Children's Data Protection
Navigate the heightened protections for children's personal data under Section 9 โ verifiable parental consent, behavioural monitoring prohibitions, and the significant โน200 Crore penalty framework.
๐ฏ Introduction
Children are not simply small adults โ they require special protection in the digital world. Their developing cognitive abilities make them particularly vulnerable to manipulation, exploitation, and the long-term consequences of data collection they cannot fully comprehend.
๐๏ธ The Philosophy of Child Protection
As John Locke observed, children are "blank slates" (tabula rasa) โ not yet equipped with the rational faculties to make autonomous decisions. While Locke applied this to education, the principle extends to data protection: children cannot provide meaningful consent because they lack the cognitive development to understand consequences. Parents, as natural guardians, must exercise this judgment on their behalf. This isn't paternalism โ it's recognition of developmental reality.
๐ Section 9: Complete Overview
๐ DPDPA 2023, Section 9 โ Processing of Personal Data of Children
(2) The Data Fiduciary shall not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child.
(3) The Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.
(4) The provisions of sub-sections (1) and (3) shall not apply to processing of personal data of a child by such class of Data Fiduciaries or for such purposes, as may be prescribed."
Four Pillars of Section 9
Verifiable Parental Consent
Consent must come from the parent/guardian and must be verifiable โ not merely claimed.
ยง9(1)No Detrimental Processing
Any processing likely to harm the child's well-being is prohibited regardless of consent.
ยง9(2)No Tracking or Monitoring
Behavioural tracking and monitoring of children is prohibited.
ยง9(3)No Targeted Advertising
Advertising targeted at children based on their personal data is prohibited.
ยง9(3)๐ถ Who is a "Child"?
๐ DPDPA 2023, Section 2(f) โ Definition of Child
๐ The 18-Year Standard
DPDPA adopts the constitutional definition of majority (Article 21A, Juvenile Justice Act) rather than the lower thresholds seen in some jurisdictions. Every individual under 18 is a "child" for data protection purposes โ no exceptions based on "digital maturity" or parental permission to lower the threshold.
Global Age Comparison
โ ๏ธ Compliance Challenge
India's 18-year threshold is among the highest globally. Services that operate with 13+ age gates in the US or EU will need significantly different compliance approaches for India. A 15-year-old American teenager who uses a service freely will be treated as a protected "child" requiring parental consent in India.
โ Verifiable Parental Consent
๐ "Verifiable" โ Not Merely Claimed
The consent must be verifiable โ the Data Fiduciary must have reasonable mechanisms to confirm that consent actually comes from a parent or lawful guardian, not the child themselves clicking "my parent agrees." Self-declaration alone is insufficient.
What Makes Consent "Verifiable"?
While the Rules will prescribe specific methods, international practice suggests these verification approaches:
๐ณ Payment Card Verification
Request small transaction on parent's credit/debit card as identity proof.
โ High assurance, standard method
โ Excludes unbanked parents, friction
๐ Phone Verification
Call to parent's registered phone number with verbal confirmation.
โ Direct human verification
โ Scale challenges, recording issues
๐ง Email Plus
Email to parent with additional verification (security questions, ID upload).
โ Scalable, documented
โ Email access can be faked by child
๐ชช ID Document Upload
Parent uploads government ID establishing identity and relationship.
โ High assurance of identity
โ Privacy concerns, friction
๐ฑ DigiLocker/Aadhaar
Verification through DigiLocker or Aadhaar-based authentication.
โ Government-backed, high trust
โ Not all parents have digital literacy
๐ซ School Verification
Verification through educational institution for EdTech services.
โ Established relationship
โ Limited to educational context
โ Absolute Prohibitions
Section 9(2): No Detrimental Processing
๐ DPDPA 2023, Section 9(2)
โ ๏ธ Examples of Detrimental Processing
โข Collecting data to promote addictive features (infinite scroll, engagement metrics)
โข Processing that enables cyberbullying or harassment
โข Data use that promotes eating disorders, self-harm, or dangerous challenges
โข Age-inappropriate content targeting based on child's data
โข Processing that exploits children's developmental vulnerabilities
โข Collecting data for predatory marketing (gambling, alcohol, tobacco)
Section 9(3): No Tracking, Monitoring, or Targeted Advertising
๐ DPDPA 2023, Section 9(3)
Location Tracking
Continuous or periodic collection of child's location data for profiling purposes.
Behavioural Monitoring
Tracking browsing patterns, app usage, content consumption to build behavioural profiles.
Targeted Advertising
Serving ads based on child's personal data, interests, or behavioural profile.
Profiling
Building profiles about children's preferences, habits, or predicted behaviour.
๐ Permitted vs. Prohibited
Permitted: Contextual advertising (ads based on content being viewed, not the child's profile)
Prohibited: Behavioural advertising (ads based on the child's browsing history, interests, or profile)
Permitted: Parental monitoring apps (parent tracking their own child)
Prohibited: Third-party commercial tracking of children
๐ Exemptions (Section 9(4))
๐ DPDPA 2023, Section 9(4)
The Central Government may prescribe exemptions for certain classes of fiduciaries or purposes. Potential exemptions (to be specified in Rules) may include:
| Potential Exemption | Rationale | Safeguards Expected |
|---|---|---|
| Healthcare Providers | Medical treatment necessitates data processing | Limited to treatment purposes; confidentiality |
| Educational Institutions | Education requires student data processing | Limited to educational purposes; no commercial use |
| Child Safety Services | Platforms monitoring for child abuse, exploitation | Strictly for safety purposes; oversight |
| Government Welfare | Delivery of child welfare benefits, schemes | Statutory basis; purpose limitation |
โ ๏ธ Exemptions Don't Remove All Protections
Even exempt fiduciaries remain bound by ยง9(2) โ the prohibition on detrimental processing. No exemption permits processing that harms children's well-being. Additionally, all other DPDPA obligations (security, breach notification, etc.) continue to apply.
๐ Global Comparison
| Aspect | DPDPA (India) | COPPA (USA) | GDPR (EU) |
|---|---|---|---|
| Age Threshold | 18 years | 13 years | 16 years (Member States can lower to 13) |
| Parental Consent | Verifiable consent required | Verifiable parental consent | Consent "given or authorised" by holder of parental responsibility |
| Tracking Prohibition | Explicit prohibition (ยง9(3)) | Not explicitly prohibited but limited by consent | Not explicitly prohibited but subject to GDPR principles |
| Targeted Ads | Explicitly prohibited (ยง9(3)) | Limited by consent requirements | Subject to consent; DSA prohibits for minors |
| Detrimental Processing | Explicitly prohibited (ยง9(2)) | Not explicit but FTC enforcement | Best interests principle (UK AADC) |
| Maximum Penalty | โน200 Crores (~$24M) | $50,120 per violation | โฌ20M or 4% global turnover |
๐ India's Stricter Approach
India's framework is notably stricter than global peers. The 18-year threshold is higher than most jurisdictions. The explicit prohibition on tracking and targeted advertising goes beyond COPPA and GDPR. The well-being test in ยง9(2) creates a substantive protection standard absent in many laws. This reflects the Srikrishna Committee's concern about children's vulnerability in digital environments.
๐ Practical Implementation
๐ Compliance Checklist for Child Data Processing
1. Age Verification:
โก Implement age gate at registration/first data collection
โก Use appropriate verification method (not just self-declaration)
โก Document age verification process for audit
2. Parental Consent:
โก Design verifiable parental consent mechanism
โก Maintain records of consent obtained
โก Enable parents to review, modify, withdraw consent
3. Tracking & Advertising:
โก Disable behavioural tracking for child users
โก Remove children from targeted advertising segments
โก Switch to contextual advertising only
4. Well-being Assessment:
โก Review all processing activities for detrimental effects
โก Conduct child impact assessments for new features
โก Implement safeguards against addiction, manipulation
5. Privacy by Design:
โก Default to maximum privacy settings for children
โก Minimize data collection to what's strictly necessary
โก Shorter retention periods for children's data
โ ๏ธ Common Implementation Pitfalls
โข Self-declaration age gates: "Click here if you're 18+" is insufficient verification
โข Parent email only: Children can create fake parent emails
โข Treating 16-17 year olds as adults: DPDPA protects all under-18s equally
โข Assuming B2B exemption: EdTech selling to schools still processes children's data
โข Ignoring embedded trackers: Third-party SDKs may track children unknowingly
๐ฏ Key Takeaways
18-Year Threshold
Everyone under 18 is a "child" โ higher than most global standards.
Verifiable Consent
Parental consent must be verifiable โ self-declaration insufficient.
Tracking Prohibited
No behavioural monitoring or tracking of children allowed.
No Targeted Ads
Targeted advertising to children is explicitly prohibited.
Well-being Test
Processing harmful to child's well-being prohibited regardless of consent.
โน200 Crore Penalty
Significant penalties reflect seriousness of child protection.