BACK TO DPDP ACT
DPDP Act 2023

Section 9

Processing of Personal Data of Children

THE STATUTE

Original Text

(1) A Data Fiduciary shall, before processing any personal data of a child, obtain verifiable consent of the parent of such child or of the lawful guardian, as the case may be, in such manner as may be prescribed. (2) A Data Fiduciary shall not undertake such processing of personal data of a child that is likely to cause any detrimental effect on the well-being of the child. (3) A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. (4) The Central Government may, by notification, exempt any class of Data Fiduciaries or any processing from the application of this section, subject to such conditions as may be prescribed.

Simplified

[DPDP Rules 2025 — Rules 10, 11, 12 and Fourth Schedule operationalise this section; in force 13 May 2027] Section 9 is the DPDP Act's most protective provision — and deliberately so. Children's data attracts the highest penalty (₹250 crore under Section 33) and the most prescriptive restrictions. The section operates on three levels. First, verifiable parental consent: before processing any personal data of a child (defined as a person under 18), the Data Fiduciary must obtain consent from the parent or lawful guardian. The word 'verifiable' is crucial — a checkbox saying 'I confirm I am over 18' does not satisfy Section 9. The DPDP Rules will specify what verification methods are acceptable, expected to include options such as DigiLocker-based age verification, parental consent tokens, or OTP-verified parent accounts. This creates a significant engineering and UX challenge for consumer-facing platforms — age-gating at registration is insufficient; the Fiduciary must have a mechanism to actually verify that the person giving consent is the child's parent and that the user is in fact a child. Second, no detrimental processing: even with parental consent, processing that is likely to cause detrimental effect on the child's well-being is prohibited. This is deliberately open-ended — it goes beyond physical harm to psychological, developmental, and social harms, covering addictive design patterns, content that promotes body image issues, or processing that causes social exclusion. Third, absolute prohibitions: regardless of consent, two categories of processing are unconditionally banned for children — tracking or behavioural monitoring, and targeted advertising. A children's gaming app cannot profile children's play patterns for ad targeting. A social media platform cannot use children's data to build psychographic profiles. These prohibitions cannot be contracted around even with parental consent. Section 9(4) allows the Central Government to exempt certain classes of Data Fiduciaries or processing from Section 9's requirements — expected to be used for categories like educational platforms providing academic services, healthcare providers, and possibly platforms where the child's data is incidental to a parental service. These exemptions will likely be prescribed with conditions (e.g., educational platforms exempt only for in-scope educational processing). Comparison with global standards: Section 9 is comparable to COPPA (US) in requiring parental consent, to the UK Age Appropriate Design Code in restricting behavioural processing, and goes beyond both in its absolute prohibition on behavioural monitoring even with consent.

Common Queries

Any person under 18 years of age. The DPDP Act does not follow the tiered approach of some jurisdictions (such as GDPR's 13-16 age of digital consent) — every person under 18 is a child for the purposes of Section 9, requiring parental consent for all processing of their personal data.
The DPDP Rules will specify the exact methods. Likely options include: Aadhaar/DigiLocker-based identity verification of the parent, parental OTP authentication, or other government-approved digital verification mechanisms. A simple age declaration checkbox by the child will not satisfy the 'verifiable' standard.
The Central Government is expected to notify exemptions under Section 9(4) for educational platforms providing age-appropriate academic services. Until such an exemption is notified, schools and edtech platforms processing student data technically need verifiable parental consent. Watch for the DPDP Rules for the specific exemptions.
No. Section 9(3) absolutely prohibits tracking, behavioural monitoring, and targeted advertising directed at children — even with parental consent. These are unconditional prohibitions that cannot be waived by anyone.
The Act does not define this precisely, leaving interpretation to the Data Protection Board and courts. It is expected to cover psychological harm (anxiety, addiction), developmental harm (exposure to inappropriate content), social harm (data-driven exclusion), and physical safety risks. Data Fiduciaries should apply a precautionary standard.

Legal Context

Children's data protection was a key concern in all drafts of the Indian data protection bill from the Srikrishna Committee onwards. The 2018 Committee report and 2019 Bill both had specific children's data provisions. The JPC 2021 report recommended strengthening these provisions. The final DPDP Act 2023 adopts a strict consent-and-prohibition model rather than the UK's 'best interests of the child' design standard — a choice that simplifies compliance testing but may miss some harms the best-interests standard would catch.

Key Rules & Provisions

Verifiable parental consent mandatory — self-declaration of age by the child is insufficient.

Absolute prohibition on tracking, behavioural monitoring, and targeted advertising of children — not contractable away even with parental consent.

Highest penalty (₹250 crore) for violations — signals legislative priority.

Central Government exemption power for educational, health, and other beneficial processing categories.

Rule 10 (DPDP Rules 2025): verifiable parental consent — identity verified via existing KYC, government-issued virtual token, or DigiLocker.

Rule 11: lawful guardian consent for persons with disability requires court/authority appointment verification.

Fourth Schedule Part A: healthcare providers, educational institutions, crèches, and school transport operators exempt from §9(1) and §9(3).

Fourth Schedule Part B: email account creation, real-time location safety tracking, content filtering, and age-confirmation processing also exempt.

Related Case Laws

K.S. Puttaswamy v. Union of India (2017)

(2017) 10 SCC 1
RELEVANCE

The constitutional right to privacy recognised in Puttaswamy provides the foundation for heightened protection of children's data — children's informational self-determination is particularly acute given developmental vulnerabilities.