Obligations of Data Fiduciaries towards Children under the DPDP Act, 2023: Parental Consent and Restrictions on Profiling/Advertising

Executive Summary
India’s Digital Personal Data Protection Act, 2023 (DPDP Act) imposes stringent obligations on Data Fiduciaries processing the personal data of children. Any individual under 18 years of age is classified as a child, and fiduciaries must obtain verifiable parental consent before processing their personal data. In addition, the Act expressly prohibits tracking, monitoring, targeted advertising, and profiling of children.
India’s threshold of 18 years is significantly stricter than global standards such as the GDPR (13–16 years) and COPPA (13 years). This high bar creates substantial compliance challenges for ed-tech providers, gaming platforms, social media companies, and e-commerce players engaging with teenage users.
Introduction: Why Children’s Data Needs Special Protection
Children are more vulnerable to manipulation, exploitation, and privacy harms. They often lack the capacity to understand the consequences of sharing data online. Recognising this, the DPDP Act creates special obligations for fiduciaries when dealing with children’s personal data.
The two key pillars are:
1. Verifiable parental consent for all processing of children’s data.
2. Prohibition of harmful practices, including tracking, profiling, or targeted advertising directed at children.
Statutory Framework under the DPDP Act
The DPDP Act mandates that, before processing the personal data of a child (defined as any person under 18 years), fiduciaries must obtain verifiable parental consent.
Fiduciaries are prohibited from:
- Engaging in tracking or behavioral monitoring of children.
- Conducting targeted advertising directed at children.
- Undertaking profiling that may have a detrimental impact.
The Under-18 Threshold: A Stricter Standard
India’s Approach: By setting the threshold at 18 years, India diverges significantly from global practice. This reflects India’s socio-cultural and legal framework, where 18 is the age of majority.
Global Comparisons
- GDPR (EU): Default age is 16, with Member States permitted to lower it to 13.
- COPPA (U.S.): Applies to children under 13.
- LGPD (Brazil): Parental consent required for under 13.
- PDPA (Singapore): Parental consent generally required for under 13.
India’s higher bar means that teenagers (13–17 years), who elsewhere may consent independently, require parental consent in India.
Business Impact
- Platforms popular among teenagers (gaming, social media, streaming) face increased compliance burdens.
- Verifying parental consent for millions of teen users may disrupt user acquisition.
- Risk of alienating teenage consumers if parental consent becomes cumbersome.
Parental Consent Requirement
Meaning of Verifiable Consent: The DPDP Act requires not just parental consent but verifiable parental consent, placing the burden on fiduciaries to authenticate it.
Practical Mechanisms
- OTP verification linked to parent’s mobile number.
- Upload of identity documents establishing parental relationship.
- Use of digital signature or Aadhaar-based authentication (subject to legal feasibility).
Challenges
- Verifying millions of users in a scalable manner.
- Risk of excluding teenagers without easy parental access.
- Balancing verification with privacy and user experience.
Prohibition on Profiling, Tracking, and Targeted Advertising
- Profiling: Using data to build behavioral or psychological profiles.
- Tracking: Monitoring online activities, such as browsing history or app usage.
- Targeted Advertising: Delivering ads based on children’s data.
Implications
- Ed-tech apps cannot profile students for advertising or adaptive learning without parental oversight.
- Gaming platforms cannot track in-game behavior to push paid features.
- Social media companies cannot deliver algorithmic ads to minors.
Grey Areas
- Whether contextual advertising (non-personalised ads) is permitted remains unclear.
- Whether anonymised analytics on children’s behavior qualifies as “profiling” will need regulatory clarification.
Sectoral Implications
Ed-Tech Platforms
- Heavily impacted as primary users are children.
- Must obtain verifiable parental consent during onboarding.
- Cannot profile students for marketing courses or coaching services.
Gaming Platforms
- Popular among teenagers.
- Must integrate robust age verification and parental consent systems.
- Cannot use behavioral tracking to design monetisation strategies.
Social Media and Entertainment
- Platforms with teen-heavy user bases must either restrict under-18 accounts or overhaul advertising models.
- Restrictions may lead to “teen-only safe modes” with limited features.
E-Commerce and Retail
- Platforms offering teen-oriented products must secure parental consent before processing purchase data.
- Cannot deliver personalised recommendations or ads to under-18 accounts.
Healthcare and Health-Tech
- Apps offering fitness, wellness, or teleconsultation services to teenagers must obtain parental consent.
- Cannot track behavioral data for commercial insights.
Hypothetical Examples
- Ed-Tech: A 16-year-old attempts to sign up for an online tutoring app. The platform must route the process through a parental verification step (e.g., OTP sent to parent’s registered mobile).
- Gaming: A 15-year-old spends hours on an online game. The platform cannot profile him to predict when to push microtransactions.
- Social Media: A 17-year-old uses a photo-sharing app. The platform cannot serve targeted ads based on browsing history or interactions.
- E-Commerce: A 14-year-old browses a sports retailer’s app. The platform cannot recommend products based on his browsing profile without parental consent.
Comparison with Global Frameworks
- GDPR (EU): Requires parental consent for children under 13–16 (depending on country). Prohibits unfair profiling but allows certain teen-directed content with safeguards.
- COPPA (U.S.): Requires parental consent for under 13. Allows consent via credit card, signed forms, or video chat verification.
- LGPD (Brazil): Requires parental consent for under 13. Provides for simplified notices for children.
- PDPA (Singapore): Requires parental consent for under 13. Emphasises practical, proportionate safeguards.
Compliance Strategies for Fiduciaries
1. Age Verification Systems: Implement reliable age-gating (e.g., date-of-birth entry cross-checked with ID).
2. Parental Verification Mechanisms: Use OTP-based parental consent, integrate with government-issued IDs, and consider scalable verification services.
3. Default Child-Safe Settings: Restrict data collection to the minimum required, and disable tracking and ad personalisation by default.
4. Transparent Notices: Provide child-friendly explanations in simple language, and translate them into multiple languages.
5. Internal Controls: Maintain records of parental consent, and conduct DPIAs for child-focused services.
Risks of Non-Compliance
- Financial Penalties: Up to ₹250 crore per breach.
- Operational Disruption: Platforms may be forced to suspend services to minors if consent systems fail.
- Reputational Damage: Public backlash for mishandling children’s data can be severe.
- Regulatory Scrutiny: Child-focused industries will be under heightened oversight.
Conclusion & Key Takeaways
The DPDP Act imposes one of the world’s strictest child data protection regimes, requiring verifiable parental consent for under-18s and prohibiting profiling, tracking, and targeted advertising.
Key takeaways:
- Fiduciaries must design onboarding systems that integrate parental consent.
- Platforms with teen users must rethink advertising and monetisation models.
- Compliance requires age verification, parental authentication, safe defaults, and DPIAs.
- Non-compliance risks not just penalties but also reputational harm.
For businesses, protecting children’s data is not merely a regulatory obligation but a trust imperative. Companies that embrace child-centric privacy by design will emerge as leaders in India’s rapidly evolving digital ecosystem.
Co-authored by Aurelia Menezes