Section 9 DPDPA

Processing of personal data of children.


9.(1) The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed.

Explanation.—For the purpose of this sub-section, the expression “consent of the parent” includes the consent of lawful guardian, wherever applicable.

(2) A Data Fiduciary shall not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child.
(3) A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.
(4) The provisions of sub-sections (1) and (3) shall not be applicable to processing of personal data of a child by such classes of Data Fiduciaries or for such purposes, and subject to such conditions, as may be prescribed.
(5) The Central Government may, if satisfied that a Data Fiduciary has ensured that its processing of personal data of children is done in a manner that is verifiably safe, notify for such processing by such Data Fiduciary the age above which that Data Fiduciary shall be exempt from the applicability of all or any of the obligations under sub-sections (1) and (3) in respect of processing by that Data Fiduciary as the notification may specify.

Applicable DPDP Rule 2025

Rule 10: Verifiable Consent for Processing of Personal Data of Child or of Person with Disability Who has Lawful Guardian
Rule 11: Exemptions from certain obligations applicable to processing of personal data of child

Read More on The Rule 10 of DPDP Rules and its Legal Interpretation

Read more on BLOG : Childrens of illiterate parents BANNED from social media IN INDIA?

Read more on BLOG : Consent under DPDPA - Comprehensive Understanding

Section 10 DPDPA →
DPDPA
Table of contents


Report error

Legal Interpretation of the

Section 9 of the Digital Personal Data Protection Act, 2023 (DPDPA)

1. Purpose and Scope of Section 9

Purpose: To establish specific rules and safeguards for processing the personal data of children, including mandatory parental consent and prohibitions on harmful processing.

Scope: Applies to all Data Fiduciaries processing personal data of individuals below 18 years, with stricter obligations for Significant Data Fiduciaries.

Age Limits for Defining Children in Different Countries

  • India: Below 18 years
  • European Union (GDPR): Below 16 years (member states can lower to 13 years)
  • United States (COPPA): Below 13 years
  • United Kingdom (UK GDPR): Below 13 years
  • Australia: Below 18 years, though 15 is often considered mature for consent
  • China (PIPL): Below 14 years
  • Canada: Below 18 years, though provinces may differ

2. Alignment with Constitutional Principles and Other Indian Laws

Right to Privacy: Recognized as a fundamental right under Article 21 in Justice K.S. Puttaswamy v. Union of India (2017), requiring enhanced protection for children.

Indian Contract Act, 1872: Prohibits children from entering legal contracts, reinforcing the need for parental consent.

IT Act, 2000: Penalizes unauthorized access and misuse of personal data, indirectly protecting children's data.

Juvenile Justice Act, 2015: Protects the welfare and rights of children, aligning with data protection obligations.

3. Practical Examples and Illustrations

  • Social Media Platforms: Platforms require parental consent for account creation by users under 18.
  • Educational Apps: E-learning apps obtain parental consent before collecting children’s names and learning preferences.
  • Online Gaming: Games require parental consent for in-app purchases for minors.
  • Healthcare Services: Medical apps use encryption and parental consent to store a child’s medical data.

4. Implications for Data Fiduciaries and Data Principals

For Data Fiduciaries:

  • Operational Complexity: Implement systems for verifying parental consent.
  • Compliance Costs: Increased obligations for Significant Data Fiduciaries.
  • Legal Risks: Non-compliance may lead to penalties or reputational damage.

For Data Principals:

  • Parental Awareness: Parents must monitor the platforms and services their children use.
  • Children’s Rights: Ensures protection of children’s data privacy.
  • Enhanced Trust: Safeguards build trust in digital platforms targeting children.

5. Summary of Safeguards to Prevent Misuse

  • Parental Consent: Mandatory for processing data of children under 18.
  • Prohibition on Profiling: Avoid creating behavioral profiles for marketing purposes.
  • Data Minimization: Collect only the data necessary for the service provided.
  • Retention Policy: Delete children’s data once the purpose is fulfilled or upon adulthood.
  • Transparency: Provide clear, child-friendly notices about data processing activities.
  • Security Measures: Encrypt children’s data to prevent unauthorized access.

Conclusion

Section 9 of the DPDPA establishes a strong framework for protecting children’s data. By requiring parental consent and prohibiting harmful processing, it aligns with constitutional principles and international best practices. Robust safeguards ensure that children’s data is handled responsibly and ethically.

Read More on The Rule 10 of DPDP Rules and its Legal Interpretation

Read more on BLOG : Childrens of illiterate parents BANNED from social media IN INDIA?

Read more on BLOG : Consent under DPDPA - Comprehensive Understanding

© 2025 Advocate (Dr.) Prashant Mali