What this topic covers
India sets the bar for a 'child' under DPDP at 18 — higher than GDPR (16, often 13) and COPPA (13). That single number turns every Indian-facing platform with a meaningful under-18 user base into a children's-data processor with extra duties. Edtech, gaming, social, learning apps, even general-purpose tools used in schools, are all in scope.
Section 9 bans three things outright when processing children's data: tracking or behavioural monitoring, targeted advertising, and any processing 'likely to cause any detrimental effect on the well-being of a child'. These prohibitions are absolute — they are NOT unlocked by parental consent. Good explainers on this topic separate the absolute bans from the consent-gated processing so viewers understand which controls they need.
On top of the bans, you cannot process a child's personal data without 'verifiable consent of the parent or lawful guardian'. The Rules don't lock you into one verification method, but the spirit is unambiguous: a checkbox saying 'my parent agrees' doesn't count. Workable methods include a small refundable payment from a parent's account (COPPA-style), DigiLocker-backed parent ID, government-ID OTP linked to a parent's mobile, or a signed authorisation uploaded as a document.
Points a complete video on this topic should cover
- India's "child" definition at 18 (higher than GDPR/COPPA)
- Section 9's three absolute bans (tracking, targeted ads, harmful processing)
- What 'verifiable parental consent' actually means
- Workable verification methods (payment, DigiLocker, OTP, signed authorisation)
- Age-determination flow — when self-attestation is enough vs not enough
- Sub-account architecture for verified-minor users
- Exempted categories (healthcare providers, schools, crèches)
Relevant sections of the DPDP Act / Rules
- Section 9 (children)
- Rule 10 (parental consent verification)