Prohibition on Behavioral Tracking
Plain English Translation
Under Section 9(3) of the Act, there is an absolute prohibition on the tracking or behavioral monitoring of children India mandates. This means you cannot monitor a child's activity across your app or website to build a profile, nor can you engage in serving ads to minors India based on their behavior. Unlike adults who can consent to tracking, children are off-limits for any form of ad-tech surveillance. Your systems must actively detect if a user is a minor and immediately suppress any data collection used for analytics, profiling, or targeted marketing, ensuring total compliance with the targeted advertising ban DPDP.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Manually disable Google Analytics and Facebook Pixel on pages dedicated to children.
- Update the privacy policy to state no ads are shown to kids.
- Do not collect IDFA/GAID for users who self-identify as under 18.
Required Actions (scaleup)
- Implement a dynamic `is_child` flag in the identity management system that automatically toggles off tracking features.
- Audit third-party SDKs to ensure they are not silently collecting behavioral data.
- Differentiate between contextual advertising vs targeted advertising in the ad server configuration.
Required Actions (enterprise)
- Deploy Privacy-Enhancing Technologies (PETs) to strip personal identifiers before data hits any analytics pipeline.
- Automated regression testing to ensure no new release accidentally enables trackers for child accounts.
- Real-time monitoring of network traffic to detect and block unauthorized profiling of children ban violations.
While not defined in the definitions clause, in the context of Section 9(3), it implies observing the actions, habits, or preferences of a child over time to create a profile or predict behavior.
Section 9(3) prohibits 'targeted advertising directed at children'. This implies ads based on user profiles or behavior are banned. Non-targeted, purely contextual ads may be permissible if they involve no tracking.
The Act explicitly bans 'targeted advertising' and 'tracking'. Contextual advertising (ads based on the current page content without tracking the user) is generally distinct from targeted advertising, but care must be taken to ensure no underlying tracking occurs.
Yes. Section 9(3) states the Data Fiduciary shall not undertake tracking. It makes no distinction between first-party or third-party tracking; any monitoring of a child's behavior is prohibited.
Implement age-gating signals (e.g., `is_minor=true`) that conditionally prevent the loading of ad SDKs, analytics scripts, and marketing cookies for those user sessions.
Breach in observance of additional obligations in relation to children under Section 9, including the ban on tracking, can attract a penalty extending to two hundred crore rupees.
Section 9(4) allows the Central Government to prescribe exemptions. Certain classes of Fiduciaries (like educational institutions) may be allowed to process data if it is for the 'safety of a child', but this requires specific notification.
The Act applies to 'personal data' (Section 2(t)). If data is truly anonymized (not just pseudonymized) such that the child is no longer identifiable, it falls outside the Act. However, tracking usually requires identification to link behaviors.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-08 | WatchDog Security GRC Wiki Team | Initial publication from DPDP Workbook |
