Children's Data Under DPDPA: The Verifiable Consent Conundrum in India
The Digital Personal Data Protection Act (DPDPA), 2023, now operational, marks a significant shift in India’s data privacy landscape. Among its most impactful provisions is Section 9, which lays down stringent requirements for processing the personal data of children. As of May 2026, Data Fiduciaries across sectors are grappling with the practicalities of complying with these mandates, particularly the cornerstone requirement of “verifiable parental consent.” This provision, while crucial for safeguarding minors, presents unique challenges within India’s diverse digital ecosystem.
The Mandate of Section 9: Verifiable Consent and Prohibitions
Section 9 of the DPDPA unequivocally states that a Data Fiduciary must obtain verifiable parental consent before processing the personal data of a child. For the purposes of this Act, an individual below the age of eighteen years is considered a child. This foundational requirement underscores the state’s commitment to protecting minors from potential online harms. Beyond consent, the DPDPA imposes further restrictions: Section 9(3) prohibits Data Fiduciaries from undertaking tracking, behavioural monitoring, or targeted advertising directed at children. This is a progressive step, aiming to shield children from manipulative commercial practices often prevalent on digital platforms.
Crucially, Section 9(4) introduces a provision allowing the Central Government to exempt certain classes of Data Fiduciaries or specific purposes from these requirements, provided such processing is deemed safe for children. This flexibility is vital, potentially allowing for the continued operation of public interest services or educational platforms without undue burden, while still ensuring child safety. However, the default position remains one of strict protection, placing the onus on Data Fiduciaries to demonstrate compliance.
Navigating “Verifiable Consent” in the Indian Digital Landscape
The DPDPA itself, in its current form, does not prescribe specific methods for obtaining “verifiable parental consent.” This critical detail is expected to be elaborated upon in the forthcoming Digital Personal Data Protection Rules. The challenge for Indian businesses lies in implementing mechanisms that are both robust enough to satisfy the “verifiable” standard and practical for India’s vast and varied user base.
Consider the complexities: How does an online educational platform verify that the individual providing consent is indeed the child’s parent or legal guardian? Traditional methods like credit card verification, common in some Western jurisdictions, have limited applicability in India due given lower credit card penetration. Knowledge-based authentication, while possible, carries inherent security risks and can be cumbersome. Digital signatures are not yet universally adopted by the general populace. Relying on an OTP sent to a mobile number raises questions: whose number – the child’s or the parent’s? And how is the relationship verified? The digital divide further complicates matters, as many parents, particularly in rural or semi-urban areas, may lack the digital literacy or access to sophisticated tools required for complex verification processes.
The absence of a universal digital identity system for minors, coupled with the varied levels of digital proficiency among adults, means that any prescribed method in the DPDP Rules must be carefully calibrated. It must balance stringent verification with accessibility, ensuring that genuine guardians can provide consent without undue friction, while preventing fraudulent approvals.
The Role of DPDP Rules and Sectoral Regulators
The specific mechanisms for verifiable parental consent are anticipated to be detailed in the DPDP Rules. These rules will likely outline acceptable methods, perhaps differentiating based on the nature of data processed or the type of service offered. We can expect a tiered approach, where higher-risk data processing might demand more rigorous verification.
Beyond the general rules, sectoral regulators like the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), and Insurance Regulatory and Development Authority of India (IRDAI) are expected to issue their own guidelines for regulated entities dealing with minors’ data. For instance, financial institutions offering services to minors (e.g., bank accounts, insurance policies) will need explicit instructions on how to comply with DPDPA Section 9 while adhering to their existing Know Your Customer (KYC) norms. This layered regulatory approach aims to ensure comprehensive protection.
Globally, privacy frameworks like the GDPR (Article 8) also mandate parental consent for children’s data, requiring “reasonable efforts” to verify the consent. However, the specific socio-economic and technological context of India necessitates bespoke solutions, rather than a direct lift-and-shift of foreign models. India’s challenge is to forge a path that is uniquely Indian, leveraging existing digital infrastructure while addressing its limitations.
Practical Takeaway
For Indian businesses operating as Data Fiduciaries, especially those in sectors like ed-tech, gaming, social media, and e-commerce, proactive preparation is paramount. Begin by undertaking a comprehensive data mapping exercise to identify all instances where children’s personal data is processed. Assess your current age verification and consent mechanisms against the spirit of DPDPA Section 9. While awaiting the granular details from the DPDP Rules, consider implementing multi-factor authentication for parental consent, exploring options like government-backed digital identity proofs (where permissible and secure), or even offline verification methods for high-risk data. Prioritize privacy-by-design principles, ensuring data minimization and robust security measures are embedded from the outset. Training for your Data Protection Officers (DPOs) and relevant staff on these evolving requirements will be crucial to navigate the compliance landscape effectively. The goal is not just compliance, but fostering a safer digital environment for India’s youngest citizens.