Navigating Children's Data: Verifiable Parental Consent Under DPDPA Section 9

The Digital Personal Data Protection Act, 2023 (DPDPA), now fully operational with its accompanying rules, marks a pivotal shift in India’s data governance landscape. Among its most critical provisions is Section 9, dedicated to the processing of children’s data, which mandates verifiable parental consent. As of June 2026, Indian businesses are grappling with the practicalities of implementing these requirements, balancing robust protection for minors with the realities of digital engagement in a diverse nation.

The Mandate of Verifiable Parental Consent

Section 9 of the DPDPA establishes a stringent framework for handling personal data of individuals under the age of eighteen, defining them as “children.” Specifically, Section 9(1) stipulates that a Data Fiduciary can only process a child’s personal data after obtaining verifiable consent from their parent or lawful guardian. This blanket requirement for individuals under 18 stands in contrast to regulations like the GDPR, where the age of digital consent is set at 16, with Member States having the flexibility to lower it to 13. India’s uniform approach aims for maximum protection, reflecting a broader societal emphasis on safeguarding minors.

Crucially, Section 9(2) places an additional obligation on Data Fiduciaries: they must not process children’s data in a manner that is likely to cause detriment to the child’s well-being. This principle-based requirement goes beyond mere consent, demanding a proactive assessment of potential harm, including adverse psychological, physical, or developmental impacts. Furthermore, Data Fiduciaries are prohibited from undertaking tracking or behavioural monitoring of children, or targeted advertising directed at them. This significantly curtails common data monetisation practices when applied to minors.

Operationalising “Verifiable Consent” in the Indian Context

The DPDPA Rules, now in effect, elaborate on the methods and standards for achieving “verifiable parental consent.” The challenge for Indian businesses lies in implementing these methods effectively across a vast user base with varying levels of digital literacy and access. While the rules aim for flexibility, common approaches emerging include:

1. Age-Gating and Layered Verification: Most online services now implement clear age-gating mechanisms. If a user identifies as a child, the platform must then initiate a verification process for parental consent. This often involves requesting a parent’s email address or phone number to send an OTP or a link to a consent form.
2. Payment-Based Verification: For services involving financial transactions, a small, refundable charge to a parent’s credit or debit card can serve as a strong indicator of parental involvement, a method seen in some global jurisdictions and now being adopted in India.
3. Government ID Linkage (with safeguards): While direct Aadhaar-based verification for children’s consent raises significant privacy concerns, the rules may permit linking to a parent’s verified digital identity (e.g., through Digilocker) under strict conditions, ensuring the child’s data is not directly tied to the parent’s identity for processing purposes.
4. Declaration and Manual Review: For certain low-risk or educational services, a robust digital declaration by the parent, combined with random manual checks or algorithmic detection of suspicious patterns, might be deemed sufficient, as long as the Fiduciary can demonstrate “reasonable efforts” as per the DPDPA Rules.

The DPDP Rules acknowledge that the level of verification effort should be proportionate to the risk associated with the data processing. The Data Protection Board of India (DPBI), established under Section 18, is expected to issue further guidelines, particularly under Section 9(3), specifying additional methods for obtaining verifiable consent, adapting to technological advancements and evolving digital practices.

Sectoral Nuances and Regulatory Overlap

The DPDPA’s requirements for children’s data intersect with existing sectoral regulations, creating a complex compliance landscape.

• Financial Sector (RBI, SEBI): Entities regulated by the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI) already have strict Know Your Customer (KYC) norms for minors, often requiring physical documentation and parental signatures for opening accounts or investments. The DPDPA adds a layer of digital consent for data processing related to these services, requiring harmonisation of physical and digital consent records.
• Insurance (IRDAI): Similarly, the Insurance Regulatory and Development Authority of India (IRDAI) mandates specific procedures for insuring minors. Data Fiduciaries in this sector must now ensure their consent mechanisms comply with both IRDAI guidelines and DPDPA Section 9.
• IT Rules and Online Platforms: The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, already place obligations on social media and other online intermediaries to protect children. The DPDPA strengthens these provisions, making explicit parental consent a statutory requirement for processing children’s data on these platforms, thereby impacting everything from user registration to content moderation.

This regulatory overlap necessitates a holistic compliance strategy, ensuring that consent mechanisms satisfy the highest common denominator of all applicable laws.

Exemptions and Future Outlook

Section 9(4) provides a crucial carve-out, allowing the Central Government to exempt certain classes of Data Fiduciaries or specific purposes from the verifiable parental consent requirement. This exemption is likely to be invoked for critical public interest services, such as educational technology platforms, child safety initiatives, or health services, where obtaining individual consent might be impractical or detrimental to the child’s welfare. However, any such exemption would still be subject to the overriding principle of not causing detriment to the child.

The DPBI will play a critical role in interpreting the DPDPA’s provisions, issuing guidelines, and adjudicating disputes. Its initial decisions on parental consent mechanisms will set important precedents for businesses across India.

Practical takeaway

Indian businesses, particularly those with a significant user base of minors or those offering services accessible to children, must immediately conduct a comprehensive data mapping exercise to identify all instances of child data processing. General Counsels and Data Protection Officers should prioritise implementing robust, multi-layered verifiable parental consent mechanisms, aligning them with the DPDP Rules and anticipated guidance from the DPBI. This involves not just technical solutions but also clear, age-appropriate privacy notices and a commitment to child-centric design principles. Collaboration with sectoral regulators to harmonise compliance efforts will be key to navigating this evolving landscape effectively and ensuring both legal adherence and the protection of India’s youngest digital citizens.