Personal data of any individual below 18 years of age, requiring verifiable parental consent for processing.
Under DPDPA, a child is any individual below 18 years of age. Processing children's data requires verifiable consent from the parent or lawful guardian before any collection occurs. The Act prohibits tracking, behavioural monitoring, and targeted advertising directed at children. Data Fiduciaries must not process children's data in any manner detrimental to their well-being. These are among the strictest provisions in the Act.
If your product has users under 18 — even incidentally — you must implement age verification, obtain parental consent, and disable tracking features for minors. Violations carry penalties up to Rs 200 crore.
An EdTech startup in Pune with students aged 14-18 must implement age gates, send OTP-verified consent requests to parents, and ensure no ad targeting or behavioural profiling occurs on minor accounts. The platform must also restrict data sharing with third parties for these accounts.
The age threshold is 18, not 13 as in US COPPA. Many Indian startups build for the 13+ threshold based on US law, but DPDPA requires parental consent for all users under 18.
DPDPA Shield automates Consent Management. See how →