Children's Data Protection Under DPDP Act India: Complete Guide 2025 | KavachOne

🧒 Section 9 — Children's Data

Children's Data
Protection Under
India's DPDP Act
2023

Section 9 of India's DPDP Act imposes the strictest obligations in the entire legislation — requiring verifiable parental consent before processing any child's personal data, banning all behavioural tracking of minors, and prohibiting targeted advertising directed at children. Non-compliance carries penalties up to ₹200 crore.

🧒 Achieve 9 Compliance See 9 Obligations ↓

⚖️ DPDP Children's Threshold

18 Years

✍️ Verifiable parental consent required Must

🎯 Targeted advertising to children Banned

📊 Behavioural tracking of children Banned

🔍 Age verification before processing Must

🧒 Age-appropriate processing design Must

✅ Exemption for age-appropriate services Possible

18Years — DPDP Age Threshold for Children

₹200 CrMax Penalty for Children's Data Violations

100%Verifiable Parental Consent Required

0Exceptions to the Targeted Advertising Ban

9Most Stringent DPDP Section

Who Is a Child?

Defining "Child" Under India's DPDP Act 9

The DPDP Act draws a clear line at 18 years old — significantly stricter than the GDPR's 16-year threshold and broader than the US COPPA standard of 13. Understanding exactly who qualifies as a child determines your consent and processing obligations.

⚠️ Requires 9 Compliance

Any person under 18 years of age anywhere in India, regardless of jurisdiction of the platform

A 17-year-old student using an EdTech platform

A 15-year-old using a social media application

A 16-year-old using a health & fitness tracking app

A 12-year-old using a gaming or entertainment platform

Any minor whose age is unknown or unverified at time of consent

Any minor for whom only self-declared age is available (not verified)

✓ Standard Processing Applies

Persons 18 years or older — standard DPDP consent and processing rules apply

An 18-year-old or older individual who has given valid consent

An adult using a verified age-gated platform or service

A person whose age has been verified through a reliable mechanism

An adult nominating themselves as guardian/parent for a child's consent

Organisations processing employee data of adults (standard rules apply)

Services explicitly and verifiably restricted to adults only

9 Obligations

Six Core 9 Obligations for Every Data Fiduciary

Section 9 of the DPDP Act imposes specific, non-negotiable obligations on every Data Fiduciary that knowingly or unknowingly processes children's personal data.

Mandatory ✅

Verifiable Parental Consent

Before processing any personal data of a child, the Data Fiduciary must obtain verifiable consent from the parent or lawful guardian — not just the child themselves. The consent must meet all DPDP 6 standards and be documented.

Practical: Age gate → parent consent form → parental identity verification → consent record stored in ConsentiQo

Mandatory 🔍

Age Verification Before Processing

Data Fiduciaries must implement mechanisms to verify the age of users before collecting or processing their personal data. Self-declaration alone is insufficient — reliable, proportionate verification is required for platforms likely to have child users.

Practical: Date-of-birth capture with secondary verification for users under 18; ID verification for borderline ages; parental email/phone verification

Banned 🚫

No Targeted Advertising to Children

The DPDP Act completely bans targeting advertising at children — including interest-based, behavioural, and demographic advertising directed at users identified or suspected to be under 18. This applies regardless of whether parental consent has been obtained.

Banned: Personalised ad delivery to children's accounts; interest-profiling children for ad targeting; lookalike audience creation from child data

Banned 📊

No Tracking or Behavioural Monitoring

Behavioural tracking of children — monitoring their online activity, location patterns, interests, or engagement over time — is prohibited. This includes most analytics and engagement tracking tools that may passively collect children's behavioural data.

Banned: Session recording of children; engagement analytics profiling child users; cross-site/cross-app tracking of minors

Mandatory 🧒

Age-Appropriate Design

Data Fiduciaries must design their products and services to be appropriate for children — including privacy-by-default settings, age-appropriate privacy notices, and ensuring processing is in the child's best interests, not against them.

Required: Privacy-protective default settings for child accounts; child-readable privacy notices; DPO review of features impacting child users

SDF Obligation 📋

DPIA for Child Data Processing

Processing children's personal data is a high-risk processing activity under the DPDP Act — automatically triggering a mandatory DPIA requirement, especially for Significant Data Fiduciaries. The DPIA must assess harm to children specifically.

Required: DPIA conducted before launch of any feature processing children's data; child harm impact assessment included in DPIA methodology

Age Verification

Four Age Verification Approaches for DPDP Compliance

Self-declaration of age alone does not satisfy DPDP 9. Here are the four approaches to age verification — from lightest-touch to most robust — and when each is appropriate.

📅

Date-of-Birth + OTP

User provides date of birth at registration. Minors are identified and a parental OTP is sent to a parent's verified mobile number before processing commences.

✓ Low friction for adults

✗ Child may misrepresent DOB

📱

Aadhaar-Linked Mobile OTP

Age verified through the parent's Aadhaar-linked mobile number — leveraging UIDAI's pre-verified identity infrastructure for reliable parental verification without ID document upload.

✓ India-native, reliable, widely available

✗ Requires parent Aadhaar linkage

🪪

DigiLocker / Document Verification

Parent verifies identity through DigiLocker, PAN card, or Aadhaar — providing cryptographic proof of identity and establishing the guardian relationship with the child user.

✓ Highest confidence verification

✗ Friction — best for high-risk platforms

📧

Parental Email Verification

Child provides parent's email. Parent receives consent request, confirms they are the child's parent/guardian via email link, and completes the consent form. Suitable for lower-risk, non-sensitive platforms.

✓ Low friction, widely accessible

✗ Lower assurance — not for sensitive data

Prohibited Activities

What Is Absolutely Banned
for Children's Data Under DPDP

These activities are completely prohibited under 9 — no exemption, no consent override, no business justification can permit them.

🚫

Targeted Advertising Directed at Children

Delivering personalised, interest-based, or demographically targeted advertising to users identified or known to be under 18 years old. This includes any form of ad personalisation using the child's personal data.

Examples: Age-targeted ads on social media; personalised product recommendations to child users; sponsored content targeting based on children's interests

🚫

Behavioural Tracking of Children

Monitoring, recording, or profiling children's online behaviour, usage patterns, interests, or engagement over time — including through analytics tools, tracking pixels, cookies, and session recording.

Examples: Click-stream analytics profiling child users; cross-platform tracking of minors; interest profiling from children's browsing or app usage

🚫

Processing Harmful to Children's Well-Being

Any processing of children's personal data that is detrimental to their wellbeing — including processing that creates psychological pressure, encourages harmful behaviour, or exploits children's data for commercial gain against their interests.

Examples: Gamification using children's data to maximise engagement at the expense of wellbeing; dark patterns targeting children; selling children's data for marketing profiling

🚫

Processing Without Verifiable Parental Consent

Any processing of a child's personal data without first obtaining and verifying parental or guardian consent — including platforms that accept self-declared ages without verification, or platforms that knowingly bypass age gates.

Examples: Allowing children to create accounts with self-declared DOB only; processing data collected before parental consent is confirmed; ignoring age signals and processing as adult data

By Sector

9 Compliance by Industry

Different sectors face different 9 challenges. Here is what each major industry must address to achieve children's data compliance under the DPDP Act.

📚

EdTech & Online Learning

Highest-risk sector — most users are under 18, and detailed learning analytics create deep child data profiles.

Parental consent for all students under 18 before platform access
Learning analytics restricted — no behavioural profiling for advertising
Child-appropriate privacy notices in simple language
DPIA mandatory before any new feature processing child data

🎮

Gaming & Entertainment

Significant behavioural tracking risks — engagement mechanics designed to maximise usage may conflict with children's wellbeing obligations.

Age gate with parental verification for any game with likely child users
In-app purchases requiring parental consent for child accounts
Engagement-maximising mechanics reviewed for child wellbeing impact
No personalised advertising in child-accessible game modes

📱

Social Media & Messaging

Highest scrutiny — data collection at scale, pervasive behavioural tracking, and targeted advertising are core to the business model.

Robust age verification — self-declaration alone insufficient
Child accounts: no ad targeting, no interest profiling whatsoever
Privacy-protective defaults for all accounts until age verified
Parental controls and consent withdrawal mechanisms mandatory

🏥

Healthcare & Wellness Apps

Processing sensitive health data of minors — maximum protection obligations apply.

Parental consent AND separate DPIA for any child health data
Strictly limited data sharing — health data of children never shared for advertising
Child accounts: strict data minimisation — only data necessary for care
Regular DPO review of all features processing child health data

🛍️

E-Commerce & Retail

Children browsing and purchasing — parental consent and advertising restrictions apply to child users of e-commerce platforms.

Age verification at account creation — DOB + parental OTP for under 18
No personalised recommendations or targeted ads to child accounts
Purchase consent mechanism for child account transactions
Child browsing/purchase data not used for any profiling activity

💰

BFSI & Fintech

Minor accounts and minors accessing financial products — strong parental oversight and financial safeguards required.

Minor accounts require parent/guardian consent linked to account
Financial product recommendations to minors: strictly non-targeted
Transaction monitoring for minor accounts — no profiling for marketing
Clear parental visibility and control over minor account activity

Penalties

The Cost of 9 Non-Compliance

Children's data violations attract some of the highest penalties in the DPDP Act — reflecting the legislature's intent to give maximum protection to the most vulnerable data principals.

Violation	DPDP Section	Maximum Penalty	Mitigation Factor
Processing child data without verifiable parental consent	9(1)	₹200 Crore	Good-faith 9 compliance programme; documented age verification; immediate cessation on discovery
Targeting advertising at a child	9(3)	₹200 Crore	Immediate suppression of child targeting; refund of any revenue generated from prohibited advertising
Behavioural tracking or monitoring of a child	9(3)	₹200 Crore	Deletion of all tracked data; evidence of tracking suppression by account type
Processing detrimental to a child's wellbeing	9(2)	₹200 Crore	DPIA evidence showing child wellbeing assessment; product changes removing harmful features
Failure to implement adequate security for children's data	8(5) + 9	₹250 Crore	Evidence of enhanced security measures; breach response and notification completed

Achieve Children's Data Compliance
with KavachOne

KavachOne's ConsentiQo platform includes purpose-built parental consent workflows, age-gated consent management, and child account safeguards — designed specifically for DPDP 9 compliance. Our experts help you implement age verification, DPIA assessments, and child-appropriate design across your products.

🧒 Achieve 9 Compliance Explore ConsentiQo →

FAQs

Common Questions About Children's Data Under DPDP

Does 9 apply to B2B EdTech platforms where schools are the customer — not parents? ▾

Yes — 9 applies to any processing of children's personal data, regardless of the business model. When a school contracts with an EdTech platform to provide services to students, the EdTech platform is the Data Processor for the school (Data Fiduciary) — and the school must ensure the platform operates in compliance with 9. The school is responsible for obtaining appropriate parental consent for platform use, and the platform must be contractually bound to process children's data only in ways that comply with 9.

Can platforms obtain parental consent via a simple tick-box on a parent sign-up form? ▾

No. The DPDP Act requires "verifiable" parental consent — meaning the platform must take reasonable steps to ensure the person giving consent is actually the child's parent or lawful guardian. A simple tick-box that anyone could complete does not meet this standard. At minimum, the verification should involve a confirmed parent/guardian contact detail (email or phone OTP) that demonstrates the consenting adult actually received and responded to the consent request. Higher-risk platforms processing sensitive child data should implement stronger verification such as Aadhaar-linked mobile OTP or DigiLocker.

Are there any exemptions from 9 for services specifically designed for children? ▾

The DPDP Act provides for the Central Government to notify categories of Data Fiduciaries or services that may be exempt from the parental consent requirement — primarily for services that are designed in a manner that protects children's interests and wellbeing, and where age verification and parental consent create a disproportionate barrier to access. However, no such exemptions have been notified as of 2025. Until formal exemptions are announced, all processing of children's personal data requires verifiable parental consent.

How should platforms handle a user who turns 18 after initial parental consent? ▾

When a child user turns 18, they transition from 9 children's data rules to standard DPDP adult rules. Best practice is to proactively contact the newly-adult user near their 18th birthday, inform them that their account will transition from parental consent to direct consent, and obtain fresh direct consent from them for all processing purposes. The child's processing should continue under the existing parental consent until fresh adult consent is obtained, after which the parental consent is superseded. If the now-adult declines to provide direct consent, processing under the child's purposes should cease.

Does the 9 targeted advertising ban apply to contextual advertising (non-personalised)? ▾

The DPDP Act 9(3) specifically prohibits "targeting of advertising" at children — which is understood to mean personalised, behavioural, and interest-based advertising. Purely contextual advertising — ads served based on the content being viewed, with no use of the child's personal data for targeting — is generally considered to fall outside the 9 ban, since it does not involve the processing of children's personal data for targeting purposes. However, any advertising system that uses the child's profile, history, or inferred interests to select or personalise ads would be prohibited, even if the mechanism is described as "contextual."

Children's Data Protection India DPDP Act Children Data DPDP Parental Consent India Section 9 DPDP Age Verification DPDP India Minor Data Protection India Children Privacy India DPDP Targeted Advertising Ban Children India KavachOne Children Compliance ConsentiQo Parental Consent Child Data Fiduciary Obligations DPDP Compliance 2025 DPDP Act 2023 Behavioural Tracking Children Ban Children DSAR India