Protecting Children's Data: Special Obligations for Businesses

Jerisaliant

Author

The Vulnerability of Digital Natives

Children are the most active yet most vulnerable users of the internet. The DPDPA 2023 recognizes this and places a protective ring around the data of individuals under the age of 18.

Verifiable Parental Consent

The golden rule for processing children's data is obtaining **verifiable consent** from the parent or lawful guardian. The challenge for businesses is the "verifiable" part. Simply asking "Are you 18?" is no longer sufficient. Mechanisms may include:

  • Token-based verification.
  • Aadhaar-based age verification (subject to privacy norms).
  • Consent routing through registered Consent Managers.

Strict Prohibitions

To prevent exploitation, the Act explicitly prohibits:

  • Tracking and Behavioral Monitoring: You cannot track a child's activity to build a profile.
  • Targeted Advertising: Ads based on a child's data are banned. Contextual ads (based on the content of the page, not the user) may still be permissible.
  • Detrimental Processing: Any processing that is likely to cause any detrimental effect on the well-being of a child is forbidden.

Exemptions

The Government may notify certain exemptions where the processing is "verifiably safe," but until then, businesses must adopt a conservative approach: treat all users as potential minors until proven otherwise, or implement strict age-gating.
