The protection of children’s personal data has and continues to present regulatory and practical challenges for lawmakers, businesses, organisations, institutions and establishments that deal with personal data (“Data Fiduciary“). Children are more vulnerable to online harms and their ability to provide informed consent is limited, thereby necessitating heightened safeguards.
The Foundational Framework
The Digital Personal Data Protection Act, 2023 (“DPDP Act“), while establishing India’s first comprehensive data protection framework, attempts to address these concerns by imposing stricter obligations on Data Fiduciaries processing a child’s personal data. The DPDP Act defines a “child” as an individual who has not completed the age of 18 (eighteen) years[1] and imposes a set of specific and restrictive obligations on Data Fiduciaries in this regard. This includes obtaining the verifiable consent of the parent or lawful guardian, not processing personal data where such data is likely to cause any detrimental effect on the well-being of a child, and not tracking or engaging in behavioural monitoring or targeted advertising directed at children[2].
Additionally, the Draft Digital Personal Data Protection Rules, 2025 (“Draft Rules“), released for public comments earlier this year[3], mention adopting appropriate technical and organisational measures to obtain verifiable parental consent and emphasize on due diligence to verify that a person identifying as a parent is an identifiable adult with reliable details of identity and age.
As for exemptions, the Draft Rules only carve out specific exemptions for certain classes of Data Fiduciaries, such as educational institutions and clinical establishments but specified that this was only in cases where data processing was strictly for a child’s health, safety and/or education. The intent behind these exemptions is to distinguish between legitimate, welfare-oriented activities and commercial exploitation of children’s personal data.
To comply with the foundational framework, the DPDP Act itself lays down the most pertinent solution- that personal data collection be limited to what is “necessary” for a specified and lawful purpose. However, in achieving this with respect to children’s data collection, two key issues may arise: defining what stronger data minimisation standards for children should look like in practice, and the challenge of ensuring that parental consent is verified in a manner that does not create disproportionate burdens or privacy risks for parents and lawful guardians.
Data Minimization Standards in Practice
When applied to the collection of children’s personal data, data minimisation demands an even stricter implementation. Certain scenarios could include:
- Children’s Websites and Magazines – Websites or digital magazine platforms which target children must, unless necessary, obtain only the parents’ details which would be necessary to verify parental consent before activating the child’s account.
- Educational Institutions & Platforms – The Draft Rules permit educational institutions to process student data without repeated consent only if it is strictly necessary for educational activities or in the interest of safety.[4] Thus, educational institutions must only collect what is needed – student’s name, parent/legal guardian contact details, and any mandatory health information and avoid demographic details or personal preferences, unless educationally required. Similarly, EdTech platforms should only ask for information needed to deliver the learning content and explicitly avoid unnecessary tracking of students.
- Social Media Platforms – Social media platforms must tread very carefully. Since no child can create an account without verifiable parental consent, any sign-up flow must ask for only the minimal required details, such as birthdate to verify age and parent’s contact details for consent. The biggest issue with social media platforms is the growing trend of targeted advertising. The DPDP Act, however, explicitly bans behavioural tracking and targeted advertising towards children.
- Internships and Recruitment- Data Fiduciaries such as companies frequently engage interns who may be below 18 (eighteen) years of age. While human resource departments may need to collect certain personal data for onboarding purposes, the principle of data minimisation requires limiting collection to only essential details “necessary” to fulfil the “purpose” of data collection, in addition to obtaining parental consent. This would include collection of resumes and details of education, as well as name, date of birth and contact information.
Thus, for social media platforms, educational institutions, and other interactions involving children, Data Fiduciaries must move away from routine collection and retention practices and embed minimisation into their operational design.
Verifiable Parental Consent: Balancing Reliability and Privacy
To counter issues involving privacy, the European Commission launched an age verification pilot program on July 14, 2025 under the Digital Services Act to protect minors from harmful online content. This pilot, involving countries like Denmark, Greece, Spain, France and Italy tested a privacy-preserving age verification application and its integration with national identity sources and platforms. Furthermore, the system uses “zero knowledge proofs” to allow users to prove that they are over 18 (eighteen) years of age, without them having to share their exact identity or personal information.
India could, perhaps benefit from or take inspiration from such a program. A balanced framework for verifiable parental consent could include privacy preserving techniques such as tokenisation. This would avoid unnecessary retention of parental personal data while maintaining a clear documentation of the consent process in line with the requirement under the Draft Rules to rely on national identity platforms. This would further ensure accountability without excessive data retention.
However, in the case of government backed-tools such as DigiLocker – while they provide formal safeguards, however, they also raise concerns. The collection and storing of parental identification may itself generate privacy risks. Additionally, the reliance on digital identity systems may lead to exclusion of parents or guardians who lack access or digital literacy.
Conclusion
With the advent of the data protection regime and the implementation of the Draft Rules around the corner, compliance is no longer merely hypothetical but rather a statutory obligation for Data Fiduciaries. By prioritising minimisation and verifiable consent, Data Fiduciaries can demonstrate accountability and reduce risk while simultaneously aligning with the evolving expectations of India’s data protection landscape.
[1] Section 2(f), The Digital Personal Data Protection Act, 2023.
[2] Section 9, The Digital Personal Data Protection Act, 2023.
[3] The Draft Digital Personal Data Protection Rules were released for public consultation on January 3, 2025.
[4] Rule 11 read with Fourth Schedule, Part A of The Draft Digital Personal Data Protection Rules, 2025.
English
Chinese (Simplified)
Japanese