The DPDP Act 2023 devotes specific provisions to the protection of children's personal data. This is not a minor compliance footnote - it is a significant obligation that affects edtech platforms, gaming apps, social platforms, healthtech with family plans, and any product likely to be used by minors. The rules are among the most prescriptive in the entire Act, and the penalties among the steepest.
If you have already worked through our consent mechanism guide and privacy notice template, this is the children's-data layer that sits on top of both.
1. Who Is a 'Child' Under the DPDP Act?
A child is defined as a person below the age of 18. This is consistent with Indian majority law (the Indian Majority Act, 1875).
Critically, the Act does not distinguish between a 10-year-old and a 17-year-old - both are children, and both require parental or lawful guardian consent for data processing. There is no graduated "teen" tier as exists in some other jurisdictions.
Under GDPR, the digital-consent age can be as low as 13 (member-state dependent). The DPDP Act's flat threshold of 18 means platforms that treat 13-17 year-olds as adults under a GDPR-style model will have a compliance gap in India. See our GDPR vs DPDP comparison.
2. Key Obligations for Processing Children's Data
Verifiable parental consent is mandatory
Before processing any personal data of a child, you must obtain verifiable consent from the child's parent or lawful guardian. 'Verifiable' is the critical word - you cannot simply ask users to confirm they are over 18. You need a mechanism that can actually verify parental identity and consent: mobile-linked verification (parent's mobile OTP), Aadhaar-based parental verification where applicable, or signed consent forms for institutional deployments such as schools using edtech.
No tracking or behavioural monitoring
The Act prohibits tracking the behaviour of children across websites or applications. No behavioural advertising targeted at children, no cross-platform tracking of children's online activity, and no profiling of children for personalisation based on tracked behaviour. This has significant implications for advertising-supported apps with child users.
No targeted advertising to children
You cannot serve targeted advertisements to children, even with parental consent. This is a blanket prohibition - it is not consent-curable. A parent agreeing to data processing does not unlock the ability to target ads at their child.
No processing likely to cause harm
Data Fiduciaries must ensure that processing does not have any detrimental effect on the well-being of a child. The Act does not enumerate what this includes - but regulators and courts will likely interpret it broadly to cover addictive design patterns, data-driven manipulation, and anything that compromises a child's welfare.
Truly verifiable parental consent at scale is a significant technical challenge - far harder than a self-declared age gate. Plan your approach carefully, document the verification method you chose and why, and get it reviewed by legal counsel before deployment.
3. Which Platforms Are Most Affected?
Edtech platforms
Platforms serving students - from K-12 to competitive exam prep - handle large volumes of children's data. School-authorised deployments may use institutional consent frameworks, but direct-to-consumer platforms need individual parental consent for each child.
Gaming and entertainment apps
If your game or app is likely to be used by minors (even if not designed exclusively for them), you have obligations. 'Likely to be used by children' is a broader standard than 'marketed to children'.
Health and fitness apps with family plans
If you allow parents to create profiles for their children within a family plan, each child profile falls under children's data obligations.
Social and community platforms
Any platform that allows profile creation, content sharing, or communication must address the possibility of child users and implement age verification accordingly.
4. Steps to Build Compliance
Identify your risk exposure
Assess whether children are likely users of your platform. Consider your marketing channels, app store category, content type, and any known minor users.
Implement age verification
Build an age-gate at registration. If the user indicates they are under 18 - or if you cannot verify they are 18+ - route them through the parental consent workflow.
Build the parental consent flow
Design and deploy a verifiable parental consent mechanism. Document the verification method chosen and the rationale, and get it reviewed by legal counsel before deployment.
Audit your data processing practices
Remove all behavioural tracking, profiling, and targeted advertising for identified child users. If you use third-party SDKs for analytics or advertising, ensure they are disabled or configured for child-safe modes.
Review your privacy notice
Your privacy notice must address children's data specifically - what you collect, why, and how parental consent is managed.
5. Penalties for Non-Compliance
Violations related to children's data attract some of the highest penalties under the DPDP Act - up to โน200 crore. The reputational risk is equally severe: child data breaches or misuse attract intense public and media scrutiny, which often causes more lasting commercial damage than the financial penalty itself.
The DPDP Act's children's data provisions are among its most prescriptive. Build the right foundations now - age verification, parental consent flows, and a tracking-free experience for child users - and you will be ahead of most Indian platforms. For the broader obligations, see our guides on breach notification and the rights of data principals.
Building for users under 18?
SecComply helps edtech, healthtech, and consumer platforms build DPDP-compliant programmes - including children's data obligations, verifiable parental consent flows, and tracking-free architectures.
Book a children's data compliance call โFAQ
A child is any person below the age of 18, consistent with the Indian Majority Act, 1875. The Act does not distinguish between a 10-year-old and a 17-year-old - both are children and both require verifiable parental or lawful guardian consent before their personal data is processed.
Before processing any personal data of a child, you must obtain verifiable consent from the child's parent or lawful guardian. 'Verifiable' is the key word - a simple checkbox asking users to confirm they are over 18 is not enough. You need a mechanism that can actually verify parental identity and consent, such as mobile-linked (OTP) verification, Aadhaar-based parental verification where applicable, or signed consent forms for institutional deployments like schools. Achieving truly verifiable consent at scale is a significant technical challenge, so plan and document your method.
No. The prohibition on targeted advertising to children is a blanket ban - it is not curable by parental consent. The Act also prohibits tracking or behavioural monitoring of children across websites and applications, and profiling children for personalisation based on tracked behaviour. These restrictions apply even where a parent has consented to the underlying data processing.
Edtech platforms serving students, gaming and entertainment apps likely to be used by minors, health and fitness apps with family plans where parents create child profiles, and social or community platforms that allow profile creation and content sharing. Importantly, the standard is 'likely to be used by children' - broader than 'marketed to children' - so a platform can have obligations even if minors are not its intended audience.
Violations related to children's data attract some of the highest penalties under the DPDP Act - up to โน200 crore. The reputational risk is just as significant: child data breaches or misuse draw intense public and media scrutiny, which often causes more lasting commercial damage than the financial penalty itself.