Child Data Protection Rules 2025 Under India’s DPDP Act
Chakrapani KVC | 25 Nov 2025 | 4 Feb 2026
In a world where children are growing up online before they can even spell their own names, child data protection is no longer a checkbox—it’s a moral imperative and a regulatory priority. As India prepares for the Child Data Protection Rules 2025 under the DPDP Act, every organization handling young users’ data is standing at a crucial crossroads.
The rules aren’t just about compliance; they signal a new era of accountability, transparency, and ethical responsibility. With stricter verification mandates, heightened consent requirements, and sharper penalties on the horizon, the spotlight is now firmly on how businesses safeguard children’s digital footprints. Are you ready for what’s coming next?
Parental Consent Requirement Under the DPDP Act
The newly released Digital Personal Data Protection (DPDP) Rules 2025 say that online platforms must check the age and identity of the individual identifying as a parent when obtaining verifiable parental consent for processing the data of an under-18 user.
The DPDP Act, notified in August 2023, says that platforms cannot process the data of anyone under 18—who the act classifies as a ‘child’—before obtaining verifiable parental consent from the parent or lawful guardian of such an individual.
They must take “appropriate technical and organizational measures” to ensure that they obtain this consent before processing the data of a child.
When a child’s personal data is involved, verifiable consent from a parent or guardian is required unless the processing relates to essential services such as healthcare, education or real-time safety.
Key Child Data Protection Rules in DPDP Act You Must Know
Definition of “Child”:
- A child is defined as any individual under 18 years of age.
- Data Principal includes the child and their parent or lawful guardian.
Verifiable Parental / Guardian Consent:
- Mandatory before any processing of children’s data.
- Rule 10 operationalizes this requirement with technical measures like OTP, ID verification, and secure portals.
- Consent must be easy to give and withdraw.
Prohibited Activities:
- Strict prohibition on behavioral tracking, profiling, and targeted advertising directed at children.
- Intended to prevent exploitation and manipulation of minors.
Purpose Limitation & Data Minimization:
- Collect only necessary data for lawful purposes.
- Retention periods specified, advance notice before deletion.
Special Provisions for Children with Disabilities:
- Rule 11 allows processing by lawful guardians for essential services like healthcare and education.
Exemptions for Essential Services:
- Rule 12 permits processing without parental consent for essential services such as safety monitoring and transportation.
Role of Significant Data Fiduciaries (SDFs):
- Entities handling large-scale or sensitive children’s data must register as SDFs.
- Annual DPIAs, audits, and appointments of Data Protection Officers are mandatory.
Technical & Governance Measures:
- Implement encryption, access controls, and breach notifications within 72 hours.
- Consent Managers must maintain interoperable platforms and retain records for 7 years.
Rights of Children / Principals:
- Children/guardians have rights to know, access, correct, delete, and withdraw consent at any time. Withdrawal must be as simple as granting consent, with links provided in notices.
Best Interests & Evolving Capacity:
- Fiduciaries must consider factors like maturity, disabilities, and social environment.
- Respect evolving capacities of children in compliance decisions.
Penalties & Enforcement:
- Monetary penalties for violations range up to ₹200–250 crore, especially for breaches involving children’s data.
Data Protection Board of India (DPBI):
- DPBI enforces the rules, and appeals go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Grievance:
- Grievances must be resolved within 90 days, and DPO details must be made public.
Global Comparison:
- India’s threshold of under-18 is stricter than COPPA (under-13) and GDPR (13–16).
Implementation Timeline:
- Initial notification in November 2025; full compliance within 18 months.
Compliance Checklist
A practical compliance checklist helps organizations quickly align with Child Data Protection Rules under the DPDP Act. It ensures they verify age, obtain parental consent, implement strong safeguards, avoid prohibited activities, maintain clear retention policies, and document every action to demonstrate continuous compliance.
| Area | Requirement |
| --- | --- |
| Age Definition | Child = under 18 years; parent/guardian is Data Principal |
| Parental Consent | Rule 10: Verifiable consent before processing |
| Use Restrictions | No profiling, tracking, or targeted ads |
| Data Minimization | Collect only necessary data; notify before deletion |
| Exemptions | Essential services and children with disabilities |
| SDF Safeguards | Annual DPIA, audits, and DPO appointment |
| Security Measures | Encryption, breach notification within 72 hours |
| Transparency | Clear notices, easy withdrawal of consent |
| Penalties | Fines up to ₹200 crore; DPB enforcement |
Comparison with Global Standards
- Age threshold of under 18 extends protections beyond COPPA (<13) and GDPR (13–16).
- Consent mechanics align with COPPA 2024 amendments, including no targeted ads and retention limits.
- Indian rules resonate with US state privacy laws restricting profiling and targeted ads for minors.
Consent Managers provide a regulated, neutral, standardized channel ensuring that consent under DPDP is informed, verifiable, revocable, and securely managed. Governed by Rule 4, First Schedule, BRD guidance, and DPB oversight, they elevate consent processes to meet global interoperability and build trust in India’s digital landscape.
Consent Withdrawal
Under the DPDP Rules 2025, consent withdrawal is designed as a user-first, transparent, and enforceable right:
- Easily accessible—via clear notices and dedicated interfaces
- Purpose-specific—granular selection for different data uses
- Instant enforcement—cessation of related data processing
- Logged and verifiable—ensuring accountability and auditability
- Monitored by DPBI and Consent Managers—supporting user experience, fairness, and compliance
This approach aligns with global best practices and ensures meaningful control for Data Principals over how their personal data is used.
Protection Measures for Log Data

Encryption at Rest and in Transit
- All consent and withdrawal logs must be encrypted using strong algorithms (e.g., AES-256).
- Secure transport protocols (TLS) for any API or data exchange.
Access Control
- Logs are accessible only to authorized personnel (e.g., DPO, compliance team).
- Role-based access and multi-factor authentication for internal systems.
Tamper-Proof Storage
- Logs must be immutable—often implemented via:
  - Hashing or blockchain-based audit trails.
  - Digital signatures to verify integrity.
Separation of Data
- Logs store metadata only (Consent ID, timestamp, purpose withdrawn), not actual personal data.
- This minimizes risk if logs are compromised.
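An added example (not from the original article and not a format prescribed by the DPDP Rules): a minimal hash-chained, keyed-MAC withdrawal log that accepts only the metadata fields listed above. HMAC-SHA256 stands in here for the digital signature, and the field names, key and sample records are constructed assumptions.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # prev_hash used for the first entry
ALLOWED = {"consent_id", "timestamp", "purpose_withdrawn"}  # metadata only

def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_entry(log, key, record):
    """Append a withdrawal record, chained to the previous entry and MACed."""
    extra = set(record) - ALLOWED
    if extra:  # refuse names, phone numbers, etc. in the audit log
        raise ValueError(f"field not allowed in log: {sorted(extra)}")
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry_hash = _digest(prev_hash, record)
    mac = hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()
    log.append({"record": dict(record), "prev_hash": prev_hash,
                "hash": entry_hash, "mac": mac})
    return entry_hash

def verify_log(log, key):
    """Return the index of the first bad entry, or -1 if the chain is intact."""
    prev_hash = GENESIS
    for i, e in enumerate(log):
        expected = _digest(prev_hash, e["record"])
        mac = hmac.new(key, expected.encode(), hashlib.sha256).hexdigest()
        if (e["prev_hash"] != prev_hash or e["hash"] != expected
                or not hmac.compare_digest(e["mac"], mac)):
            return i
        prev_hash = e["hash"]
    return -1

def demo():
    key = b"constructed-demo-key"  # assumption: a real key lives in a KMS/HSM
    log = []
    append_entry(log, key, {"consent_id": "C-1001", "purpose_withdrawn": "marketing",
                            "timestamp": "2025-11-25T10:00:00Z"})
    append_entry(log, key, {"consent_id": "C-1002", "purpose_withdrawn": "analytics",
                            "timestamp": "2025-11-25T10:05:00Z"})
    intact = verify_log(log, key)
    log[0]["record"]["purpose_withdrawn"] = "none"  # simulated tampering
    return intact, verify_log(log, key)
```

The chain detects edits, reordering and removal of earlier entries, but not truncation of the newest ones; detecting that requires recording the latest hash somewhere outside the log store.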
Retention & Secure Deletion
- Logs retained for 7 years (Consent Managers) or as per fiduciary audit rules.
- After retention period, logs must be securely erased using certified deletion methods.
Monitoring & Alerts
- Continuous monitoring for unauthorized access attempts.
- Breach detection and reporting within 72 hours to DPB.
Audit & Compliance
- Regular security audits and DPIAs (Data Protection Impact Assessments).
- Logs must be verifiable for DPB inspections without exposing personal data.
These points constitute the core child-centric data protection regime introduced by the DPDP Act and Rules—designed to mirror global best practices while aligning with India’s unique demographic context. This protected regime places legal, technical, and operational responsibilities squarely on Data Fiduciaries and Significant Data Fiduciaries, with heavy penalties for non-compliance, ensuring robust safeguarding of children’s digital privacy in India.


