Processing of children’s personal data under the DPDP Act: what does it means for businesses?

The Digital Personal Data Protection Act, 2023 (DPDP Act) along with the Digital Personal Data Protection Rules, 2025 (DPDP Rules) create the framework for protection of an individual’s privacy in the digital world. The DPDP Act recognizes the sensitivity around the processing of children’s personal data and accordingly, prescribes a higher standard for such processing that promotes safety and security of children.

Under the DPDP Act, an individual below the age of 18 (eighteen) years is classified as a child.^[1] Interestingly, the DPDP Act adopts a more conservative approach to the definition of a child when compared to the European Union’s General Data Protection Regulation which sets the default age threshold at 16 (sixteen) years, with flexibility for EU Member States to lower this threshold to 13 (thirteen) years.

^[1] Section 2(f), DPDP Act.

When processing the personal data of children, a data fiduciary must comply with all obligations that apply to the processing of personal data of data principals generally. In addition, the DPDP Act prescribes certain heightened, child specific safeguards.^[1]

Further, unless an exemption applies, a data fiduciary must comply with the following additional obligations (Additional Obligations):

• Ensure that the processing of a child’s personal data does not cause any detrimental effect on the wellbeing of the child;^[2] (No Detrimental Effect Obligation)
• Obtain verifiable consent of the child’s parent or legal guardian prior to processing the child’s personal data;^[3] (Verifiable Consent Obligation) and
• Refrain from undertaking tracking, behavioural monitoring, or targeted advertising directed at children.^[4] (No Monitoring Obligation)

^[1] Section 9(2), DPDP Act.

^[2] Section 9(1), DPDP Act.

^[3] Section 9(3), DPDP Act.

^[1] Section 9, DPDP Act also prescribes these processing standards for the personal data of persons with disabilities.

Before processing a child’s personal data, the data fiduciary is required to obtain verifiable consent from the child’s parent or the legal guardian.

The DPDP Rules clarify that consent is considered “verifiable” where the data fiduciary is able to authenticate that the individual providing consent is indeed an adult acting on behalf of the child. To achieve this, the data fiduciary must adopt appropriate technical and organizational measures and exercise due diligence.^[1]

The verification of the parent or the legal guardian’s identity may be carried out using the following methods:

• Identity details already available with the data fiduciary;
• Identity details voluntarily provided by the parent or legal guardian; or
• A virtual token issued by an authorised entity.

^[1] Rule 10, DPDP Rules.

Recognizing that strict application of these obligations may not be appropriate in all contexts, the DPDP Act provides for certain exemptions and also empowers the government to grant targeted exemptions from either certain or all Additional Obligations.

• Notification based exemptions: The government may notify that a particular data fiduciary has ensured that its processing activities are carried out in a manner that has been verified to be safe for children. In such cases, the government may specify an age threshold above which the data fiduciary is exempted, partly or wholly, from complying with the Verifiable Consent Obligation and No Monitoring Obligation
• Exemptions for certain classes of data fiduciaries : The DPDP Rules provide exemptions from the Verifiable Consent Obligation and No Monitoring Obligation to identified categories of data fiduciaries when processing personal data for limited purposes, including:
  • Clinical establishments, mental health establishments, and healthcare professionals when processing personal data to provide healthcare services to a child;
  • Allied healthcare professionals when processing personal data to support healthcare treatment or referral plans;
  • Educational institution when tracking or behavioural monitoring is undertaken for educational activities or in the interests of child’s safety;
  • Crèche facilities when tracking or behavioural monitoring is necessary for the safety of children; and
  • Transport facility providers engaged by educational institutions, crèches, or childcare centre when tracking the location of children are in the interest of their safety.
• Purpose-based exemptions[9] : The DPDP Rules exempt data fiduciaries from the Verifiable Consent Obligation and No Monitoring Obligation where children’s personal data is processed for the following purposes:
  • Compliance with any law in the interest of the child;
  • Provision of any subsidy, benefit, or service to the child;
  • Creation of a user account for email communication;
  • Determination of the real-time location of a child in the interest of safety, protection or security;
  • Restricting access to material that may be detrimental to the wellbeing of the child; and
  • Confirmation that a data principal is not a child.
• General exemptions: The DPDP Act also provides for exemptions from certain provisions of the DPDP Act, including the Additional Obligations applicable to the processing of children’s personal data. These exemptions may be granted on the following bases:
  • Specified purpose exemption: Data fiduciaries are exempted from complying with the Additional Obligations where children’s personal data is processed for specified purposes such as enforcement of legal right or claim; prevention, detection, investigation or prosecution of offences; ascertaining financial information of a person who has defaulted their loan payment, among others[10]
  • State exemption: The government may, by notification, exempt any instrumentality of the State from the application of provisions of the DPDP Act where such processing is in the interest of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order, or prevention of incitement to commit cognizable offence[11]
  • General exemption: The government may, by notification, exempt certain data fiduciaries from any or all provisions of the DPDP Act, including the Additional Obligations relating to children’s personal data[12]

[9] Section 9(4), DPDP Act and Rule 12, read with Part B, Fourth Schedule, DPDP Rules.
[10] Section 17(1), DPDP Act.
[11] Section 17(2), DPDP Act.
[12] Section 17(5), DPDP Act.

Failure to comply with the Additional Obligations can attract a penalty of up to INR 200 crore (~ USD 22.16 million) under the DPDP Act.

The DPDP Act’s framework effectively views children’s data as sensitive and signals a clear intent to create a safe digital environment for this category of data principals. Since the DPDP Act places the onus on businesses to proactively assess and redesign their data practices, a few points for consideration are as follows:

• Examine your position: The exemptions discussed above are not all absolute and are subject to certain conditions. Therefore, businesses must carefully examine and understand their positioning from a compliance perspective and then design their consent and other data management systems to be responsive to these different layers of legal requirements.
• Legacy data of children: For legacy data, the DPDP Act requires a data fiduciary to only notify the data principals under Section 5(2) as opposed to issuing a consent based notice, for processing of personal data. Separately, Section 9 requires the data fiduciaries to obtain verifiable consent from the parent/ guardian of children but does not specify whether this is also applicable to legacy data. Therefore, with respect to legacy data of children, businesses will have to issue a one-time notice under Section 5(2) to the parent/ guardian rather than the child.
• Child-focused services require special attention: Businesses offering services primarily to children should evaluate whether they may qualify for a government-notified exemption. Particularly, if a business is undertaking tracking or behavioural monitoring of children or directing targeted advertising to children, it would be important to identify whether such businesses fall under the class of data fiduciaries specified in Part A of Fourth Schedule. Secondly, data fiduciaries processing children’s data as part of their business may also fall under the ambit of Section 9(5) of the DPDP Act. In the run up to the full implementation of the DPDP Act, such businesses should consider proactively engaging with other stakeholders at an industry level and make representations to the government to seek necessary clarifications around the scope and availability of exemptions.

We trust you will find this an interesting read. For any queries or clarifications please write to us at insights@elp-in.com or write to our authors:

Ravisekhar Nair, Partner – Email- – Email – ravisekharnair@elp-in.com

Abhay Joshi, Partner – Email- – Email – AbhayJoshi@elp-in.com

Ketki Agrawal, Principal Associate – Email- ketkiagrawal@elp-in.com

Bhaavi Agrawal, Senior Associate – Email- bhaaviagrawal@elp-in.com