The rise of digital platforms, social media applications, online learning tools, gaming apps, and e-commerce websites has significantly increased the collection and processing of personal data in India. With children becoming active internet users at a young age, protecting their digital privacy has become a major legal and ethical concern. To address these concerns, India introduced the Digital Personal Data Protection Act, 2023, commonly known as the DPDP Act.

One of the most important provisions under the DPDP Act relates to children’s personal data. The law imposes strict responsibilities on businesses and organizations that collect or process information belonging to minors.

In this article, we will explain who is considered a child under the DPDP Act, the age threshold for parental consent, obligations of companies, prohibited activities, penalties for non-compliance, and practical implications for businesses.

Understanding the DPDP Act

The Digital Personal Data Protection Act, 2023 is India’s primary data protection legislation designed to regulate the processing of digital personal data. The law applies to organizations, companies, government bodies, and digital platforms that collect or process personal data within India.

The Act aims to:

• Protect the privacy rights of individuals
• Regulate lawful data processing
• Ensure accountability among data fiduciaries
• Safeguard children from harmful online practices
• Promote responsible use of digital data

Among its various provisions, child data protection has been given special importance due to the vulnerability of minors in the online environment.

Who is Considered a Child Under the DPDP Act?

Under the DPDP Act, a child is defined as:

“An individual who has not completed 18 years of age.”

This means any person below the age of 18 years is legally treated as a child for the purpose of data protection compliance in India.

Unlike some international privacy laws that provide different age thresholds, the DPDP Act adopts a strict and uniform standard of 18 years.

Age of Child for Which Guardian Consent is Required Under DPDP Act

The age threshold for mandatory parental or guardian consent under the DPDP Act is:

Below 18 Years of Age

If a user is under 18 years old, any organization processing their personal data must first obtain verifiable consent from a parent or lawful guardian.

This requirement applies to:

• Mobile applications
• Gaming platforms
• Educational technology platforms
• Social media companies
• E-commerce websites
• Streaming services
• Healthcare applications
• Financial technology platforms
• Online learning portals
• AI-powered platforms collecting user data

The law places the burden on the company or platform to verify that parental consent has actually been obtained before processing the child’s personal data.

Why Does the DPDP Act Define Children as Under 18?

The Indian legislature intentionally adopted a broader definition of “child” compared to some foreign privacy laws.

The key reasons include:

1. Protection Against Online Exploitation

Children and teenagers are more vulnerable to:

• Manipulative advertising
• Online scams
• Behavioral profiling
• Data misuse
• Psychological targeting

The law aims to create stronger digital safeguards.

2. Increasing Digital Dependency

Modern children use smartphones, apps, gaming systems, and social media extensively. Their data footprints are created very early in life.

3. Preventing Harmful Behavioral Tracking

Many online platforms collect behavioral data to influence purchasing decisions, engagement habits, and content consumption patterns. The DPDP Act restricts such practices when children are involved.

What is Parental Consent Under the DPDP Act?

Parental consent refers to obtaining authorization from the child’s parent or lawful guardian before processing the child’s personal data.

The consent must be:

• Free
• Specific
• Informed
• Unambiguous
• Verifiable

Organizations must implement mechanisms to verify:

• The identity of the parent or guardian
• The authenticity of the consent
• The child’s age

Simply adding a checkbox stating “I am above 18” may not always be sufficient if the platform knowingly targets children.

Who is a Data Fiduciary?

Under the DPDP Act, organizations that determine the purpose and means of processing personal data are known as “Data Fiduciaries.”

Examples include:

• Social media companies
• OTT platforms
• Online gaming applications
• EdTech companies
• Healthcare apps
• E-commerce marketplaces
• Digital banks
• Mobile app developers

These entities have legal responsibilities while handling children’s data.

Special Obligations of Data Fiduciaries Handling Children’s Data

The DPDP Act imposes stricter obligations on businesses processing data belonging to children.

1. Mandatory Verifiable Parental Consent

Before collecting or processing any child data, companies must obtain verifiable consent from parents or legal guardians.

This applies even if the data collection seems minimal.

2. No Profiling of Children

The DPDP Act expressly prohibits profiling of children.

Profiling means automated processing used to analyze or predict behavior, preferences, interests, habits, or activities.

For example:

• Predicting purchasing habits
• Tracking emotional responses
• Behavioral scoring
• Engagement manipulation

Such practices are prohibited when directed at children.

3. No Tracking or Monitoring

Companies cannot track or monitor children’s online activities in a manner prohibited under the Act.

Examples may include:

• Persistent location tracking
• Behavioral analytics
• Activity surveillance
• Device fingerprinting
• Continuous usage monitoring

This provision aims to preserve children’s digital privacy and autonomy.

4. Ban on Targeted Advertising

Targeted advertising directed specifically at children is prohibited.

Platforms cannot use personal data to:

• Push personalized ads
• Influence purchasing decisions
• Encourage addictive engagement
• Manipulate online behavior

This is particularly relevant for gaming apps, social media platforms, and video-sharing websites.

5. No Detrimental Effect on Child Well-being

Organizations are prohibited from processing children’s personal data in a manner likely to cause detrimental effects on their well-being.

Detrimental effects may include:

• Mental harm
• Emotional distress
• Addiction-based engagement
• Exploitative design practices
• Manipulative content delivery

This provision gives regulators broad powers to assess harmful digital practices.

Examples of Child Data Covered Under the DPDP Act

The law applies to any digital personal data relating to children, including:

• Name
• Email address
• Mobile number
• Location data
• School information
• Photos and videos
• Device identifiers
• Browsing history
• Biometric information
• Health records
• Payment information

Even indirect identifiers can qualify as personal data.

Practical Impact on Businesses

The child protection provisions under the DPDP Act significantly affect digital businesses operating in India.

Companies may need to implement:

• Age verification systems
• Parent authentication workflows
• Consent management platforms
• Child-safe privacy policies
• Restricted advertising models
• Data minimization practices

Businesses targeting teenagers may face major operational changes due to the 18-year age threshold.

Challenges Faced by Companies

1. Difficulty in Age Verification: Determining a user’s exact age online can be difficult without collecting additional sensitive data.
2. User Experience Concerns: Parental consent systems may create friction during user registration.
3. Compliance Costs: Implementing child data protection mechanisms can increase operational costs.
4. Advertising Revenue Impact: Restrictions on targeted advertising may affect revenue models for child-focused platforms.

Penalties for Non-Compliance

The DPDP Act contains substantial financial penalties for violations.

Organizations that fail to protect children’s data or violate child-related obligations may face heavy penalties imposed by the Data Protection Board of India.

Repeated non-compliance may also lead to:

• Regulatory investigations
• Reputational damage
• Loss of user trust
• Legal disputes

Comparison with International Privacy Laws

India (DPDP Act)

• Child defined as below 18 years
• Mandatory parental consent below 18
• Strict ban on tracking and targeted ads

United States (COPPA)

Children’s Online Privacy Protection Act applies to children under 13 years.

European Union (GDPR)

General Data Protection Regulation generally sets the age of digital consent between 13–16 years depending on the member state.

India’s approach is therefore stricter than many global standards.

Importance of Child Data Protection in the Digital Age

Children today interact with digital ecosystems constantly. From online classes to gaming and entertainment, their digital presence begins very early.

Without strong legal protections, children may become vulnerable to:

• Data exploitation
• Manipulative algorithms
• Privacy invasions
• Online addiction
• Commercial targeting

The DPDP Act seeks to establish a safer digital ecosystem for minors by placing stronger accountability obligations on businesses.

Conclusion

Under the Digital Personal Data Protection Act, 2023, any individual below 18 years of age is considered a child. The law requires organizations to obtain verifiable parental or guardian consent before processing a child’s personal data.

The Act also imposes strict prohibitions on profiling, tracking, monitoring, and targeted advertising directed at children. Additionally, companies must ensure that their data processing activities do not negatively affect a child’s well-being.

These provisions make India’s child data protection framework one of the strictest globally. Businesses operating digital platforms in India must therefore adopt robust compliance mechanisms to ensure lawful handling of children’s personal data.

As digital engagement among children continues to rise, the DPDP Act represents a significant step toward creating a safer and more privacy-focused online environment for young users.

FAQs on Children Under the DPDP Act

Q1. Who is considered a child under the DPDP Act?

A1. A child under the DPDP Act is any individual who has not completed 18 years of age.

Q2. What is the age of consent under the DPDP Act?

A2. The age threshold for parental consent under the DPDP Act is 18 years.

Q3. Is parental consent mandatory for processing children’s data?

A3. Yes, Data fiduciaries must obtain verifiable consent from a parent or legal guardian before processing a child’s personal data.

Q4. What is meant by verifiable parental consent?

A4. It means companies must implement reasonable methods to confirm that consent genuinely comes from the parent or lawful guardian.

Q5. Can companies show targeted advertisements to children?

A5. No, The DPDP Act prohibits targeted advertising directed specifically at children.

Q6. Does the DPDP Act prohibit profiling of children?

A6. Yes, Profiling, tracking, and behavioral monitoring of children are prohibited under the Act.

Q7. What are examples of children’s personal data?

A7. Examples include names, email addresses, phone numbers, location data, browsing activity, photos, videos, and biometric information.

Q8. Which businesses are affected by child data protection rules?

A8. Any business processing digital personal data of children, including social media platforms, gaming apps, EdTech companies, and e-commerce websites.

Q9. What happens if a company violates child data protection provisions?

A9. Companies may face significant financial penalties, regulatory action, and reputational damage for non-compliance.

Q10. Is India’s child data protection law stricter than GDPR?

A10. Yes, India defines children as individuals below 18 years, whereas GDPR generally allows digital consent between 13 and 16 years depending on the country.