Confidential Dispatch

A parent’s starter guide to your child’s data rights and protections

Short answer

Under India’s DPDP Act, anyone under 18 is a child, and businesses must get verifiable parental consent before processing a child’s personal data. They also can’t track children, monitor their behaviour, or target advertising at them (with a few narrow, notified exceptions). As a parent, that gives you real control — over what apps, schools and services can collect from your child — and this guide is your starting map to it.

Educational resource only. This explains children’s-data protections and parental controls under India’s Digital Personal Data Protection Act, 2023 (DPDP Act); it is not formal legal advice.

On this page

The two big protections your child now has

The DPDP Act treats children’s data as needing extra care — built on two core protections.

The Act sets a higher bar for anyone under 18 (Section 9). Two protections do most of the work:

  1. Nothing without a parent’s yes. A business generally can’t process your child’s personal data without your verifiable consent as the parent or guardian.
  2. No profiling of children. Businesses can’t track your child, monitor their behaviour, or run targeted advertising at them.

Together these aim at the two things parents worry about most: data being harvested from a child, and children being profiled and advertised to. Each of the specifics below has its own detailed guide in this section.

What “verifiable parental consent” means for you

Before a service collects your child’s data, it has to get — and be able to prove — a parent’s genuine consent.

“Verifiable” is the key word: a business can’t just ask a child to tick a box claiming to be an adult. It has to take reasonable steps to confirm that a real parent or guardian has consented. For you, that means services aimed at or used by children should be routing the permission decision to you, not to your child — and if an app is collecting your under-18’s data without ever involving you, that’s a red flag worth acting on.

The no-tracking rule — and its limits

Children can’t be tracked or targeted — but a few notified categories are exempted, so it’s not absolute.

The Act’s default is clear: no behavioural tracking or monitoring of children, and no targeted advertising directed at them. This is the protection that pushes back on the data-hungry design of many apps and games.

The load-bearing caveat, so you’re not misled: the government can notify exemptions — certain classes of services (for example some in education or healthcare, and in specific contexts) may be allowed limited processing that would otherwise be restricted, and the exact age-related rules can be adjusted for notified classes. So the protection is strong but not unconditional; where an exemption applies, some processing is permitted. When something seems off, it’s worth checking whether the service is relying on a genuine exemption or simply overreaching.

What you can actually do as a parent

You’re not just a bystander — you have levers over apps, schools and the services your child uses.

Practical starting points, each covered in depth in this section:

  • Control what apps collect. Review and restrict what learning, gaming and social apps can take from your child, and use available parental controls.
  • Question school and admission forms. Schools often ask for far more than needed (parental salaries, Aadhaar, designations) — you can ask why, and give the minimum.
  • Judge ed-tech and gaming apps. Know what these services can and can’t collect from a child before signing your kid up.
  • Teach your child the basics. Simple habits — not oversharing, recognising what’s private — go a long way.

Use the dedicated guides for the how-to; this page is the map that ties them together.

FAQ

At what age is my child covered by these protections? Anyone under 18 is treated as a child under the DPDP Act, so the parental-consent and no-tracking protections apply until they turn 18.

Does an app need my permission to collect my child’s data? Generally yes — it needs verifiable parental consent. A service that collects an under-18’s data without ever involving a parent is a warning sign.

Can apps still show my child targeted ads? The default rule prohibits targeting advertising at children and tracking them. Some notified categories of service may be exempted in specific contexts, so it isn’t absolute — but broad ad-targeting at kids runs against the Act.

What can I do if a service is collecting my child’s data improperly? Raise it with the service’s grievance channel, give only the minimum data, and you can escalate to the Data Protection Board of India. Reviewing the app’s permissions and controls is a good first step.

Related reading

  • Your rights over your personal data, explained — the rights framework these build on.
  • How to protect your personal data from leaks and breaches — the family-wide prevention routine.
  • DPDP consent, explained — what makes consent valid, including the higher bar for children.
  • What is a Data Fiduciary? — the businesses that owe these duties.

Reviewed by Confidential Dispatch Editorial Team

Last updated 9 July 2026

Not legal advice.