Children's Data Under the DPDP Act

Verifiable parental consent, the ban on tracking and targeted ads at minors, and the ₹200 Cr penalty tier explained
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

DPDP Children's Data Rules: The Strictest Part of the Law

If your business touches the personal data of anyone under 18, the DPDP Act, 2023 holds you to its strictest standard. That covers schools, coaching classes, EdTech platforms, gaming apps, and any website or app that students and minors sign up for.

The rules are simple to state and serious to break: verifiable parental consent is mandatory before processing a child's data, and tracking, behavioral monitoring, and targeted advertising at minors are banned. Misusing children's data carries a penalty of up to ₹200 crore per violation, one of the highest tiers in the Act.

Note the age line: India draws it at 18, while GDPR uses 16 (and allows as low as 13). So even businesses that are compliant in Europe have a gap to close in India.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

The Three Core Rules for Under-18 Data

Verifiable Parental Consent

A parent or guardian must consent before you process a child's data, and you must verify the parent is a real, verified adult, for example through DigiLocker or other government-authorized verification. A self-declared checkbox does not qualify.

No Tracking or Monitoring

Tracking and behavioral monitoring of minors is banned. Analytics and profiling systems that quietly follow what a child does on your platform have to be switched off for under-18 users.

No Targeted Ads at Minors

Targeted advertising directed at children is prohibited outright. Ad tech, remarketing, and personalized promotions cannot be aimed at under-18 users, with a ₹200 Cr penalty tier behind the ban.

Limited Exemptions: Healthcare, Education, Child Transport

The law recognizes that some processing of children's data is necessary and beneficial. Narrow exemptions exist for specific purposes:

  • Healthcare: hospitals, clinics, and health services treating a child
  • Education: legitimate educational activities by schools and institutions
  • Child transport: safety-related tracking for transporting children, such as school transport

These exemptions are purpose-specific, not blanket passes. An EdTech platform cannot use the education exemption to run ad targeting, and a hospital cannot use the healthcare exemption to build marketing profiles of young patients. Outside the exempted purpose, the full rules, verifiable parental consent included, apply.

Who Feels These Rules the Most

BusinessWhat Changes Under DPDP
EdTech platformsVerifiable parental consent at signup, no behavioral tracking of students, no ad targeting, this is the strictest-hit sector
Schools & coaching classesConsent workflows for student data, careful use of the education exemption, secure handling of records
Gaming apps & platformsAge checks, parental consent flows, and switching off tracking, profiling, and targeted ads for under-18 players
Any app or site minors useIf under-18 users can sign up, you need a plan for verifying age and parental consent

Because children's data misuse sits in the ₹200 crore penalty tier, this is one area where "we'll fix it later" is a genuinely expensive strategy. If your platform is likely to be high-volume, also check whether you could be designated a Significant Data Fiduciary, which adds further duties.

Parental Consent Systems Take Time to Build

Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Compliance setup takes 2-6 months, and verifiable parental consent is one of the harder pieces to get right.

Check My Children's Data Compliance

Want the Complete DPDP Picture?

Children's data is one chapter. See the full law, all penalty tiers, deadlines, and the complete compliance checklist on our main DPDP guide.

Learn Everything About DPDP Compliance

DPDP Children's Data: Frequently Asked Questions

Who counts as a child under the DPDP Act?

Anyone under 18 years of age. That is stricter than GDPR, where the threshold is 16 and can go as low as 13. If under-18 users can sign up for your product or service, these rules apply to you.

Does Your Platform Handle Under-18 Data?

Find out if your consent flows, tracking setup, and ad systems would pass a DPDP check, before the Board asks.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.