DPDP Rules 2025 Phase 3 (13 May 2027) CHILDREN

Rule 6

Processing of Personal Data of Children and Persons with Disabilities

Practical Note

Rule 6 is the highest-penalty-risk rule for consumer-facing platforms. Any platform that children may use must implement age verification and verifiable parental consent. The 'behavioural tracking' prohibition is technology-neutral — algorithmic profiling, personalised advertising, and targeted content recommendation are all caught. The practical implementation challenge is age verification without creating privacy risks for adults. Watch for Central Government standards on age verification methods.

THE STATUTE

Original Text

(1) For the purposes of sub-section (1) of section 9, a Data Fiduciary shall, before processing any personal data of a child, obtain verifiable consent of the parent or guardian of such child, in such manner as may be specified, having regard to the available technology.

(2) The Central Government may, by notification, exempt any class of Data Fiduciaries from the requirement of verifiable parental consent for processing personal data of children, subject to specified conditions.

(3) No Data Fiduciary shall process personal data for the purpose of —
(a) tracking or behavioural monitoring of children;
(b) targeted advertising directed at children.

Analysis & Details

Rule 6 operationalises the stringent child data protections in Act Section 9. The core requirements are:

VERIFIABLE PARENTAL CONSENT: Before processing any personal data of a child (under 18), the Data Fiduciary must obtain consent from the child's parent or guardian — and that consent must be 'verifiable', meaning the Data Fiduciary must take reasonable steps to confirm that the consenting individual is actually the child's parent or guardian. The technical means of verification are left to Central Government specification, reflecting the need for age verification technology to develop. Current likely approaches include: government ID verification (Aadhaar/DigiLocker), telephone number matching (parent's number vs registered number), and third-party age verification services.

BEHAVIOURAL TRACKING PROHIBITION: Rule 6 absolutely prohibits (no consent exception) processing child data for: tracking or behavioural monitoring of children; and targeted advertising directed at children. This is a categorical ban — unlike GDPR Article 8 which focuses on consent validity, not on prohibiting specific processing types. In practice, this means: social media algorithms cannot profile children; targeted advertising networks cannot serve ads to identified children; behavioural analytics cannot track children's online activity. The prohibition is technology-neutral — it covers algorithmic recommendation, user profiling, ad targeting, and similar techniques regardless of the technology used.

EXEMPTIONS: The Central Government can exempt classes of Data Fiduciaries from verifiable parental consent — for example, educational platforms serving children, health services, and emergency services are likely candidates for conditional exemption. No exemptions have been notified as of the Rules' commencement.

GDPR Parallel

Article 8 (Children's consent online) + Article 22 read with Recital 71

IT Act Impact

Rule 6's child protection provisions significantly strengthen protections beyond the IT Act's Section 67B (which only criminalised child pornography). The comprehensive behavioural tracking prohibition is new — the IT Act had no equivalent.

Common Queries

Under 18 years. Any person under 18 is a 'child' for DPDP purposes. Before processing their personal data, the Data Fiduciary must obtain verifiable consent from their parent or guardian. This is higher than GDPR (which sets 16 as the default, with Member States able to lower to 13) and COPPA in the US (13).
Yes, but only with verifiable parental consent and without using the child's data for behavioural tracking or targeted advertising. Social media platforms must: (1) implement age verification mechanisms; (2) obtain and verify parental consent before the child creates an account; (3) absolutely not profile the child's behaviour or serve targeted ads to the child. Platforms that fail to comply face penalties up to ₹200-250 crore.
Behavioural monitoring includes: algorithmic profiling of a child's online behaviour; tracking browsing, viewing, or purchasing history; personalised content recommendation based on past behaviour; targeted advertising using the child's profile; and any other form of automated analysis of a child's online activity to build a profile or make decisions about them. The prohibition is absolute — no consent from the parent can override it.
Rule 6 requires 'verifiable' parental consent but leaves the technical standards for verification to Central Government specification. Likely acceptable methods include: verification through DigiLocker-linked parental identity documents, Aadhaar-based parent-child relationship verification, mobile number matching (parent's registered number), and third-party age verification services. Simple self-declaration ('I confirm I am the parent') is unlikely to satisfy the verifiability requirement.

Key Rules & Provisions

Age threshold: under 18 — higher than GDPR (16) and most global standards (13).

Verifiable parental consent required — self-declaration insufficient.

Absolute prohibition on behavioural tracking and targeted advertising to children — no consent exception.

Central Government may exempt specific categories (e.g., educational platforms) subject to conditions.

Technical verification standards to be specified separately — Aadhaar/DigiLocker likely.