak Age Verification: A simple checkbox stating “I am 18+” is generally not considered robust enough for children’s data protection in India. The law expects reasonable effort.
- Generic Consent Forms: Using the same privacy policy and consent form for adults and children, without specific provisions for parental consent, is a major red flag. Parental consent under the DPDP Act has unique requirements.
- Hidden Tracking: Even if you disable targeted ads for known minors, are your analytics tools still collecting behavioral data? Are third-party plugins tracking their activity? This is often overlooked.
- Not Reviewing Third-Party Integrations: Many apps and websites use third-party tools for analytics, advertising, or even payments. If these tools are processing children’s data in non-compliant ways, your business is ultimately responsible.
  - Real-world scenario: A popular gaming app for teenagers collects extensive in-app purchase data and game activity logs. If it fails to implement verifiable parental consent and uses this data to recommend specific in-game items or other games, it directly violates DPDP Section 9’s prohibitions on tracking and targeted advertising.
How to Comply with DPDP Children’s Data Rules
Compliance isn’t a one-time task; it’s an ongoing commitment. Here’s a structured approach to ensure you’re meeting the DPDP Act’s requirements for children’s data:
- Identify if You Process Children’s Data: Conduct a data mapping exercise. Does your website, app, or service attract users under 18? Even if you don’t target them, could they realistically access and use your platform? If yes, then Section 9 applies.
- Implement Strong Age Verification: At the point of data collection (e.g., account registration), add clear age verification. If the user identifies as under 18, immediately trigger the parental consent flow. For services exclusively for adults, implement robust age gates (e.g., requiring ID verification, though this has its own data privacy implications).
- Develop a Verifiable Parental Consent Mechanism:
  - Clearly inform parents about the data being collected, why, and how it will be used.
  - Obtain explicit consent, not implied.
  - Methods: email confirmation with a unique link, OTP to parent’s registered mobile, or even linking to an Aadhaar-verified parent account (with strict safeguards).
  - Example: An e-learning platform asks for the child’s age. If under 18, it asks for the parent’s email, sending a verification link to the parent, who must click to approve the child’s account and agree to the platform’s data processing terms.
- Review and Restrict Data Processing for Minors:
  - Ensure all analytics and advertising tools are configured to NOT track behavior or serve targeted ads to identified children.
  - Implement data minimization – collect only what is absolutely necessary for the service.
  - If you can’t comply with the strict rules for children’s data, consider whether you need to serve children at all. It might be safer to restrict access to adults.
- Update Your Privacy Policy: Make sure your privacy policy clearly outlines how you handle children’s data protection in India, your age verification process, and the parental consent mechanism. Transparency builds trust and is a legal requirement.
- Train Your Staff: Ensure anyone interacting with user data or developing your product understands the strict rules around DPDP Section 9 and the consequences of non-compliance.
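The age check and the email-link consent step described above, as an added example in Python (not code from the original page): the link token is signed, expires, and is accepted only once, and each confirmation is kept as an audit record so the consent is provable. The function names, the 24-hour link lifetime and the in-memory store are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets
from datetime import date

SECRET = secrets.token_bytes(32)   # assumption: per-deployment signing key
TOKEN_TTL = 24 * 3600              # assumption: consent link valid for 24 hours
ADULT_AGE = 18                     # from the page: a "child" is anyone under 18
consent_log = {}                   # nonce -> audit record (stand-in for a database)

def age_on(dob: date, today: date) -> int:
    # Subtract one if this year's birthday has not happened yet.
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def is_child(dob: date, today: date) -> bool:
    if dob > today:
        raise ValueError("date of birth is in the future")  # implausible input
    return age_on(dob, today) < ADULT_AGE

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def issue_consent_token(child_id: str, parent_email: str, now: int) -> str:
    """Build the unique link token that is emailed to the parent."""
    claims = {"child": child_id, "parent": parent_email,
              "exp": now + TOKEN_TTL, "nonce": secrets.token_hex(16)}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return payload.decode() + "." + _sign(payload).decode()

def confirm_consent(token: str, now: int) -> bool:
    """Accept the parent's click once; reject tampered, expired or replayed links."""
    payload, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(payload.encode())):
        return False
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if now > claims["exp"] or claims["nonce"] in consent_log:
        return False
    consent_log[claims["nonce"]] = {**claims, "confirmed_at": now}  # proof of consent
    return True

def has_consent(child_id: str) -> bool:
    return any(rec["child"] == child_id for rec in consent_log.values())

def processing_flags(dob: date, today: date, child_id: str) -> dict:
    """Child-specific limits from the page, applied per user."""
    child = is_child(dob, today)
    return {"account_active": (not child) or has_consent(child_id),
            "behavioral_tracking": not child,  # stays off for children even with consent
            "targeted_ads": not child}
```

Analytics and advertising integrations would read these flags before loading, so an identified child never reaches a tracking code path.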
Data Types & Risk Levels for Children’s Data
Understanding the type of data you collect and its associated risk is crucial, especially for children. Any data that can identify a child or reveal their habits is high risk.
| Data Type | Examples | DPDP Relevance | Risk Level for Children |
|---|---|---|---|
| Basic Identification | Name, Date of Birth, Gender, Address | Requires parental consent | Medium to High (especially DoB) |
| Contact Information | Email, Phone Number (child’s or parent’s) | Crucial for parental consent, communication | High |
| Behavioral Data | Website clicks, App usage patterns, Search history, In-app purchases, IP address | Prohibited for tracking/profiling | Very High (illegal without consent) |
| Location Data | GPS data, IP address (can infer location) | Requires strict parental consent | Very High |
| Biometric Data | Fingerprints, Facial recognition, Voice prints | Requires explicit, verifiable parental consent | Extremely High |
| Educational Data | School name, Grades, Course progress | Requires parental consent, context-specific | High |
| Health Data | Medical history, Health conditions | Sensitive Personal Data, requires explicit parental consent | Extremely High |
As you can see, almost any personal data related to a child carries a higher risk and stricter requirements under the DPDP Act. The goal is to minimize collection and ensure every step is transparent and consented to by a guardian. For more specific guidance tailored to your industry, check out our industry guides.
Penalties and What’s at Stake
The penalties for non-compliance with the DPDP Act, 2023, particularly regarding children’s data, are severe. Violations can lead to penalties of up to ₹200 Crore. This isn’t just a slap on the wrist; it can be devastating for a business, especially small and medium enterprises. Beyond the financial hit, there’s the irreparable damage to your reputation and trust with your users and their parents.
Quick Actions You Can Start This Week
Don’t wait until it’s too late. Here are 5-7 practical steps you can take this week to start improving your compliance with the DPDP Act’s rules on children’s data:
- Assess Your User Base: Determine if children are likely to use your service. If yes, proceed to the next steps.
- Review Age Verification: Check if your current user onboarding process has an adequate age verification step. If not, plan to implement one.
- Map Data Collection: Identify all data points you collect from users, especially any that could come from children.
- Draft a Parental Consent Flow: Outline how you will obtain verifiable parental consent if a user identifies as a child. What information will you provide the parent? How will you verify them?
- Check Third-Party Tools: Audit all third-party analytics, advertising, and tracking tools integrated into your platform. Can they be configured to not collect behavioral data or serve targeted ads to minors?
- Update Your Privacy Policy Draft: Start drafting updates to your privacy policy to specifically address how you handle children’s data under the DPDP Act.
- Educate Your Team: Briefly inform your key team members (product, marketing, legal, customer support) about the importance of DPDP Section 9 and the new rules.
Taking these steps now will put you on the right path to protecting children’s privacy and safeguarding your business from significant penalties.