DPDP WorkshopLearning Hub
Check Your Cost →
Quick Answer4 min read

DPDP Rules for Children's Data in India (MBS Guide)

Understand DPDP rules for processing children's data in India. Learn consent, age verification, and compliance costs with MBS.

SP
Sushant Pasumarty

DPDP Rules for Children's Data in India: Quick Answer

Yes, the Digital Personal Data Protection Act (DPDP Act) imposes stringent rules for processing the personal data of children in India. Data Fiduciaries must obtain verifiable parental consent and cannot track, monitor, or engage in targeted advertising to children.

These rules are designed to protect minors online, creating significant compliance obligations for businesses whose services are likely to be accessed by children.

What This Means Right Now: Enforcement and Reality

While the DPDP Act is not yet fully enforced, businesses that interact with children's data must prepare proactively. The Ministry of Electronics and Information Technology (MeitY) will likely release specific rules and timelines for compliance, but the core principles regarding children's data are clear.

Sushant Pasamarty, founder of Meridian Bridge Strategy, emphasizes, "The intent of the DPDP Act is to put the onus on businesses to prove they have adequate safeguards for children's data. Waiting for enforcement notifications is a high-risk strategy." Early preparation will prevent rushed, expensive compliance efforts later.

💡 Key Insight: The DPDP Act defines a 'child' as an individual under 18 years of age. This broad definition impacts a wide range of services, not just those explicitly targeting children.

What You Actually Need to Do

  1. Obtain Verifiable Parental Consent: For any processing of a child's personal data, you must obtain verifiable consent from their parent or lawful guardian. The Act does not specify *how* to verify, leaving it to businesses to implement robust mechanisms. This could involve age-gating, multi-factor authentication, or other identity verification methods.
  2. Prohibit Targeted Advertising: The DPDP Act explicitly bans tracking, monitoring, or behavioral targeting of children. This means businesses cannot use children's data to create profiles for personalized advertisements.
  3. Avoid Harmful Data Processing: Data Fiduciaries cannot process children's data in a manner detrimental to their well-being. This broad clause requires a careful assessment of all data processing activities involving minors.
  4. Implement Robust Age Verification: If your service is likely to be accessed by children, you must implement mechanisms to determine if the user is a child and, if so, trigger the parental consent process. This is crucial even if your primary audience is adults.
  5. Conduct Data Mapping for Minors: Identify all instances where your business collects, stores, processes, or shares data belonging to individuals under 18. This foundational step is critical for understanding your exposure.

What It Costs to Become Compliant with Children's Data Rules

Compliance with DPDP rules for children's data is not a standalone activity but an integral part of your overall DPDP readiness. The costs depend on your existing data infrastructure and the volume/sensitivity of children's data you handle. Meridian Bridge Strategy offers structured services to guide you.

TierWhat it includes for Children's Data CompliancePrice RangeDuration
Data MappingIdentify all touchpoints where children's data is collected and processed, including vendors. This reveals where verifiable consent and age-gating are needed.₹1.5L – ₹3L1-2 weeks
DPDP Readiness AuditIncludes Data Mapping + Gap analysis for parental consent flows, age verification mechanisms, and assessing risks of harmful processing or targeted advertising towards children.₹2L – ₹6L2-4 weeks
DPDP WorkshopIncludes Data Mapping, Gap Analysis + Prioritized recommendations and a 90-day roadmap to implement verifiable parental consent, age-gating, and redesign advertising practices.₹5L – ₹10L4-6 weeks
Full DPDP ConsultingIncludes Workshop + Implementation support for new consent flows and age verification, DPO training on children's data protection, and a final readiness opinion.₹7L – ₹12L3-6 months
✅ Pro Tip: If your business primarily serves adults but has ancillary features or content accessible by minors (e.g., social features, user-generated content), a Data Mapping service is your critical first step. This helps identify the scope of children's data within your system.

When to Start Your DPDP Children's Data Compliance

Start immediately. The DPDP Act is clear on its intent regarding children's data. Businesses with a significant digital presence, especially those in ed-tech, gaming, social media, or e-commerce, cannot afford to wait. Building robust age verification and parental consent systems takes time and development effort.

Sushant Pasamarty, with his background in identity verification and cybersecurity, emphasizes the complexity. "Implementing truly 'verifiable' consent requires more than a simple checkbox. It involves technical and process changes that impact user experience and data architecture."

Next Step: Understand Your Specific Obligations

The best way to determine your specific compliance needs and associated costs for children's data is to assess your current data practices. Use the free calculator on dpdpworkshop.com to get an initial estimate for your organization. You can then book a call with Sushant Pasamarty to discuss your specific context.

For more detailed information on general DPDP compliance, explore our guide on DPDP Compliance for Media & AdTech, as these sectors frequently encounter children's data challenges.

Frequently Asked Questions

What is the age of a 'child' under the DPDP Act?

Under the Digital Personal Data Protection Act (DPDP Act), a 'child' is defined as any individual who has not completed eighteen years of age. This applies across all provisions of the Act relating to children's data.

What does 'verifiable parental consent' mean for businesses?

'Verifiable parental consent' means businesses must implement reasonable steps to confirm that consent for processing a child's data is indeed given by their parent or legal guardian. The Act doesn't prescribe a specific method, but common approaches include age-gating combined with email confirmation, government ID verification, or payment method verification.

Can I use personalized ads for children if I have parental consent?

No. The DPDP Act explicitly prohibits tracking, behavioral monitoring, or targeted advertising directed at children, regardless of whether parental consent has been obtained for other data processing activities. This is a strict prohibition.

Does DPDP apply if my app is for adults but children might access it?

Yes. If your service is 'likely to process the personal data of children,' you must still comply with the children's data provisions. This means implementing age verification and, if a user is identified as a child, obtaining verifiable parental consent before processing their data, even if your primary target audience is adults.

Related Guides

DPDP Compliance: Mandatory for Indian Startups?

Indian startups need to know DPDP compliance. Get a direct answer, learn current enforcement realities, and see MBS service costs.

DPDP Fines for Small Businesses: What You Need to Know

Indian small businesses face DPDP fines up to ₹250 Cr. Learn direct answers, enforcement reality, and steps to comply.

DPDP Act: Foreign Companies in India – Guide by MBS

Does India's DPDP Act apply to your foreign company? Learn the applicability criteria, current enforcement, and compliance steps from Sushant Pasumarty of MBS.

Check Your DPDP Cost

Use the free calculator to estimate your compliance cost. Then book a call with Sushant to scope the right engagement.

Estimate My DPDP Cost →
Or book a call with Sushant →