

If your business touches the personal data of anyone under 18, the DPDP Act, 2023 holds you to its strictest standard. That covers schools, coaching classes, EdTech platforms, gaming apps, and any website or app that students and minors sign up for.
The rules are simple to state and serious to break: verifiable parental consent is mandatory before processing a child's data, and tracking, behavioral monitoring, and targeted advertising at minors are banned. Misusing children's data carries a penalty of up to ₹200 crore per violation, one of the highest tiers in the Act.
Note the age line: India draws it at 18, while GDPR uses 16 (and allows as low as 13). So even businesses that are compliant in Europe have a gap to close in India.
No cost. No obligation. Get your compliance gap report.
A parent or guardian must consent before you process a child's data, and you must verify the parent is a real, verified adult, for example through DigiLocker or other government-authorized verification. A self-declared checkbox does not qualify.
Tracking and behavioral monitoring of minors is banned. Analytics and profiling systems that quietly follow what a child does on your platform have to be switched off for under-18 users.
Targeted advertising directed at children is prohibited outright. Ad tech, remarketing, and personalized promotions cannot be aimed at under-18 users, with a ₹200 Cr penalty tier behind the ban.
The law recognizes that some processing of children's data is necessary and beneficial. Narrow exemptions exist for specific purposes:
These exemptions are purpose-specific, not blanket passes. An EdTech platform cannot use the education exemption to run ad targeting, and a hospital cannot use the healthcare exemption to build marketing profiles of young patients. Outside the exempted purpose, the full rules, verifiable parental consent included, apply.
| Business | What Changes Under DPDP |
|---|---|
| EdTech platforms | Verifiable parental consent at signup, no behavioral tracking of students, no ad targeting, this is the strictest-hit sector |
| Schools & coaching classes | Consent workflows for student data, careful use of the education exemption, secure handling of records |
| Gaming apps & platforms | Age checks, parental consent flows, and switching off tracking, profiling, and targeted ads for under-18 players |
| Any app or site minors use | If under-18 users can sign up, you need a plan for verifying age and parental consent |
Because children's data misuse sits in the ₹200 crore penalty tier, this is one area where "we'll fix it later" is a genuinely expensive strategy. If your platform is likely to be high-volume, also check whether you could be designated a Significant Data Fiduciary, which adds further duties.
Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Compliance setup takes 2-6 months, and verifiable parental consent is one of the harder pieces to get right.
Check My Children's Data ComplianceChildren's data is one chapter. See the full law, all penalty tiers, deadlines, and the complete compliance checklist on our main DPDP guide.
Learn Everything About DPDP ComplianceAnyone under 18 years of age. That is stricter than GDPR, where the threshold is 16 and can go as low as 13. If under-18 users can sign up for your product or service, these rules apply to you.
Consent from a parent or guardian that you have actually verified, for example through DigiLocker or other government-authorized verification mechanisms. A checkbox saying "I am over 18" or "I am the parent" is not verifiable consent.
No. Tracking, behavioral monitoring, and targeted advertising directed at minors are banned under the DPDP Act, and misusing children's data carries a penalty of up to ₹200 crore per violation.
Yes, but they are narrow and purpose-specific: healthcare, education, and child transport. They cover only the exempted purpose itself, so they cannot be used to justify tracking, profiling, or ad targeting of minors.
Find out if your consent flows, tracking setup, and ad systems would pass a DPDP check, before the Board asks.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.