Confidential Dispatch

How to control what apps collect from your child under 18

At a glance

Under India’s DPDP Act, an app must get a parent’s verifiable consent before collecting an under-18’s personal data, and it can’t track your child or target ads at them — so you hold the permission switch, not your child. In practice, controlling what an app collects comes down to four moves: check what it’s actually taking, use the device and account controls you already have, spot the apps that skipped your consent, and pull that consent back when you want.

Educational resource only. This explains parental controls over children’s data under India’s Digital Personal Data Protection Act, 2023 (DPDP Act); it is not formal legal advice.

On this page

The situation

Your child wants a game, a learning app, or a social account, and the sign-up breezes through permissions you never really saw — location, contacts, microphone. You’re left wondering what’s being collected, and whether you have any real say. Under India’s data law, you have more than you might think.

Why you hold the switch, not your child

The law routes the permission decision to you: an app needs a parent’s verifiable consent before it can process an under-18’s data. The DPDP Act treats anyone under 18 as a child (Section 9), and sets two rules that work in your favour:

  • Nothing without your yes. An app generally can’t collect your child’s personal data without your verifiable consent — it has to take real steps to confirm a genuine parent agreed, not just let a child tick a box.
  • No tracking, no targeting. Apps can’t behaviourally track your child or aim targeted advertising at them — and this holds even if you consented. It’s a hard line, not a setting.

So your job isn’t to fight the app’s design single-handed; it’s to use the say the law already gives you. The steps below are how you exercise it.

Step by step: control what an app collects

Work from the app’s own permissions outward to the device and account controls — most of the levers are already in your hands.

  1. Read what it’s asking for at sign-up. Before agreeing, look at the permissions and the privacy notice: what data, why, and whether it’s needed for the app to work. A torch app asking for contacts is a mismatch.
  2. Strip permissions back on the device. In your phone’s settings, turn off location, contacts, microphone, and camera access for apps that don’t genuinely need them. You can grant narrowly (e.g. location “only while using”).
  3. Use the built-in family controls. Android’s Family Link and Apple’s Screen Time / Family Sharing let you approve downloads, restrict data-sharing, and see what your child is using — treat these as your consent gate.
  4. Check the age settings. Make sure the account is set up as a child’s account, not an adult one — that’s often what switches on the child protections in the first place.
  5. Prefer apps that ask you properly. An app that routes consent through a parent (identity or age confirmation, sometimes via a government-backed check like DigiLocker) is following the rule; one that never involves you is not.

The red flags that mean an app is overreaching

A few patterns reliably signal an app is taking more than the law allows. Watch for:

  • No parent step at all — your under-18 signed up and started sharing data without you ever being asked.
  • Permissions with no purpose — access to contacts, location, or the mic that the app’s function doesn’t need.
  • Targeted ads following your child — ads that clearly track interests or behaviour, which the Act prohibits for children.
  • No easy way to withdraw or delete — a service that makes pulling data back hard is failing a duty.
  • What good looks like: a clear notice, a real parental-consent step, narrow permissions, and simple controls to withdraw and delete.

What you can do if an app crosses the line

You can withdraw consent, demand deletion, and escalate — the same rights you have over your own data extend to your child’s.

  • Withdraw your consent. You can take it back at any time, and it must be as easy to withdraw as it was to give (Section 6). The app then has to stop the processing that relied on it.
  • Ask for deletion. Request that the app delete your child’s data once you’ve withdrawn or the purpose is over, and ask for confirmation.
  • Escalate if ignored. Raise a grievance with the app’s grievance channel, and if that fails, the Data Protection Board of India.

FAQ

Does an app need my permission before collecting my child’s data? Generally yes — it needs your verifiable parental consent for an under-18. An app that collects your child’s data without ever involving you is a warning sign.

Can I stop an app from tracking my child? The Act already prohibits behavioural tracking and targeted advertising of children — so an app doing it is breaking the rule, not offering an option. You can also strip tracking-related permissions on the device.

How do I actually withdraw permission I already gave? Use the app’s privacy settings or its privacy contact to withdraw consent; it must be as easy as giving it was, and you can ask for your child’s data to be deleted.

What are the best first controls to set? Set the account up as a child’s account, turn on Family Link or Screen Time, and switch off any app permissions (location, contacts, mic) the app doesn’t genuinely need.

My child is 16 and signed up without me — what now? Under-18s are covered, so you can withdraw consent, ask for deletion, and review the app’s permissions. If the service resists, escalate through its grievance channel.

Reviewed by Confidential Dispatch Editorial Team

Last updated 15 July 2026

Not legal advice.