The internet is no longer a luxury for children. It has become an essential component of modern youth, facilitating learning, communication and various day-to-day activities. In 2025, internet usage or access among individuals in India is expected to cross 900 million.
However, children may lack the maturity to understand the risks and consequences associated with sharing personal data. Hence, there is a need to regulate the processing of personal data of children. Although parents are responsible for guiding children to navigate the complexities of this digital landscape, the law mandates organisations to play a significant role in protecting children’s data.
The Digital Personal Data Protection Act, 2023 (DPDP Act), imposes specific duties on organisations processing personal data of children. The publication of the Draft Digital Personal Data Protection Rules, 2025 (draft DPDP Rules), underscores the need for organisations to adopt a time- and cost-efficient approach in implementing the compliance-heavy rules.
Who is a child?
Section 2(f) of the DPDP Act 2023 defines a child as an individual who has not completed 18 years of age.
For the purposes of the law, a data principal (DP) includes a parent or the guardian of a child, in so far as children’s data is concerned.
Fundamental principles

Partner
Shivadass & Shivadass Law Chambers
Bengaluru
Tel: +91 98 1050 7391
Email: prashanth.shivadass@sdlaw.co.in
(1) Best interests of a child. Data fiduciaries (DFs) must ensure that they uphold the best interests of the child while processing personal data. All aspects impacting a child, including the following, shall be considered before making any decision on the best interests of the child: (a) Age and gender; (b) Intellectual disabilities; (c) Affinity to a minority group; (d) Level of maturity; (e) Social environment of the child; (f) Inequalities in literacy of the parents; (g) Race/caste; and (h) Physical, psychological and moral interests of a child.
(2) Evolving capacities of a child. A child progressively acquires competencies, understanding and increasing levels of agency, thereby gaining greater autonomy in exercising their rights. Although the DPDP Act, 2023 does not consider the principle of “evolving capacities of child”, a DF must be able to recognise the child’s capacity even if parental consent has been given to the processing of personal data. The DF must keep in mind the different age groups children fall under and their ability to cope with the risks associated with processing, as parental consent does not change the age of the child.
(3) Right to an open future. Parents’ autonomy over a child’s rights should not affect the future of the child. Digital footprints can last forever and children have a right to an open future. Hence, a DF must ensure that personal data of children is erased on fulfilment of the purpose.
Specific obligations

Associate
Shivadass & Shivadass Law Chambers
Bengaluru
Tel: +91 77 0886 6377
E-mail: shrigayathri@sdlaw.co.in
Section 9 of the DPDP Act 2023 provides for specific obligations of a DF, when it comes to processing children’s data, which include obtaining valid verifiable parental consent. In this regard, rule 10 of the draft DPDP Rules provides guidance on how to obtain verifiable parental consent.
Exemptions
Section 9(4) of the DPDP Act 2023 exempts a certain class of DFs, and the processing of data for certain specified purposes, from complying with the obligations that apply while processing children’s data.
Exempt data fiduciaries. Rule 11 read with schedule IV of the draft DPDP Rules exempts the following classes of DFs from the obligations contained under the DPDP Act 2023: clinical establishments, mental health institutions, and healthcare and allied professionals. Clinical establishments include hospitals, nursing homes, maternity homes, dispensaries, clinics or any institution offering services and facilities for diagnosis and care under a recognised system of medicine.
Can DFs track children?

Associate
Shivadass & Shivadass Law Chambers
Bengaluru
Tel: +91 94 4901 9515
Email: ananya.k@sdlaw.co.in
DFs are prohibited from tracking or undertaking behavioural monitoring of children. However, the draft DPDP Rules provide for exceptional circumstances, where a class of DFs may undertake tracking and behavioural monitoring of children.
In schedule IV of the draft DPDP Rules, educational institutions include those of learning and imparting education. However, clarity is needed on whether “platforms imparting education and learning” would qualify as an educational institution, as the meaning assigned to the term is wide enough to cover any institution imparting education and learning.
It may be possible that such DFs providing services relating to education may claim this exemption to fall outside the scope of the DPDP Act 2023. Until there is judicial clarity on this ambiguity, it is advisable for DFs to limit tracking and monitoring (which ideally generate performance reports) and not to process images and voices of children. In instances where video lectures are recorded (which includes videos of children), it is advisable to create new recordings for future batches rather than reusing existing ones.
The principles of purpose limitation and data minimisation also play a crucial role in such scenarios. Regular auditing and monitoring would enable DFs to ensure that the processing of children’s data complies with the law.
Similar circumstances also arise for wearable technology companies, i.e. those making smart watches, baby breathing monitors, heart rate monitoring devices, etc. Technically, these companies do not qualify as clinical establishments, even if their devices can help with health monitoring. Questions arise as to whether such companies can undertake fitness tracking and sleep/health monitoring, as the DPDP Act 2023 prohibits DFs from tracking or behavioural monitoring of children.
Additionally, data generated from glucose monitoring devices is essential for managing children’s diabetes and keeping them healthy, regardless of whether it comes from a clinical establishment or not. Further clarification is needed on whether parental consent can legitimise tracking measures aimed at protecting children’s health by entities that do not qualify as clinical establishments. In the interim, it is recommended these entities continue to follow mandates listed as part of the DPDP Act 2023 and the draft DPDP Rules 2025.
Compliance strategies
The following are compliance strategies that entities, DFs and parents must adopt:
- Entities undertaking tracking and behavioural monitoring to protect the health and safety of children must obtain parental consent and comply with obligations until clarifications are issued;
- Entities must take steps to identify their users and ensure that services accessed by children comply with the specific obligations under the law;
- Parental consent does not justify treating children like adults. Hence, DFs are to observe due diligence while processing children’s data, even if parental consent has been obtained;
- DFs must categorise children based on age group and undertake children impact assessments (data protection impact assessments, or DPIAs), to understand the maturity level of children and analyse whether the process has any detrimental impact;
- DFs must take reasonable efforts to verify the age of children. Apart from verifying the age through virtual mapping, DFs can opt for age estimation solutions offering anonymity during verification;
- DFs must ensure that parents have easy access to children’s data;
- DFs must ensure that consent mechanisms are children-centric, i.e. comics and videos, to educate children on privacy and consent considering the literacy rates in India; and
- DFs must ensure that only functional cookies are placed when children access their platforms.
SHIVADASS & SHIVADASS LAW CHAMBERS
The data privacy and protection practice at Shivadass & Shivadass stems from the team’s inherent understanding of technological advancements and opportunities in India.
We advise, strategise, and measure the entities’ strength against the backdrop of several legislations across the world and their potential impact in India. We advise MNCs, Indian entities and Indian startups on compliance best practices, ranging from notice and consent management, structuring privacy and cookie policies, cross-border data transfers, data minimization and retention, breach strategies, general agreements with third-party data processors, internal data mapping and compliance strategies, including training internal managements and teams, employee handbooks etc.
The team is also mindful of growing technology trends including AI, smart contracts, blockchain, cryptocurrency and digital assets, and advises clients pragmatically. Our data protection and privacy practice, along with our well-recognised competition & antitrust, intellectual property and tax practices, provides holistic and concrete next steps to clients.
#4/2, Millers Road, Level 3,
Bengaluru – 560 052
Tel : +91 80 4377 9955
Email: admin@sdlaw.co.in









