Confidential Dispatch

What data protections does your child have under the DPDP Act?

At a glance

The DPDP Act treats anyone under 18 as a child and gives them specific protections: a business needs a parent’s verifiable consent before processing a child’s data, must not process it in ways that harm the child, and — even with consent — must not behaviourally track children or target advertising at them. A few narrow health, education and safety uses are exempted. As the parent, you exercise these protections on your child’s behalf.

Educational resource only. This explains the children’s-data protections under India’s Digital Personal Data Protection Act, 2023 (DPDP Act); it is not formal legal advice.

On this page

Where these protections come from

The DPDP Act singles out children for stronger protection than adults get, in one dedicated part of the law (Section 9). If the starter guide is the map, this is the detail behind each protection — what it actually requires, and where its edges are.

The four protections in the children’s-data rule

The law stacks four distinct duties on any business handling a child’s data. Together they cover collection, harm, tracking and advertising:

  1. Verifiable parental consent. A business must obtain your genuine, confirmed consent as parent or guardian before processing your child’s personal data — not the child’s own click.
  2. No harmful processing. It must not process a child’s data in a way likely to have a detrimental effect on the child’s wellbeing. This is a broad safety backstop.
  3. No behavioural tracking or monitoring. It can’t track or profile a child’s behaviour across a service or the web.
  4. No targeted advertising at children. It can’t aim behaviourally-targeted ads at your child.

The first is a gate on collection; the other three limit what can be done even after data is collected — and protections 3 and 4 hold regardless of consent.

What makes parental consent “verifiable”

“Verifiable” means the business has to actually confirm a real adult parent agreed — not take a child’s word for it. Under the Rules notified in November 2025, a business must take reasonable technical steps and due diligence to check that the person consenting is an identifiable adult acting for the child. In practice it can do this in one of three ways:

  • using reliable information it already holds about the parent;
  • relying on identity or age details the parent voluntarily provides; or
  • using a government-issued token or credential — for example a check through DigiLocker, India’s government-backed digital ID and document service.

The point for you: legitimate services route the consent decision to a verified you. A service that lets your under-18 self-declare as an adult and sail through has not met this bar.

The tracking and targeting ban — and its exemptions

Children can’t be tracked or advertised to — but a defined set of health, education and safety uses is carved out. The default is strong and consent-proof: no behavioural monitoring, no targeted ads at children. The exemptions, set by the Rules, are narrow and tied to who is processing and why:

  • Healthcare providers — clinical and mental-health establishments and health professionals — where processing is limited to necessary health services for the child.
  • Educational institutions, day-cares and caretakers — where tracking or monitoring (including location) is in the interest of the child’s safety.

What the exemptions are not: a general loophole for commercial apps. If a business isn’t in one of these defined classes acting for one of these defined purposes, the ban applies in full. So “we’re educational” or “it’s for their own good” doesn’t, by itself, license tracking a child.

The rights you can exercise for your child

Your child’s data rights don’t wait until they turn 18 — you exercise them now, as the parent. The everyday rights that apply to your own data extend to your child’s, and you act on their behalf:

  • Access — ask what data a service holds about your child.
  • Correction — get inaccurate details fixed.
  • Erasure — have your child’s data deleted once its purpose is over or you withdraw consent.
  • Withdraw consent — take back a permission you gave, as easily as you gave it.
  • Grievance and escalation — complain to the service, then the Data Protection Board of India if it isn’t resolved.

When your child turns 18, they step into these rights themselves.

FAQ

At what age do these child protections stop? At 18. The DPDP Act treats everyone under 18 as a child; the protections apply until then, after which your child exercises their own data rights.

Do the tracking and ad rules apply even if I consent? Yes. The bans on behavioural tracking and targeted advertising of children are not something a parent’s consent can switch off.

What counts as “verifiable” parental consent? The business must confirm an identifiable adult parent is consenting — using information it holds, ID or age details you provide, or a government-backed check such as DigiLocker.

Are any services exempt from these rules? Narrowly — healthcare providers for necessary health services, and schools, day-cares and caretakers for child-safety monitoring. It’s not a general exemption for commercial apps.

Can I get my child’s data deleted? Yes. You can withdraw consent and request erasure once the purpose is over, and escalate to the Data Protection Board if a service refuses.

Reviewed by Confidential Dispatch Editorial Team

Last updated 15 July 2026

Not legal advice.