Verifiable Parental Consent for Children's Data: An Indian Imperative

The Digital Personal Data Protection Act, 2023 (DPDPA) marks a significant shift in India’s data privacy landscape, placing a strong emphasis on the protection of children’s data. At the heart of this framework lies Section 9, which mandates verifiable parental consent for processing the personal data of a child. As of May 2026, with the DPDPA and its accompanying Rules (2025) fully in effect, Indian data fiduciaries face the critical task of operationalising this requirement, navigating a unique blend of technological, cultural, and regulatory challenges.

The Mandate of Section 9: Beyond Mere Consent

Section 9(1) of the DPDPA unequivocally states that a Data Fiduciary shall not process the personal data of a child without obtaining “verifiable consent” from the parent or lawful guardian. A “child” is defined as an individual under the age of eighteen years (Section 2(d)). This provision moves beyond a simple declaration of consent, demanding a demonstrable assurance that the consent indeed originates from the authorized adult. Furthermore, Section 9(2) imposes stringent restrictions, prohibiting data fiduciaries from tracking children, monitoring their behaviour, engaging in targeted advertising, or processing data that is likely to cause harm to a child. These prohibitions underscore the Act’s protective intent, aiming to shield children from exploitative data practices prevalent in the digital sphere. The DPDP Rules (2025) are crucial here, as they elaborate on the specific methods and standards for achieving this “verifiable” consent.

Navigating “Verifiable” Consent in India’s Digital Landscape

The term “verifiable” is the linchpin of Section 9, presenting a nuanced challenge for Indian businesses. Unlike the GDPR’s Article 8, which calls for “reasonable efforts” to verify parental consent, the DPDPA’s explicit use of “verifiable” suggests a potentially higher, more prescriptive standard. In the diverse Indian context, where digital literacy and access to formal identity documents vary widely, implementing effective and inclusive verification mechanisms is complex.

Possible methods for verifiable consent, as outlined or implied by the DPDP Rules (2025), could include:

• Aadhaar-based verification: While powerful for identity, its use for general consent beyond specific government services requires careful consideration of Supreme Court precedents limiting its application. It may be suitable for high-assurance scenarios but not universally applicable.
• DigiLocker integration: Leveraging this platform could offer a secure way for parents to verify their identity and provide consent.
• Credit/Debit card verification: A common method globally, but its reach in India is still evolving, and it raises concerns about financial data exposure.
• Government ID upload with liveness checks: This offers robust verification but demands sophisticated backend processing and raises data minimisation questions.
• OTP-based verification linked to registered mobile numbers: While widely used, it’s susceptible to misuse by tech-savvy children and may not definitively prove parental identity.
• Consent Management Platforms (CMPs): These will need to integrate deeply with Indian identity infrastructure to meet the “verifiable” threshold, potentially incorporating multi-factor authentication or linking to digital signatures.

The challenge lies in balancing robust verification with user experience and accessibility, ensuring that compliance does not inadvertently exclude segments of the population.

Sector-Specific Considerations and Regulatory Overlap

The implications of Section 9 extend across various sectors. For Ed-tech platforms, which primarily cater to children, verifiable parental consent is foundational. These companies must ensure that the parent, not the child, is consenting to data processing for learning analytics, performance tracking, and communication. Similarly, online gaming and social media platforms popular among minors face significant hurdles, especially given Section 9(2)’s prohibition on targeted advertising and behavioural monitoring. Their business models often rely on these very practices, necessitating a fundamental re-evaluation of how they engage with child users.

In the financial sector, while existing RBI, SEBI, and IRDAI norms dictate how minors interact with financial products (typically requiring parental involvement for account opening or investments), the DPDPA adds a distinct layer of data processing consent. Financial institutions must now ensure that the personal data collected during KYC processes for minors also has verifiable parental consent for all subsequent processing activities, not just account creation. The IT Rules, 2021 (as amended), which address online content and intermediary liability, also underscore a broader regulatory intent to protect children online, aligning with the DPDPA’s objectives. Harmonisation between these various regulatory frameworks is key to avoiding compliance ambiguities.

The Enforcement Landscape and Compliance Challenges

The Data Protection Board of India (DPBI) is empowered to enforce the DPDPA, and the penalties for non-compliance with Section 9 are substantial, reaching up to Rs. 200 crore per instance (Section 33(2)(b)). This underscores the gravity with which the Indian government views children’s data protection. For businesses, the challenges are multi-faceted: developing scalable and user-friendly verification systems, ensuring data minimisation during the verification process, maintaining detailed records of consent (Section 6(9)), and continuously adapting to evolving DPDP Rules and DPBI guidance. The onus is firmly on the data fiduciary to demonstrate that verifiable consent was obtained.

Practical Takeaway

Indian businesses, general counsels, and Data Protection Officers must move beyond perfunctory consent mechanisms. The DPDPA’s mandate for “verifiable” parental consent for children’s data is a call for robust, demonstrable compliance. Invest in identity verification solutions that are tailored to the Indian demographic, potentially leveraging existing digital public infrastructure while respecting privacy principles. Conduct thorough Data Protection Impact Assessments (DPIAs) for any service involving children’s data, meticulously documenting the consent acquisition and management processes. Prioritise data minimisation, collecting only what is necessary for verification. Furthermore, clearly communicate privacy practices to parents in accessible language, ensuring transparency and building trust. Regular training for staff on children’s data protection best practices and continuous review of consent mechanisms against the evolving regulatory landscape will be crucial for sustained compliance and avoiding significant penalties.