Verifiable Age Gating
Plain English Translation
Under Section 9(1) of the Act, treating all users as adults by default is no longer a safe strategy. You are legally required to verify the age of your users to determine if they are minors (under 18). If a user is identified as a child, strict DPDP age gating requirements kick in: you must obtain verifiable parental consent before processing any of their data. Furthermore, Section 9(3) absolutely forbids tracking or behavioral monitoring of children. This means your system must be smart enough to distinguish a child from an adult and automatically disable advertising trackers for the former.
Technical Implementation
Required Actions (startup)
- Implement a self-declaration date of birth field.
- Require a parent's email address for users under 18.
- Manually disable ads for self-declared minors.
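The startup-tier steps above can be enforced in one server-side decision function. This is an added example, not code from the DPDP Workbook or the Act; the names `gate`, `GateDecision` and `parental_consent_verified` are hypothetical, and it assumes a user counts as an adult from the day of their 18th birthday and that your own consent flow sets the verified flag.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

ADULT_AGE = 18  # Section 2(f): a child has not completed eighteen years


@dataclass(frozen=True)
class GateDecision:
    is_child: bool          # handled as a child for Section 9 purposes
    may_process: bool       # personal data may be processed at all
    tracking_allowed: bool  # ad trackers / behavioural monitoring may load
    reason: str


def completed_years(dob: date, today: date) -> int:
    """Whole years completed; a 29 Feb birthday counts from 1 March in non-leap years."""
    before_birthday = (today.month, today.day) < (dob.month, dob.day)
    return today.year - dob.year - before_birthday


def gate(dob: Optional[date], parent_email: Optional[str],
         parental_consent_verified: bool, today: date) -> GateDecision:
    # Fail closed: a missing or future DOB is handled as a child account.
    if dob is None or dob > today:
        return GateDecision(True, False, False, "dob_missing_or_invalid")
    if completed_years(dob, today) >= ADULT_AGE:
        # Adults still need their own consent before trackers load (not modelled here).
        return GateDecision(False, True, True, "adult_self_declared")
    # Child: tracking stays off whatever the consent state is (Section 9(3)).
    if not parent_email:
        return GateDecision(True, False, False, "parent_email_required")
    if not parental_consent_verified:
        return GateDecision(True, False, False, "awaiting_parental_consent")
    return GateDecision(True, True, False, "child_with_parental_consent")
```

Call `gate` before any analytics or advertising tag is rendered, so that a child account never receives the tracker in the first place rather than having it disabled afterwards.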
Required Actions (scaleup)
- Integrate third-party age estimation tools (e.g., Yoti) to perform KYC for age verification.
- Automate the parental consent email loop.
- Regularly audit user behavior to identify potential minors lying about age.
Required Actions (enterprise)
- Full API integration with government-backed verifiable credential systems.
- Block minors' access to age-restricted content in real time.
- Advanced anomaly detection to flag accounts that behave like children but claim to be adults.
Section 2(f) of the Act defines a child as an individual who has not completed the age of eighteen years.
Yes, effectively. To comply with Section 9 obligations (obtaining parental consent and not tracking children), a Data Fiduciary must verify the age of the Data Principal to distinguish children from adults.
The rules suggest using mechanisms like virtual tokens mapped to government IDs (like DigiLocker) which confirm age (Y/N) or parental relation without revealing sensitive underlying data.
It is consent obtained from the parent or lawful guardian where the Data Fiduciary has verified the identity of the parent and their relationship to the child using prescribed technical measures.
Yes, exemptions exist. Section 9(4) allows the government to notify exceptions for processing that is verifiably safe, and certain sectors like education or health may have specific exemptions.
Breach in observance of additional obligations in relation to children under Section 9 can attract a penalty extending to two hundred crore rupees (Schedule).
While not explicitly demanded as a separate document, Section 5 requires notice. Since the child cannot give consent, the notice must be understandable to the parent/guardian to ensure informed consent.
If the B2B app processes personal data of individuals who happen to be children (e.g., interns under 18), Section 9 applies. However, generally, B2B data principals are adults.
"The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-08 | WatchDog Security GRC Wiki Team | Initial publication from DPDP Workbook |