DPDP Rules for Children's Data (Under 18)
Liability Check
Processing children's data (under 18) without verifiable parental consent is a direct route to crippling penalties under the DPDP Act, with fines up to ₹250 Crore. This isn't just a guideline; it's a strict liability.
Why DPDP Rules for Children's Data (Under 18) is at Risk
The DPDP Act treats **children's data** with extreme sensitivity. Any Data Fiduciary processing data of individuals under 18 must obtain **verifiable parental consent** or consent from a lawful guardian. This applies across the board, from ed-tech platforms in Bengaluru to gaming apps in Gurugram. The law explicitly prohibits processing data that could cause **detrimental effect** to a child, or for targeted advertising based on their data. This isn't just about privacy; it's about **child protection**, and the Data Protection Board will scrutinize this heavily.
Common Violations
- 1.Failing to implement a robust, verifiable **parental consent mechanism** before processing data of users under 18.
- 2.Engaging in **targeted advertising** directly at children or profiling them based on their personal data.
- 3.Processing children's data (e.g., location, browsing history) in a manner that could cause **detrimental effect**, even if consent was obtained.
The Immediate Fix
Immediately conduct an **age gate review** across all user-facing platforms. Implement a clear, verifiable parental consent flow for any user identified or reasonably expected to be under 18, utilizing methods like OTP verification to a parent's number or school IDs.
Projected Compliance Deadline: Immediate