What counts as verifiable parental consent under DPDP? A practical guide for Indian businesses
At a glance
DPDP requires more than a parent’s say-so — it requires verifiable consent before you process a child’s (under-18) personal data, meaning you actually confirm the identity and age of the adult consenting, not just collect a checkbox claiming “I am a parent.” Rule 10 gives two accepted verification routes, and Schedule IV exempts a defined set of sectors and purposes — but only where the exemption genuinely fits, not as a self-certifying opt-out.
Educational resource only. This explains the verifiable parental consent requirement for children’s data under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and its Rules; it is not formal legal advice.
On this page
- Why “verifiable” is the operative word
- The two accepted verification routes
- What else DPDP bans once a user is a child
- The exemptions — and their limits
- Building verifiable consent into your product
- FAQ
The situation
Plenty of apps and platforms already have an age gate of some kind — a birthdate field, or a checkbox that says “I confirm I am the parent or guardian of this user.” Under most consumer product norms, that’s been treated as good enough. Under DPDP it isn’t. The Act specifically requires verifiable consent for anyone processing a child’s data, and a self-reported tick box doesn’t verify anything — it just records a claim.
Why “verifiable” is the operative word
DPDP doesn’t just ask for parental consent — it asks you to confirm the consenting adult actually is who they say they are, before you rely on that consent. Section 9 of the Act requires a Data Fiduciary to obtain verifiable consent from a parent or lawful guardian before processing a child’s personal data — “child” meaning anyone under 18. Rule 10 of the DPDP Rules, 2025 spells out what “verifiable” means in practice: you need a reliable basis for believing the person consenting is (a) an adult and (b) the child’s actual parent or guardian, not merely a claim you took at face value. Getting this wrong exposes you to one of the higher penalty tiers in the Act — breaches involving children’s data sit near the top of the scale.
The two accepted verification routes
Rule 10 gives you two ways to satisfy the verification bar, depending on whether you already have a relationship with the parent.
- Existing relationship. If you already hold reliable identity and age details for the parent — because they’re an existing registered user, for instance — you can rely on those details rather than asking them to re-verify from scratch.
- New relationship. If you don’t already have that on file, the parent can voluntarily provide their identity and age details directly, or use a virtual token issued by an authorised entity — a government body, an agency entrusted by law, or a Digital Locker Service Provider (DigiLocker) — that confirms their identity and age without you having to independently collect and store their raw ID documents.
In practice, most consumer platforms building this fresh will lean on the second route via a Digital Locker–style token: it verifies the parent without the platform itself becoming a second custodian of the parent’s Aadhaar or other ID.
What else DPDP bans once a user is a child
Verified consent is the entry condition — it doesn’t unlock everything. Once you’re processing a child’s data (with valid verifiable consent in place), the Act separately prohibits:
- Tracking or behavioural monitoring of the child, and
- Targeted advertising directed at the child, and
- Any processing that’s likely to cause a detrimental effect on the child’s wellbeing.
So a platform can’t use verifiable parental consent as a green light to profile or target-advertise to the child anyway — the consent covers the processing you actually need for the service, not a general licence.
The exemptions — and their limits
Schedule IV of the Rules exempts specific sectors and purposes from some or all of the child-data restrictions — but the fit has to be genuine, not assumed. Broadly, the exempted categories include:
- Sectoral (Part A): healthcare providers delivering medical services, educational institutions acting for safety or educational purposes, childcare/crèche facilities, and school transport providers doing location tracking for child safety.
- Purpose-based (Part B): processing clearly in a child’s interest for exercising a legal function, providing government subsidies or benefits, creating an email account for communication, real-time safety-related location tracking, and age-appropriate content or access filtering.
The caveat that matters in practice: these categories are written broadly, and it’s tempting for a platform to characterise itself as “educational” or “in the child’s interest” to sidestep verification altogether. That’s the wrong way to use an exemption. Check the exemption against what you’re actually doing — the specific purpose, not the general category your product markets itself under — before deciding it applies to you.
Building verifiable consent into your product
Treat it as a flow, not a checkbox — verification, not disclosure.
- Age-gate at signup. Collect date of birth (or another reliable age signal) before any child-specific data collection begins.
- Route under-18 accounts to a parent-verification flow rather than letting the signup complete unverified.
- Implement one of the two Rule 10 routes — reuse existing verified-adult details where you have them, or integrate a virtual-token / Digital Locker–style verification for new relationships.
- Log the verification record — who verified, when, and by what method. This is your proof if the consent is ever challenged, the same demonstrable-record principle that runs through the rest of DPDP.
- Suppress tracking, behavioural monitoring and targeted ads for confirmed-minor accounts by default, regardless of what the parent consented to.
- Check your exemption fit honestly before assuming Schedule IV lets you skip verification — match the specific purpose, not the sector label.
FAQ
What counts as verifiable parental consent under DPDP? Consent from a parent or guardian where you’ve actually confirmed their identity and age — either using reliable details you already hold on them, or through a voluntary ID submission or an authorised virtual token (e.g. via DigiLocker) for a new relationship. A self-reported “I am the parent” checkbox does not meet this bar.
Can I just ask “are you over 18?” as a checkbox? No. That’s a self-declaration, not verification. DPDP requires you to have a reliable basis for believing the consenting adult’s identity and age, not just an unverified claim.
Is my ed-tech or healthcare app automatically exempt from verifiable parental consent? Not automatically. Schedule IV exempts specific sectors (including education and healthcare) and purposes, but the exemption has to match what you’re actually doing, not just the category your product falls under generally. Check the fit before relying on it.
What happens if I don’t get verifiable consent for a child’s data? You’re processing a child’s personal data without a valid legal basis, which carries exposure at one of the Act’s higher penalty tiers — breaches or violations involving children’s data are treated more seriously than the general baseline.
Does verified parental consent let me show a child targeted ads? No. DPDP separately bans tracking, behavioural monitoring and targeted advertising directed at children, regardless of what the parent consented to for the underlying service.
Related reading
- What DPDP protections your child now has — the same rules explained from a parent’s side.
- A parent’s starter guide to your child’s data rights — the consumer-facing companion to this guide.
- DPDP consent, explained — the general consent standard this builds on.
- DPDP penalties, explained — where children’s-data violations sit in the penalty tiers.
Reviewed by Confidential Dispatch Editorial Team
Last updated 10 July 2026
Not legal advice.