1. Introduction to Children's Data Protection
The DPDPA 2023 recognizes that children require special protection in the digital environment. Section 9 establishes a comprehensive framework for processing children's personal data, with requirements that go beyond those applicable to adult data principals.
The heightened protections reflect the vulnerability of children, their limited capacity to understand data processing implications, and the need to protect them from exploitation in the digital ecosystem.
Definition of Child (Section 2(f))
"Child" means an individual who has not completed the age of eighteen years.
Important Note
Unlike some jurisdictions that use a lower age threshold (such as GDPR's 16 years with member state flexibility down to 13 years, or COPPA's 13 years in the US), India's DPDPA sets the threshold at 18 years, aligning with the Indian Majority Act, 1875.
2. Verifiable Parental Consent
Parental Consent Requirement (Section 9(1))
Before processing any personal data of a child, a Data Fiduciary shall obtain verifiable consent of the parent or lawful guardian of the child.
2.1 What is Verifiable Consent?
Verifiable consent means consent that the data fiduciary can demonstrate was obtained from a parent or lawful guardian through a reasonable method of verification. The consent must be:
- Authentic: Actually given by parent/guardian, not the child
- Verified: Reasonable steps taken to confirm identity
- Documented: Records maintained for accountability
- Informed: Parent made aware of processing details
- Specific: For identified purposes of processing
2.2 Methods of Verification
| Method | Description | Suitability |
|---|---|---|
| Aadhaar-based verification | OTP or biometric verification of parent | High reliability |
| Video verification | Live video call with parent | Moderate to high |
| Government ID verification | Upload and verification of parent's ID | Moderate reliability |
| Credit card verification | Small charge to parent's credit card | Limited use cases |
| Signed consent form | Physical or electronic signature | Lower reliability |
| Knowledge-based verification | Questions only parent would know | Supplementary method |
Implementation Example: Educational App
An educational app for students implements the following verification flow:
Step 1: Child creates account with parent's email/phone
Step 2: Parent receives verification link
Step 3: Parent verifies identity via Aadhaar OTP or ID upload
Step 4: Parent reviews data collection notice
Step 5: Parent provides consent for specific purposes
Step 6: System records verification and consent
Step 7: Child's account activated with parent dashboard access
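The flow above, sketched as a default-deny consent gate. This is an added example, not code from the DPDPA or from any real app. The field names, signing key, 24-hour link lifetime and purpose labels are assumptions, and the gate also refuses the tracking and targeted-advertising purposes that Section 9(2) prohibits for children.

```python
import hashlib, hmac
from dataclasses import dataclass, field

LINK_KEY = b"constructed-demo-key"      # assumption: server-side secret, constructed
LINK_TTL = 24 * 3600                    # assumption: verification link valid for 24 hours
BANNED_FOR_CHILDREN = {"behavioral_tracking", "targeted_advertising"}  # Section 9(2)

@dataclass
class ChildAccount:
    account_id: str
    parent_contact: str
    state: str = "pending_parent"       # Step 1: created, not yet active
    purposes: frozenset = frozenset()
    audit: list = field(default_factory=list)

def _mac(acct, exp):
    msg = f"{acct.account_id}|{acct.parent_contact}|{exp}".encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()

def make_link_token(acct, now):
    """Step 2: token bound to the account, the parent contact and an expiry."""
    exp = str(int(now) + LINK_TTL)
    return exp + "." + _mac(acct, exp)

def token_valid(acct, token, now):
    exp, _, mac = token.partition(".")
    same = hmac.compare_digest(mac.encode(), _mac(acct, exp).encode())
    return same and exp.isdigit() and now < int(exp)

def record_consent(acct, token, id_method, notice_version, purposes, now):
    """Steps 3-7: activate only if every precondition holds; log each attempt."""
    purposes = frozenset(purposes)
    ok = (acct.state == "pending_parent"                 # no replay after activation
          and token_valid(acct, token, now)
          and id_method in {"aadhaar_otp", "id_upload"}  # Step 3
          and bool(notice_version)                       # Step 4: notice was shown
          and bool(purposes)                             # Step 5: specific purposes
          and not purposes & BANNED_FOR_CHILDREN)
    acct.audit.append({"at": now, "ok": ok, "id_method": id_method,   # Step 6
                       "notice": notice_version, "purposes": sorted(purposes)})
    if ok:
        acct.state, acct.purposes = "active", purposes   # Step 7
    return ok

def may_process(acct, purpose):
    """Gate to call before any processing of the child's data."""
    return (acct.state == "active" and purpose in acct.purposes
            and purpose not in BANNED_FOR_CHILDREN)
```

Binding the link token to the parent contact means a link issued for one account cannot be replayed against another, and failed attempts land in the same audit trail as the successful one.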
3. Prohibition on Behavioral Monitoring
Tracking and Monitoring Ban (Section 9(2))
The Data Fiduciary shall not undertake tracking or behavioral monitoring of children or targeted advertising directed at children.
3.1 What is Prohibited
Prohibited Activities
- Behavioral tracking: Monitoring browsing patterns, app usage, online behavior
- Profiling: Creating profiles based on children's activities or preferences
- Targeted advertising: Serving personalized ads based on child's data
- Recommendation algorithms: Content personalization based on behavioral data
- Cross-site tracking: Following children across websites/apps
- Location tracking: Beyond what is strictly necessary
3.2 Permissible Activities
Not all data processing involving children is prohibited. The following may be permissible:
- Processing necessary for providing the service (with parental consent)
- Contextual advertising (non-personalized, based on content being viewed)
- Safety and security measures to protect children
- Educational content delivery
- Age-appropriate content filtering
- Parental control features
Penalty for Violation
Processing personal data of a child in breach of Section 9 can attract a penalty of up to Rs 200 crore. Organizations targeting children must implement robust compliance measures and document their approach to children's data protection.
4. Age Verification Mechanisms
Implementing verifiable parental consent requires effective age verification to identify when a user is a child.
4.1 Age Determination Methods
| Method | How It Works | Limitations |
|---|---|---|
| Self-declaration | User enters date of birth | Easily circumvented |
| Age gate | Confirmation of age above threshold | No verification |
| ID verification | Upload government ID | Privacy concerns |
| AI-based estimation | Facial analysis technology | Accuracy concerns |
| Credit/debit card | Card holder typically 18+ | Not universal access |
| Third-party verification | Identity verification services | Additional cost/friction |
4.2 Proportionate Approach
Age verification methods should be proportionate to the risk:
- Low risk processing: Self-declaration with parental verification for minors
- Medium risk processing: Documentary verification
- High risk processing: Robust identity verification
- Adult content/services: Stringent age verification
5. Persons with Disabilities
Section 9(3) extends similar protections to persons with disabilities who have lawful guardians acting on their behalf.
Persons with Disabilities (Section 9(3))
The provisions of this section shall apply with necessary modifications to processing of personal data of a person with disability who has a lawful guardian acting on her behalf.
5.1 Key Considerations
- Lawful guardian: Guardian appointed under applicable law (Rights of Persons with Disabilities Act, 2016)
- Scope: Only applies where guardian is acting on behalf of person with disability
- Capacity: Relevant where person lacks legal capacity to consent
- Consent: Guardian provides consent on behalf of the person
- Rights exercise: Guardian may exercise data principal rights
Balancing Autonomy and Protection
Not all persons with disabilities require guardian consent. Many can and should provide their own consent. The provisions apply only where a lawful guardian is acting on behalf of the person, typically in cases of intellectual disabilities affecting legal capacity.
6. Exemptions for Certain Classes
Section 9(4) provides for exemptions from the strict requirements of Section 9 for certain classes of data fiduciaries or purposes.
Exemption Provision (Section 9(4))
The Central Government may, by notification, exempt certain classes of Data Fiduciaries from the requirements of verifiable parental consent and the prohibition on tracking/behavioral monitoring.
6.1 Potential Exemption Categories
| Category | Rationale for Exemption |
|---|---|
| Healthcare providers | Emergency treatment, health monitoring |
| Educational institutions | Educational delivery, academic records |
| Government welfare programs | Child welfare services, benefits delivery |
| Child safety services | Missing children, abuse prevention |
| Age-appropriate services | Services designed for children's benefit |
7. Sensitive Personal Data - DPDPA Approach
Unlike the GDPR, which defines "special categories" of sensitive personal data with additional protections, the DPDPA 2023 does not create a separate category of sensitive personal data.
7.1 No Sensitive Data Category
DPDPA treats all personal data uniformly, without distinction based on sensitivity. This is a significant departure from:
- GDPR's special categories (racial origin, political opinions, religious beliefs, health data, etc.)
- Earlier Indian IT Rules 2011 which defined sensitive personal data
- Most global data protection frameworks
7.2 Implications
| Aspect | DPDPA Approach | GDPR Approach |
|---|---|---|
| Health data | Regular personal data | Special category - explicit consent |
| Biometric data | Regular personal data | Special category - explicit consent |
| Financial data | Regular personal data | Not special category |
| Religious data | Regular personal data | Special category - explicit consent |
Practical Implication
While DPDPA does not mandate different treatment for sensitive data, organizations should still apply higher standards of protection as a matter of best practice. The penalty regime and breach notification requirements apply equally, and processing highly sensitive data may attract greater regulatory scrutiny.
8. Compliance Checklist for Children's Data
Implementation Checklist
- Implement age verification mechanism at registration/data collection
- Develop verifiable parental consent process
- Create parent dashboard for consent management
- Disable behavioral tracking for users identified as children
- Disable targeted advertising for children's accounts
- Implement content moderation for child-accessible services
- Train staff on children's data requirements
- Document compliance measures and maintain records
- Regular audit of children's data processing practices
- Clear privacy notice specifically for parents/guardians
9. Key Takeaways
Summary Points
- A child is defined as an individual under 18 years under DPDPA
- Verifiable parental consent is required before processing children's data
- Behavioral tracking of children and targeted advertising to children are prohibited
- Age verification mechanisms must be implemented
- Similar protections apply to persons with disabilities with lawful guardians
- Central Government may exempt certain categories from strict requirements
- DPDPA does not create a separate sensitive personal data category
- Penalties up to Rs 200 crore for violating children's data provisions