Skip to content
checkDPDP

Guide

Verifiable parental consent: how to handle children's data under the DPDP Act

The DPDP Act puts children under 18 in a special category — verifiable parental consent, no tracking, no targeted ads. The Rules give a phased rollout, but the engineering work is harder than people expect. Here's what 'verifiable' actually means.

06 May 2026 · 8 min read

India sets the bar for a 'child' at 18 under the DPDP Act — higher than GDPR (16, often lowered to 13 by Member States) and COPPA (13). That single number turns every Indian-facing platform with a meaningful under-18 user base into a children's-data processor with extra duties. Edtech, gaming, social, learning apps, even general-purpose tools used in schools, are all in scope.

Section 9 of the Act bans three things outright for children: (1) processing that is likely to cause any detrimental effect on the well-being of a child; (2) tracking or behavioural monitoring of children; (3) targeted advertising directed at children. These prohibitions don't bend to consent — even verifiable parental consent doesn't unlock targeted ads at minors.

Then there's the consent itself. You can't collect a child's personal data without 'verifiable consent of the parent or lawful guardian'. The Rules don't lock you into one verification method, but the spirit is unambiguous: a checkbox saying 'I am over 18 / my parent agrees' doesn't count. Workable methods include — a small payment from a parent's account (₹1 refund flow, à la COPPA-style payment verification), DigiLocker-backed parent ID, a government-ID OTP linked to a parent's mobile, or a signed authorisation uploaded as a document.

Engineering implications: you need an age-determination flow before consent. Self-attested age is fine if you have no signal otherwise, but if your platform clearly has under-18 users (school-domain emails, age fields, in-app behaviour), self-attestation alone won't satisfy regulators. The defensive design is age-gate → if under 18, parental verification handshake → if verified, a sub-account with no tracking and no ads.

The Rules give exempted categories phased relief — healthcare providers, educational institutions and crèches get a lighter touch when processing is for the child's welfare. But the default assumption for a consumer product should be: under-18 = strictly-necessary processing only, with verifiable parental consent gating anything beyond that. Build it once, properly, before the Board's first enforcement action sets the precedent against you.

Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.

← All posts