DPDP Act Children's Data: Age Verification and Consent
How the DPDP Act 2023 protects children's personal data — the under-18 definition, verifiable parental consent requirements, what processing is prohibited, and penalty exposure.
- Section 9 defines a child as any individual under 18 and requires verifiable parental consent before processing their data.
- Behavioural tracking, targeted advertising, and profiling of children are expressly prohibited.
- Violation of children's data obligations attracts the maximum penalty of ₹250 crore.
- Age verification mechanisms must be genuinely verifiable — a self-declaration checkbox does not qualify.
- Consumer apps, gaming platforms, ed-tech, and social media are at highest risk under this provision.
In this guide
Section 9: Children's Data Protection Framework
Section 9 of the DPDP Act establishes the highest-protection regime for children's personal data, consistent with global best practice (UK GDPR's Age Appropriate Design Code, COPPA in the US, and GDPR's heightened consent standards for children). The penalty for breach — ₹250 crore — is the maximum available under the Act, reflecting Parliament's intent that child data protection be a red-line obligation.
Section 9(1) prohibits processing of children's personal data without obtaining verifiable consent from the child's parent or guardian. Section 9(2) prohibits processing in a manner that may be detrimental to the child's wellbeing. Section 9(3) prohibits tracking, monitoring, or behavioural advertising targeted at children. These are absolute prohibitions — there is no balancing test or public interest override.
The obligations fall on any Data Fiduciary that processes the personal data of children. This includes not just platforms primarily targeted at children (ed-tech apps, gaming platforms) but also general-audience services that may be accessed by under-18 users. If you cannot verify age, you cannot exclude the application of Section 9.
Who Is a Child Under the DPDP Act
Section 2(e) defines a child as any individual who has not completed 18 years of age. This is higher than some international standards — the US COPPA applies to children under 13; the UK's age-appropriate design code applies to under-18s. India's Section 9 applies the protective regime to all users under 18.
For platforms with a predominantly young user base — social media, gaming, ed-tech, OTT entertainment — the 18-year threshold means that a significant proportion of users are protected by Section 9. A platform cannot limit Section 9 obligations only to users under 13 or 16.
The definition of 'parent or guardian' follows the natural meaning: a biological or adoptive parent, or a legally appointed guardian. The Rules may specify what documents or methods are acceptable for verifying parental identity, given the practical challenges of doing so digitally at scale.
Verifiable Parental Consent: The High Bar
Section 9(1) requires "verifiable consent of the parent." "Verifiable" is the critical word — it excludes self-declaration mechanisms where the user simply claims to be an adult or claims to have parental consent. The platform must take active steps to verify that the consenting person is actually the child's parent or guardian.
The Rules will specify acceptable verification mechanisms. Likely candidates based on India's digital identity infrastructure include: Aadhaar-based eKYC or OTP verification; DigiLocker-based credential verification; payment-card verification (a proxy for adult financial account ownership); or a parental email/mobile verification flow with additional identity checks.
Until the Rules specify the verification standard, platforms should implement the highest reasonable verification bar available to them. Storing a record of the verification mechanism used (which Aadhaar ID or which payment card was used to verify parental consent) is essential for demonstrating compliance if a complaint is raised.
Processing Prohibited for Children
Section 9(3) explicitly prohibits: (a) tracking or monitoring of children's personal data; (b) profiling of children's personal data; and (c) targeted advertising directed at children. These prohibitions apply regardless of whether parental consent has been obtained — they are absolute restrictions on the manner of processing, not merely consent requirements.
Behavioural targeting — showing ads based on a child's browsing history, app usage, or inferred interests — is prohibited. This means platforms that display advertising cannot show targeted ads to users under 18. If your platform's revenue model depends on targeted advertising, you either need robust age verification to exclude under-18 users or you need to switch to contextual (non-targeted) advertising for all users.
Location tracking of children — including persistent location sharing features in apps — falls within the tracking prohibition. Features like "find my friend" or persistent background location that serve valid safety purposes for parents need to be carefully designed so that the tracking benefits the child's safety and is parent-controlled, not third-party commercial interests.
Age Verification Mechanisms
Age verification at scale is technically and operationally challenging. Options available to Indian platforms include: Aadhaar eKYC integration (verifies age from Aadhaar data); mobile number verification with TRAI's Know Your Customer (KYC) data; credit card or debit card verification (a proxy for being over 18); or manual document upload with human review.
Each mechanism has trade-offs. Aadhaar eKYC is highly reliable but raises privacy concerns (full Aadhaar integration for all users purely for age verification is disproportionate). Credit card proxies exclude young adults who do not yet have cards. Document upload with human review is expensive at scale. The Rules' specified mechanism will resolve this, but companies should evaluate now.
For platforms that do not wish to implement full age verification, an alternative design approach is to have a children's mode that is active by default and switches to full features only after age verification. This design limits Section 9 exposure while preserving a functional product for non-verified users.
Entities Exempt from Age Verification
Section 9(4) permits the Central Government to exempt certain Data Fiduciaries from the age verification and parental consent requirements where the processing is: (a) for a purpose connected with safeguarding the child's health or wellbeing; or (b) of a specific nature, and subject to such conditions as prescribed.
Healthcare providers, child welfare services, and government education programmes are likely beneficiaries of this exemption. An ed-tech platform delivering government school curriculum under a government contract may argue for exemption from the full parental consent requirement on child wellbeing grounds.
The exemption requires a specific government notification — it is not self-operative. Until your sector receives an exemption notification, full Section 9 obligations apply. Monitor MEITY notifications closely; the first cohort of exemptions will reveal the government's approach to this provision.
Compliance Steps for Consumer Platforms
Step one: audit your current user base. Do you know what proportion of your users are under 18? If you do not collect date of birth, you have no way to apply Section 9 appropriately. Add age collection to your onboarding flow — using a date of birth field rather than an 'I am over 18' checkbox — and design your product to apply appropriate restrictions to under-18 accounts.
Step two: implement parental consent flows for users who are under 18 or who self-declare as under 18. This requires a separate consent path that verifies the parent's identity before the child's account is activated. Until the Rules specify the verification standard, use the most robust verification available to you.
Step three: disable tracking, profiling, and targeted advertising for all users under 18. This is an absolute prohibition — not a consent override. Review your advertising SDK integrations, analytics tools, and personalisation features to ensure they can be switched off for under-18 accounts. Document the technical controls as evidence in your DPDP compliance programme.
Frequently Asked Questions
Our app is primarily for adults but some teenagers may use it. Does Section 9 apply?
Can a parent consent on behalf of multiple children for a family account?
What age verification standard will satisfy "verifiable consent"?
Is an ed-tech platform that processes children's data automatically exempt under Section 9(4)?
Our platform uses behavioural analytics for product improvement. Is this prohibited for under-18 users?
Automate your compliance today
AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.
Start for free