Processing children’s personal data under the DPDPA

The Digital Personal Data Protection Act, 2023 (DPDPA) defines a ‘child’ as an individual below 18 years of age. While limited exemptions have been set out in the Digital Personal Data Protection Rules, 2025 (DPDP Rules), obtaining verifiable parental consent is mandatory in all other instances before processing children’s personal data. This article explores the various legal ambiguities and operational roadblocks that organisations may face while calibrating their onboarding processes and consent management workflows for processing children’s personal data.

The comparatively high age threshold and the absence of graded treatment present their own set of challenges. For instance, the DPDPA requires data fiduciaries to treat a 17-year-old accessing educational content identically to a 9-year-old accessing a gaming platform. This approach ignores the differences in cognitive development, digital literacy, and risk exposure. This is particularly concerning in sectors like edtech where personalised learning and engagement metrics will be non-compliant despite serving legitimate educational purposes. The absence of age-based graded legal requirements will compel organisations to deploy the same measures irrespective of the risk and harm associated with their offerings.

To obtain verifiable parental consent, data fiduciaries must authenticate parental identity and establish the legal relationship with the child. To minimise compliance risks, data fiduciaries may turn to processing sensitive details such as government IDs. This will create a fundamental paradox: Data fiduciaries end up collecting and processing substantial volumes of sensitive information to comply with a law that espouses data minimisation as a core principle.

The DPDP Rules permit data fiduciaries to process personal data (without parental consent) solely to verify whether an individual is a child or not. Heavy reliance on self-declaration will be counterproductive in a country like India where parents often rely on their children to navigate online offerings. Further, the DPDP Rules take a rather vague approach while prescribing permissible verification methods, unlike the COPPA (USA) which lists out various acceptable methods that are actively reviewed and updated by the Federal Trade Commission.

The prohibition on behavioural monitoring and tracking of children, may limit the ability of online platforms and intermediaries to deploy adequate and appropriate safety measures to protect children. There can also be friction between these obligations and the recent mandates relating to synthetic media which require SSMIs to deploy tools to review content and undertake labelling checks. While the central government has the power to lower the age threshold and dilute the prescribed prohibitions, it remains to be seen how this power will be utilised.

The high cost of compliance will adversely impact early-stage companies that require processing of children’s data in high volumes. According to reports, Aadhar e-KYC costs ₹3 per check. The use of DigiLocker and other government-based ID verification will cost even more.

The DPDPA reposes all risks and liabilities with data fiduciaries. Under traditional B2B technology agreements, data processors operated under broad indemnification protections, with liability caps often limited to annual agreement values. This arrangement will no longer work where processors process children’s personal data, and comprehensive re-negotiation may be required.

The DPDPA's child data protection framework represents a significant departure from global standards. Aside from the high financial stake, there is also the possibility of significant reputational fallout. Organisations must carefully navigate these legal ambiguities while implementing verification workflows, designing audit trails, and creating silos and separate channels, for processing children’s personal data.

(The views expressed are personal)

This article is authored by Lagna Panda, partner, at AP & Partners.