Ensuring Child Safety under the DPDPA

November 25, 2025
Ensuring Child Safety under the DPDPA

By Vikrant Rana, Anuradha Gandhi and Prateek Chandgothia

Introduction

Indian law defines a ‘child’ as an individual under the age of 18. According to UNICEF, children make up approximately 39% of India’s total population.[1] As per a 2024 report by the Assam Police, one in four internet users in India is a child. This means that a substantial 25% of the population using Internet in India is below the age of 18.[2] These statistics indicate a growing concern of safeguarding children’s digital presence and identity in India. The Digital Personal Data Protection Act, 2023 (hereinafter referred to as ‘DPDPA’) and the Rules made thereunder (hereinafter referred to as ‘DPDP Rules’) addresses these concerns by providing additional protection to Children’s Personal Data. This article will discuss the provisions related to Children’s data under the DPDPA in conjunction with other relevant laws and if the same is sufficient to protect children in the cyberspace.

(To read more on online harms affecting children, refer to – https://ssrana.in/articles/openais-report-triggers-ethical-ai-concerns-1-2-million-users-seek-self-harm-related-advice-from-chatgpt/ )

Key Compliances for Processing Children’s Data under DPDPA

The DPDPA maintains the legal status quo with other Indian laws by defining a ‘child’ as an individual below the age of 18. Section 9 of the DPDPA lays down key requirements for Data Fiduciaries (hereinafter referred to as ‘DF’) to comply with prior to processing personal information (hereinafter referred to as ‘PI’) of a child:

  1. Ensure Parental Consent – The DPDPA mandates that a DF must obtain a verifiable consent from the Parent or lawful guardian of a child before processing her PI. [3]This must be done through ‘appropriate technical and organizational measures’ including Digital Locker Service Providers as notified by the Central Government. [4]
  2. Certain Consequential and Purposive Prohibitions – DPDPA prohibits the DFs from undertaking such processing of personal data that is likely to cause any detrimental effect on the well-being of a child. This includes processing PI for tracking, behavioral monitoring and targeted advertising directed at children. This is, however, a limited prohibition which is subject to the exemptions laid down under Rule 12 and Schedule 4 of the DPDP Rules.

(To read more on safeguarding children’s data under DPDPA, refer to – https://ssrana.in/articles/safeguarding-childrens-data-under-dpdp-law/ )

Permissible processing of Children’s PI under the DPDPA

In certain cased, a DF may not be required to obtain verifiable consent of a Parent and the Prohibitions related processing of children’s PI shall not apply. These exemptions include:

  1. Protecting children’s Health – Clinical establishments, mental health establishments, healthcare or allied healthcare professionals are exempted from obtaining verifiable consent of the parent or lawful guardian and other prohibitions pertaining the children’s PI as stated above. However, purposes of PI processing by such DFs shall be limited to the extent necessary for the protection of the child’s health.
  2. Fostering Effective and Efficient Education – Educational Institutions are permitted to process PI of children for tracking and behavioral monitoring for educational activities or in the interest of safety of the children enrolled with such educational institution.
  3. Safety of Children in Day Care – DPDPA permits processing of children’s PI by such institution which is entrusted with children’s care and operates as a crèche or day care. Such institution may track or monitor the behavior of the children in the interest of safety of such children.
  4. Secure Transportation for children – A DF who is entrusted with the transportation of children enrolled in an educational institution, crèche or day care may process their PI for real time location tracking during the course of travel to and from such institution. This processing shall not be detrimental to the interests of the children.
  5. Exemptions along with strict purposive limitation – DPDPA permits certain exemptions on the basis of the purpose of processing children’s PI. These exemptions shall be available to all DFs irrespective of the nature and scope of the business activities if the purpose of processing are:
    1. To safeguard the interest of the child as per the law in force.
    2. Real time location monitoring for safety and protection of the child,
    3. Creation of a user account for communicating by email and;
    4. To Confirm the Parent is an adult while obtaining verifiable consent.
    5. To restrict the information which is detrimental on the well-being of the child.
    6. Providing any benefit or subsidy in the interest of the child.

These exemption are strictly restricted to the specified purposes and upholding the interests and safety of the child.

Content Moderation for Child Safety[5]

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (hereinafter referred to as ‘IT Rules’) lay down some important provisions regulating the online curated content on social media and OTT platforms to ensure welfare and safety of children.

  1. Content Moderation for Minors – Rule 3 of mandates all Intermediaries to take reasonable efforts to prevent uploading of any content on their platform which may cause harm or any effect which is detrimental to a child.
  2. Age based Content Classification – The IT rules mandates access control mechanisms such as parental locks for online curated content classified as U/A 13+ and reliable age verification mechanism for viewership of such content for content classified as ‘A’. These requirements address the concerns around ensuring Children’s safety and best interests while viewing Online curated content.

(To read more privacy aspects of children’s data, refer to – https://ssrana.in/articles/digital-footprints-and-little-steps-why-privacy-matters-for-children/ )

Key Concerns and Comparison with Global Frameworks

  1. Addressing the Teenage Discretion and Lack of Digital Literacy of Parents

    2. The DPDPA has not altered the age of majority, keeping it as 18 years, while mandating verifiable parental consent. While this age limit might serve well for the level of digital literacy in India, certain jurisdictions like the EU, UK and US prescribe lower age limits for children. The Article 8 of the General Data Protection Regulation (hereinafter referred to as ‘GDPR’) defines a child to be below the age of 16 while the Children’s Online Privacy Protection Act[6] (hereinafter referred to as ‘COPPA’) of the US prescribes this age limit to be below 13 years. The UK’s Age Appropriate Design Code[7] (hereinafter referred to as ‘AADC’) gives a schedule linking the age brackets with the development stages:

    • 0 – 5: pre-literate and early literacy
    • 6 – 9: core primary school years
    • 10-12: transition years
    • 13-15: early teens
    • 16-17: approaching adulthood

    This schedule indicates that different and varying measure may be implement to ensure children’s safety based on the target age groups. This mechanism takes into consideration the greater capacity of children in their late teens to give informed consent pertaining to their own personal information. By this age many children have developed reasonably robust online skills, coping strategies and resilience.[8] For example, children in the age group of 16-17 years may be considered more capable of giving informed consent when compared with children in the other age brackets. This may also solve the issue of Indian households where Parents are not as digitally literate and struggle with technology usage.

  2. Cross Border Transfers

    3. Section 16 of the DPDPA and Rule 15 of the DPDP Rules govern and regulate the cross border transfer of all Personal Information. The provisions, presently, do not put any restrictions on the cross border transfer, but gives the power to the Central Government to issue any such restrictions as and when required. There are no specific prohibitions on the transfer of children’s data outside the territory of India. However, the Organizations located abroad but processing PI of children in India and providing goods and services within the territory of India must comply with the provisions of the DPDPA.

  3. Age verification mechanisms

    4. One of the major challenges in enforcing the obligations related to children’s PI is implementing adequate and effective age verification mechanisms. Currently, Rule 10 of the DPDP Rules mentions obtaining verifiable parental consent through Digital Locker services notified by the Central Government but does not provide any clear procedure or protocols for the same. Here a reference can be made to the COPPA which mentions multiple methods to obtain verifiable parental consent under § 312.5. Some of the feasible methods are as follows:

    1. Consent form to be signed by the parent and returned to the operator by postal mail, facsimile, or electronic scan
    2. Requiring a parent, in connection with a transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder
    3. Having a parent call a toll-free telephone number staffed by trained personnel
    4. Having a parent submit a government-issued photographic identification that is verified to be authentic and is compared against an image of the parent’s face taken with a phone camera or webcam using facial recognition technology and confirmed by personnel trained to confirm that the photos match; provided that the parent’s identification and images are promptly deleted by the operator from its records after the match is confirmed

    One of the interesting methods mentioned by COPPA is verifying a parent’s identity using knowledge-based authentication. This may be through dynamic, multiple-choice questions, where there are a reasonable number of questions with an adequate number of possible answers such that the probability of correctly guessing the answers is low. However it must be ensured that the questions are of sufficient difficulty that a child of age 12 or younger (the age limit under COPPA) in the parent’s household could not reasonably ascertain the answers.[9]

  4. Child Centric Design Obligations

    5. Currently the DPDPA does not mention specific standards or guidelines for website or app design making them suitable for children. For this, Organizations may draw reference from UK’s AADC which provides guidance on designing online resources suitable for children’s access.

    1. Provide ‘bite-sized’ explanations at the point at which use of personal data is activated
    2. Present Information through diagrams, cartoons, graphics, video and audio content, and gamified or interactive content that will attract and interest children, rather than relying solely on written communications.
    3. Provide ‘high privacy’ default settings which means that unless the setting is changed, your own use of the children’s personal data is limited to use that is essential to the provision of the service. Additionally, ensure geolocation options are off by default.
    4. You should not use nudge techniques to lead or encourage children to activate options that mean they give you more of their personal data, or turn off privacy protections.
    5. Nudges towards high privacy options, wellbeing enhancing behaviors and parental controls and involvement should support the needs of children.

    These are some of the design practices which may be adopted by the Organizations who process children’s PI.

(To read more on the importance of privacy elements in platform’s UX, refer to – https://ssrana.in/articles/ai-chats-became-public-records-privacy-crisis-unfolds/ )

[1] https://data.unicef.org/how-many/how-many-children-under-18-are-there-in-india/

[2] https://www.sentinelassam.com/topheadlines/one-in-every-4-children-in-india-is-an-internet-user#:~:text=Social%20share,the%20state%20police%20force%20said

[3] Section 9, DPDPA

[4] Rule 11, DPDP Rules

[5] https://www.meity.gov.in/static/uploads/2024/02/Information-Technology-Intermediary-Guidelines-and-Digital-Media-Ethics-Code-Rules-2021-updated-06.04.2023-.pdf

[6] https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312

[7] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/code-standards/

[8] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/annex-b-age-and-developmental-stages/

[9] https://www.ecfr.gov/current/title-16/part-312#p-312.5(b)(2)(vi)

More Articles

  1. India’s First Smell Trademark: CGPDTM Accepts Rose Fragrance for Tires
  2. Effect of Digital Personal Data Protection Rules, 2025 on AI Regulation
  3. India’s New Labour Codes: A Comprehensive Overview for Employers
  4. From Apprehension to Action: Delhi HC on Limits of Quia Timet Actions
  5. “WOW” Gets Its Due – Family of Marks Doctrine Reaffirmed
  6. Delhi High Court Protects “Barbie” from Initial Interest Confusion
For more information please contact us at : info@ssrana.com