← All articles · 2 May 2026 · compliance.hjlabs.in

Children's Data Under DPDPA: Schools, Apps, Games

Section 9 of the DPDPA is one of the strictest children's data regimes in the world. If your platform might be used by anyone under 18, you have specific, non-negotiable obligations — and the penalty for failure is ₹200 crore. This affects EdTech, kids' gaming, social apps, and even general consumer apps with mixed audiences.

What Section 9 says, in plain English

For Data Principals under 18 ("children") and persons with disabilities who have a lawful guardian:

The Government may, by notification, lower the age threshold or exempt certain Data Fiduciaries (such as healthcare or education) from some of these requirements where they are demonstrably acting in the child's interest.

Who this applies to

Obviously: EdTech (Byju's, Vedantu, Doubtnut), kids' content (YouTube Kids competitors, kids' Bharti Airtel content), gaming platforms (Roblox, Free Fire, Garena), creator-economy apps with under-18 creators.

Less obviously: general consumer apps where minors might sign up despite a TOS prohibition. Instagram, Snapchat, Discord, BGMI, Dream11 — all of them face Section 9 exposure unless they have actually kept under-18s out.

What is "verifiable parental consent"?

The DPDPA Rules and analogous laws (US COPPA, UK Age-Appropriate Design Code) suggest the following methods, in increasing order of strength:

  1. Email plus self-declaration — weakest, generally not "verifiable" enough
  2. Credit/debit card transaction (small amount) — proves the parent is an adult
  3. Aadhaar-based verification — strongest in India, but raises its own privacy issues
  4. Video call or signed form — used by some EdTech for premium signups
  5. Government-issued ID upload — strong but high friction

The standard you choose should be commensurate with the data sensitivity. A free educational app for ages 10-14 might use card-transaction verification. A health app for adolescents needs ID-grade verification.

Age verification: the hardest problem

Before you even ask for parental consent, you need to know the user is a child. Age gates ("Are you over 18?") are notoriously easy to bypass. Best practice in 2026:

Prohibitions on tracking and advertising

This is the part that catches general consumer apps off guard. If a 16-year-old signs up to your e-commerce site (in violation of your TOS but still successfully) and you fire Facebook Pixel events, you are conducting behavioural tracking of a child — direct Section 9 violation, ₹200 crore exposure.

The defensive design pattern: separate logged-in (verified-adult) tracking from logged-out tracking, and disable all third-party advertising tags for users you cannot positively confirm as adult.

Schools and education-tech

Educational institutions and EdTech platforms have a specific carveout possibility: the Government may exempt processing for educational purposes by notified Data Fiduciaries. As of 2026, this notification has not been issued, so EdTech operates under the full Section 9 regime. Practical posture: parental consent at signup, no third-party advertising, parent dashboard for data review.

Health-tech and adolescents

Mental health apps, period trackers, and reproductive health platforms face an additional ethical question: a 17-year-old may legitimately need to access services without parental notification. The DPDPA does not yet have a clear "Gillick competence" doctrine like UK law. Until clarification, the safest posture is parental consent for under-18s + a separate counsel/help workflow that does not require consent.

The minimum compliance stack for child-facing platforms

  1. Robust age verification (not just an age gate)
  2. Verifiable parental consent flow (card, ID, or Aadhaar)
  3. Parent dashboard for data review, correction, deletion
  4. Disabled third-party advertising for child users
  5. No behavioural profiling or recommendation engines for child users
  6. DPO appointed (likely SDF designation pending)
  7. Privacy policy with a dedicated children's section — generate one

Bottom line

Section 9 is the third-rail of the DPDPA. The penalty is ₹200 crore, and the Data Protection Board is expected to enforce strictly given public concern over child safety online. If your platform might touch under-18s, treat Section 9 as a board-level priority, not a check-box. See checklist item 11.

Generate your DPDPA privacy policy

Free. Two minutes. Section-by-section references. English & Hindi.

Open the generator →

More from the blog