Children's Data Under the DPDP Act: The Compliance Project Indian EdTech and Gaming Startups Should Start Now
The DPDP Rules, 2025 require verifiable parental consent before you process any under-18 user's data. Here's what Section 9 and Rule 10 mean for Indian edtech, gaming and consumer apps, and what to build now.
If your app has users under 18, children's data under the DPDP Act is about to become one of your harder compliance problems. The DPDP Act, 2023 treats everyone below 18 as a child, and the DPDP Rules, 2025 (notified on 13 November 2025) spell out what "verifiable parental consent" actually means in practice. For an Indian edtech platform, a mobile game, or a consumer app with a teenage user base, that is a design and engineering task, not a checkbox you tick the week before a deadline.
Here is the part most founders miss. A 17-year-old signing up for a coding bootcamp, a multiplayer battle royale, or a social app is legally a child in India. You cannot process their personal data until a parent or lawful guardian has given consent you can verify.
What Section 9 actually requires
Section 9 of the DPDP Act sets three obligations. Under Section 9(1), you must obtain verifiable consent from a parent or lawful guardian before processing a child's personal data. Section 9(2) bars any processing likely to cause a detrimental effect on a child's well-being. And Section 9(3) prohibits tracking, behavioural monitoring, and targeted advertising directed at children.
That third point tends to catch product teams off guard. Behavioural analytics, retargeting pixels, and personalised ad feeds are standard growth tooling. Applied to a user you know is under 18, they are off the table. If your monetisation model depends on ad targeting and a meaningful share of your users are minors, that is a business-model conversation, not just a privacy one.
The penalty for getting children's data wrong runs up to ₹200 crore per instance under the Act's schedule. That sits just below the ₹250 crore ceiling for a failure to maintain reasonable security safeguards.
How verifiable consent works under Rule 10
Rule 10 of the DPDP Rules, 2025 is where the abstract obligation becomes an implementation spec. A Data Fiduciary has to take reasonable technical and organisational measures to check that the person giving consent is an identifiable adult acting as the child's parent.
The Rules point to two workable routes. If the parent is already a registered, age-verified user of your service, you can rely on the identity and age details you already hold. Otherwise, you can use a virtual token mapped to government-issued identity and age details, with DigiLocker named as the reference mechanism. In that flow, the parent authenticates through DigiLocker, which issues an encrypted age token confirming they are an adult, without handing your systems the underlying Aadhaar or document.
Two things follow for your product roadmap. You need a reliable way to tell, at signup, whether a user is likely a child. And you need a parent-linking flow that produces a verification record you can show the Data Protection Board later. Neither is easy to retrofit onto an existing signup screen, which is why this belongs on the roadmap now rather than in early 2027.
The global backdrop is not theoretical
Regulators elsewhere are already writing cheques against children's-data failures, and the pattern is instructive. In December 2025, a US federal court approved a $10 million settlement between Disney and the FTC over children's data collected on YouTube. The core allegation was mundane and worth remembering: Disney set the audience label at the channel level instead of per video, so some child-directed videos were tagged "not made for kids," and data was collected and used for targeted advertising without parental consent. A labelling shortcut became a seven-figure penalty.
The United States also tightened its rules. Amendments to the Children's Online Privacy Protection Rule (COPPA) took effect on 23 June 2025, with a compliance deadline of 22 April 2026, expanding what counts as a child's personal information to include persistent identifiers and biometric data. In Europe, the Irish Data Protection Commission has issued GDPR fines of €345 million against TikTok and €405 million against Instagram over children's data handling. India's ₹200 crore ceiling sits comfortably within that global range.
None of this predicts how the Data Protection Board of India will act. It is a signal about where enforcement attention goes once a children's-data regime exists, and India now has one on the books.
What to do in the next two quarters
Start with discovery. Map where minors could plausibly enter your product, including places you did not design for them, like a parent sharing an account or a school bulk-enrolling students. A privacy impact assessment is a sensible way to document this rather than relying on hallway estimates.
Then look hard at your ad and analytics stack. If you cannot switch off behavioural tracking for known-minor accounts today, that is an engineering ticket to raise this quarter, not next year.
Design the parent-linking flow early and test it with real families. Age assurance and consent capture are the features users complain about most, and a clumsy DigiLocker handoff will cost you signups. Build the consent record so it is auditable: what was consented to, by whom, when, and how identity was checked.
Finally, write it down. A short internal policy on how you handle children's data, reviewed by someone who knows the DPDP Act compliance requirements, turns scattered decisions into something you can defend.
The substantive obligations, including the children's-data rules, are expected to take full effect around 13 May 2027. Eighteen-odd months is enough time to build age assurance, parent-linking, and consent-record infrastructure properly. It is not enough time to start in April 2027.
This article is general guidance for Indian businesses and not legal advice. For your specific situation, take professional counsel. If you want a starting point, our DPDP readiness checklist covers the first steps, and you can reach our team to talk through children's-data obligations for your product.
Get help implementing this
Turn this reading into a compliance plan.
Book a free 30-minute consultation. We'll map your DPDP Act exposure and give you a prioritized 90-day action list — no obligation.
Book a free 30-minute consultation