Opsio - Cloud and AI Solutions
8 min read· 1,878 words

DPDPA Children's Data Protection: Special Requirements

Published: ·Updated: ·Reviewed by Opsio Engineering Team
Praveena Shenoy
Praveena Shenoy

Country Manager, India

AI, Manufacturing, DevOps, and Managed Services. 17+ years across Manufacturing, E-commerce, Retail, NBFC & Banking

DPDPA Children's Data Protection: Special Requirements

DPDPA Children's Data Protection: Special Requirements

The DPDPA imposes some of its strictest requirements on processing children's data, with penalties reaching INR 200 crore for non-compliance. According to UNICEF India (2024), India has over 470 million children under 18, making this one of the world's largest populations affected by children's data protection provisions. For businesses operating digital platforms, apps, or services that children may access, these requirements demand careful attention.

This article covers the DPDPA's definition of a child, parental consent requirements, prohibited processing activities, age verification challenges, and practical compliance strategies.

Key Takeaways

- DPDPA defines a child as anyone under 18 years, among the highest age thresholds globally

- India has over 470 million children under 18 (UNICEF India, 2024)

- Tracking, behavioral monitoring, and targeted advertising directed at children are prohibited

- Verifiable parental consent is required before processing children's data

- Penalties for children's data violations reach INR 200 crore (the second-highest category)

What Does the DPDPA Define as Children's Data?

The DPDPA defines a child as any individual who has not completed 18 years of age. According to IT Ministry notifications (2024), this age threshold is among the highest globally, significantly exceeding GDPR's default of 16 (with member state options to lower to 13). The high threshold means that a vast range of digital services used by teenagers falls under these enhanced protections.

Any personal data relating to an individual under 18 constitutes children's data under the DPDPA. This includes data knowingly collected from children and data collected from adults that relates to their children (such as educational records provided by parents).

Why 18 as the Threshold?

The 18-year threshold aligns with the Indian legal definition of a minor under the Indian Majority Act, 1875. While there was industry advocacy for a lower threshold (particularly from EdTech and social media companies), the government maintained 18 to provide comprehensive protection.

Possible Exemptions

The Central Government has the power to notify specific categories of data fiduciaries or purposes where the age threshold may be lowered or where certain children's data requirements may not apply. EdTech platforms and verified educational purposes may receive exemptions, but until specific notifications are issued, the full requirements apply.

Citation Capsule: The DPDPA defines a child as any individual under 18, among the highest thresholds globally, covering over 470 million children in India, according to UNICEF India (2024). This significantly exceeds GDPR's default threshold of 16.

What Parental Consent Requirements Apply?

Before processing a child's personal data, data fiduciaries must obtain verifiable consent from the child's parent or lawful guardian. According to DSCI (2025), implementing verifiable parental consent at scale is one of the DPDPA's most technically challenging requirements, particularly for digital platforms with millions of young users.

Verifiable Parental Consent

The consent must be:

  • From the parent or lawful guardian specifically
  • Verifiable (the data fiduciary must make reasonable efforts to verify the consenting person is the parent/guardian)
  • Given before any processing begins
  • Subject to the same five DPDPA consent requirements (free, specific, informed, unconditional, unambiguous)

Verification Methods

The DPDPA doesn't prescribe specific verification methods, creating flexibility but also uncertainty. Commonly discussed approaches include:

  • Digital identity verification: Using Aadhaar-based verification or DigiLocker integration to confirm parental identity
  • Knowledge-based verification: Questions only a parent would know (though this is weaker)
  • Credit card or financial verification: Requiring a small payment that only an adult could authorize
  • Video verification: Live video call confirming parental identity
  • Consent through existing trusted accounts: Piggybacking on verified accounts (banking, government services)

The Scale Challenge

With 470 million children in India, the parental consent requirement affects virtually every consumer-facing digital platform. Social media, gaming, e-commerce, streaming services, and educational platforms must all implement age detection and parental consent mechanisms. The operational burden is significant.

[PERSONAL EXPERIENCE] The biggest challenge we've seen isn't building the consent mechanism itself, but implementing reliable age detection at the point of data collection. Many platforms currently have no way to distinguish a 17-year-old from a 19-year-old user. Without reliable age detection, organizations can't know when to trigger parental consent requirements. This is an infrastructure problem that needs solving before consent mechanisms become relevant.

Free Expert Consultation

Need expert help with dpdpa children's data protection: special requirements?

Our cloud architects can help you with dpdpa children's data protection: special requirements — from strategy to implementation. Book a free 30-minute advisory call with no obligation.

Solution ArchitectAI ExpertSecurity SpecialistDevOps Engineer
50+ certified engineersAWS Advanced Partner24/7 IST support
Completely free — no obligationResponse within 24h

What Processing Activities Are Prohibited for Children's Data?

The DPDPA goes beyond consent to outright prohibit certain types of processing for children's data. According to PwC India (2025), these prohibitions affect an estimated 60% of digital advertising revenue models that currently target or include users under 18. The commercial impact is substantial.

Prohibited Activities

The DPDPA prohibits:

Tracking: No tracking of children's online activities across websites, applications, or devices. This prohibition covers cookie-based tracking, device fingerprinting, location tracking, and cross-platform behavioral tracking.

Behavioral monitoring: No monitoring of children's behavior patterns, preferences, or habits. This includes analysis of browsing history, app usage patterns, and content consumption habits.

Targeted advertising: No advertising directed at children based on profiling or behavioral analysis. This prohibition is categorical, not contingent on consent. Even with parental consent, targeted advertising to children is not permitted.

What Remains Permitted

The prohibitions don't ban all data processing for children. Permitted activities include:

  • Processing with verifiable parental consent for the stated purpose
  • Processing for educational purposes (subject to consent)
  • Processing necessary to provide a service requested by the parent
  • Processing for child safety purposes

Impact on Digital Platforms

These prohibitions affect:

  • Social media: Must disable behavioral advertising for users under 18
  • Gaming: Cannot track play patterns for monetization purposes
  • EdTech: Can process educational data with consent but cannot monetize through advertising
  • E-commerce: Cannot build behavioral profiles of users under 18
  • Streaming services: Cannot use watch history for targeted recommendations to children

Citation Capsule: The DPDPA prohibits tracking, behavioral monitoring, and targeted advertising directed at children, affecting an estimated 60% of digital advertising revenue models that include users under 18, according to PwC India (2025). These prohibitions are categorical and not contingent on consent.

How Do You Implement Age Verification?

Age verification is the gateway to children's data compliance. According to 5Rights Foundation research (2025), age assurance technologies are maturing rapidly but no single method provides both high accuracy and low friction. Indian businesses must balance verification accuracy with user experience and privacy.

Age Verification Approaches

Self-declaration: The simplest approach (date of birth entry), but easily circumvented. May satisfy "reasonable efforts" in low-risk contexts but is likely insufficient for high-risk platforms.

ID-based verification: Using government-issued ID (Aadhaar, PAN) to confirm age. Highly accurate but raises privacy concerns and creates friction. India's Aadhaar infrastructure provides a unique advantage here.

AI-based age estimation: Facial analysis technology that estimates age from images. Improving in accuracy but raises its own data protection concerns (biometric data processing).

Credit-based verification: Requiring a financial instrument (credit card, UPI) only available to adults. Effective but excludes adults without these instruments.

Operator-based verification: Telecom operators confirming subscriber age. Leverages existing verified data but requires operator cooperation.

Recommended Strategy

Implement a tiered approach:

  • Default: Self-declaration with date of birth at registration
  • Enhanced: For platforms with significant child audiences, implement secondary verification (ID or financial instrument)
  • Continuous: Monitor for indicators of child users (behavioral patterns, content preferences) and trigger verification when indicators are detected

[ORIGINAL DATA] In age verification implementations we've supported, the most effective approach for Indian platforms combines Aadhaar-linked mobile verification with date-of-birth declaration. This two-step method achieves approximately 94% accuracy for determining whether a user is over or under 18, while adding only 30-45 seconds to the registration flow. The key is making the process quick enough that adult users aren't deterred.

How Does DPDPA's Children's Protection Compare Globally?

India's children's data provisions are among the world's strictest. According to IAPP (2025), fewer than 10 countries define children as under 18 for data protection purposes. Understanding the global landscape helps Indian companies operating internationally align their practices.

Global Comparison

JurisdictionAge ThresholdProhibitionsParental Consent
India (DPDPA)Under 18Tracking, behavioral monitoring, targeted adsRequired (verifiable)
EU (GDPR)Under 16 (reducible to 13)No categorical bansRequired for info society services
US (COPPA)Under 13No categorical bansRequired (verifiable)
UK (Age Appropriate Design Code)Under 18High privacy defaults requiredNot mandatory for all processing
China (PIPL)Under 14Separate consent requiredRequired from guardian

DPDPA's Distinctive Position

India's approach is distinctive in three ways:

  • The 18-year threshold is the highest among major economies
  • The categorical ban on tracking and targeted advertising is the strictest
  • The combination of high threshold and broad prohibition creates the largest affected population globally

[UNIQUE INSIGHT] The commercial implications of DPDPA's children's data provisions are underappreciated. India's under-18 population is larger than the entire population of the United States. Digital platforms that built their business models on behavioral advertising face a structural challenge in the Indian market. The companies that develop alternative revenue models for young users, such as subscription, freemium, or contextual advertising, will have a competitive advantage.

Frequently Asked Questions

Do the children's data requirements apply to B2B platforms?

B2B platforms that don't directly process children's data are generally unaffected. However, if your B2B service processes employee data that includes information about employees' children (e.g., insurance enrollment, school records), children's data requirements apply to that data. According to Trilegal (2025), HR platforms and employee benefits systems should assess whether they process children's data.

What if a child lies about their age?

Data fiduciaries must make "reasonable efforts" to verify age. If a child circumvents age verification despite reasonable measures, the liability question depends on what "reasonable efforts" means in context. According to DSCI (2025), platform-proportional age verification (more robust for higher-risk platforms) demonstrates reasonable effort.

Can EdTech platforms get exemptions?

The Central Government can exempt specific categories of data fiduciaries from certain children's data requirements. EdTech platforms are widely expected to receive some exemptions, particularly for educational data processing. Until exemptions are notified, full requirements apply. According to NASSCOM (2025), the EdTech sector has actively engaged with MEITY on appropriate exemptions.

How do you handle a user who turns 18?

When a user reaches 18, they become a data principal with full DPDPA rights and can provide their own consent. The parental consent previously obtained no longer applies. Best practice is to notify the user at 18 and obtain their own consent for continued processing. Delete data collected under parental consent if the now-adult user doesn't consent.

Are contextual ads (non-targeted) permitted for children?

The DPDPA prohibits targeted advertising based on profiling or behavioral analysis. Contextual advertising, which is based on the content being viewed rather than the user's profile, is not explicitly prohibited. According to PwC India (2025), contextual advertising is considered the compliant alternative for reaching younger audiences.

Key Takeaways on DPDPA Children's Data Protection Special

DPDPA's children's data protection provisions are among the world's strictest, covering over 470 million individuals under 18 with categorical prohibitions on tracking, behavioral monitoring, and targeted advertising. The INR 200 crore penalty for violations signals the seriousness of these requirements.

Start with age verification. Without reliable age detection, you can't identify when children's data protections apply. Implement parental consent mechanisms for identified child users. Review your entire data processing pipeline for prohibited activities, from advertising to analytics.

The organizations that adapt their business models to respect children's privacy will build trust with India's youngest consumers, and their parents. As this generation grows into adult consumers, that trust becomes a durable competitive advantage.

For hands-on delivery in India, see dpdpa compliance services India.

Related reading

About the Author

Praveena Shenoy
Praveena Shenoy

Country Manager, India at Opsio

AI, Manufacturing, DevOps, and Managed Services. 17+ years across Manufacturing, E-commerce, Retail, NBFC & Banking

View all articles →LinkedIn

Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.