
Protecting children in the digital realm is a global priority, and India’s Digital Personal Data Protection Act, 2023 (DPDPA) places specific, stringent obligations on businesses (Data Fiduciaries) when processing the personal data of individuals under the age of 18. The Act gives dedicated attention to this sensitive area, introducing requirements for verifiable parental consent and imposing outright prohibitions on certain types of processing directed at children. Non-compliance can attract severe penalties of up to ₹200 Crore, making this a critical area for businesses to focus on.
This article outlines the key provisions concerning children’s data under DPDPA, focusing on verifiable consent, strict processing prohibitions, and potential exemptions.
Who is a “Child” under DPDPA?
The DPDPA provides a clear and broad definition: a “child” is any individual who has not completed eighteen years of age. This threshold is notably higher than the default under GDPR (which is 16 years, reducible to 13 by member states), signifying a more protective stance in the Indian context.
The Cornerstone: Verifiable Parental Consent
Before processing any personal data of a child, a Data Fiduciary must obtain verifiable consent from the parent of such child or their lawful guardian. This is a non-negotiable first step.
What is “Verifiable”?
The Act requires consent to be obtained “in such manner as may be prescribed.” The term “verifiable” implies a duty on the Data Fiduciary to take reasonable steps to ensure that the consent obtained is genuinely from a parent or lawful guardian who is an identifiable adult.
While the finalised DPDP Rules will provide definitive methods, the Draft DPDP Rules offer some insight into what might be considered verifiable:
- Relying on reliable identity and age details already available with the Data Fiduciary about the parent
- Voluntarily provided identity/age details from the parent or a virtual token (e.g., from a Digital Locker service provider or another government-entrusted entity) that confirms the parent is an identifiable adult
The Challenge: Implementing truly robust and universally accessible verifiable consent mechanisms can be operationally complex, especially in the absence of a widespread, universal digital identity system for parents that easily links to their children for this purpose. Businesses will need to design processes (which might involve age prompts, dedicated parental portals, or integrations with prescribed verification services) that meet this standard once fully defined by the Rules.
Strict Prohibitions: What Data Fiduciaries CANNOT Do With Children’s Data
Even if verifiable parental consent is obtained, the DPDPA explicitly prohibits certain activities involving children’s personal data:
1. No Processing Likely to Cause Detrimental Effect
A Data Fiduciary “shall not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child.”
The term “detrimental effect” is not explicitly defined in the Act, creating some ambiguity. However, it implies a proactive duty on Data Fiduciaries to assess potential harms that go beyond mere privacy violations. This could include mental health impacts, exposure to inappropriate content, or other forms of harm to a child’s overall well-being.
2. No Tracking or Behavioural Monitoring of Children
Data Fiduciaries “shall not undertake tracking or behavioural monitoring of children.”
3. No Targeted Advertising Directed at Children
Data Fiduciaries cannot engage in “targeted advertising directed at children.”
These prohibitions are strong and, importantly, cannot be overridden by parental consent alone. Businesses, particularly those in sectors like EdTech, gaming, social media, and any platform catering to younger users, must critically evaluate their current practices. Activities such as personalised recommendations based on behaviour, or any form of ad targeting towards users identified as children, will need to cease or be significantly modified to ensure compliance.
Potential Exemptions: A Glimmer of Flexibility?
The DPDPA allows the Central Government to grant certain exemptions from some of these stringent requirements for children’s data:
Exempt Entities/Purposes
The government may, by notification, exempt certain classes of Data Fiduciaries or specific processing purposes from the requirement of parental consent and the prohibitions on tracking, behavioural monitoring, and targeted advertising.
The Draft DPDP Rules suggest potential exemptions for entities like educational institutions or healthcare providers processing children’s data for specific, beneficial purposes (e.g., for health protection without parental consent in certain contexts, or for educational services). These exemptions, if finalised, will likely come with their own set of conditions.
Age Relaxation for “Verifiably Safe” Processing
If the Central Government is satisfied that a Data Fiduciary processes children’s data in a “verifiably safe manner,” it may, by notification, specify an age below 18 for that Fiduciary. For children above this notified age (but still below 18), that Fiduciary may be exempt from some or all of the children-specific obligations.
The criteria for what constitutes “verifiably safe” processing are yet to be defined and will be crucial for organisations hoping to avail this flexibility.
It is critical for businesses to assume the core obligations apply fully unless and until specific exemptions are officially notified and clearly applicable to their operations.
Actionable Steps for Businesses
To navigate the DPDPA’s requirements for children’s data, businesses should:
1. Identify Child Users
Implement appropriate age verification mechanisms to identify users under 18. The robustness of these mechanisms should be proportionate to the risks involved in the data processing.
2. Develop Verifiable Consent Flows
Design and implement robust processes for obtaining and verifying parental/guardian consent before any processing of a child’s personal data begins. Keep an eye on the finalised DPDP Rules for prescribed methods.
3. Audit Processing Activities Involving Children
Scrutinise all data processing activities involving users identified as children. Immediately cease any activities that constitute prohibited tracking, behavioural monitoring, or targeted advertising directed at children. Proactively assess and mitigate any potential “detrimental effects.”
4. Review Third-Party Integrations
Ensure any third-party tools or services (like analytics platforms or ad networks) used on platforms accessed by children also comply with the DPDPA’s prohibitions related to children’s data.
5. Monitor for Exemptions
Stay updated on official government notifications regarding potential exemptions that may apply to your sector or specific processing activities.
6. Maintain Diligent Documentation
Keep thorough records of your age verification methods, parental consent mechanisms (including proof of verification), and your assessments regarding potential detrimental effects and prohibited activities.
Conclusion: Heightened Sensitivity, Heightened Responsibility
The DPDPA treats children’s personal data with heightened sensitivity, reflecting a global trend towards stronger protections for young digital citizens. The mandate for verifiable parental consent and the strict prohibitions on detrimental processing, tracking, monitoring, and targeted advertising impose significant responsibilities on Data Fiduciaries.
While potential exemptions may offer some flexibility in the future, businesses must currently operate on the assumption that these core obligations apply rigorously. Proactive assessment of data practices, careful redesign of consent and processing flows, and meticulous documentation are crucial for navigating these requirements and avoiding severe penalties. Prioritising the well-being and privacy of children is not just a legal obligation under DPDPA but a fundamental ethical imperative.
Disclaimer: The information provided in this article is for general informational purposes only and does not constitute legal advice. The content is based on the Digital Personal Data Protection Act, 2023, and the Draft DPDP Rules, which are subject to change. For advice on specific legal issues, please consult a qualified legal professional.