Verifiable Parental Consent
Plain English Translation
Under Section 9(1) of the Act, before you process any data belonging to a minor, you must obtain verifiable parental consent. This is a stricter standard than ordinary consent; you cannot simply ask 'Are you a parent?' and accept a 'Yes'. You must implement a verifiable parental consent mechanism, which often involves technical steps to prove the identity of the guardian and their relationship to the child. Whether through a dedicated parent dashboard or integration with government ID services, the goal is to manage consent for children's data securely and prevent unauthorized processing.
Technical Implementation
Required Actions (startup)
- Use a credit card transaction (small charge refunded) as a proxy for verifying adult status.
- Send an email verification loop to the parent's address.
- Store the parental consent form response as a timestamped log entry.
Required Actions (scaleup)
- Deploy a dedicated consent manager interface for children's data.
- Implement video-based KYC or government ID checks for parents.
- Automate the suspension of accounts if parental consent is withdrawn.
Required Actions (enterprise)
- Full integration with government-notified verifiable credential tokens.
- Real-time lineage tracking to ensure no child data leaks into ad-tech pipelines.
- Automated periodic re-validation of guardianship status.
Section 9(1) requires obtaining verifiable consent in the manner prescribed. This involves confirming the identity of the parent and their relationship to the child, potentially using digital IDs or tokens.
Yes, the parent acts on behalf of the child. Section 6(4) grants the right to withdraw consent at any time, and this applies to the guardian providing consent for the child.
You need sufficient details to verify their identity (to prove they are an adult) and potentially their relationship to the child, as required by the 'verifiable' standard in Section 9(1).
Systems should create a logical link in the database between the child's user ID and the verified parent's identity to facilitate consent management and rights exercise.
While not explicitly detailed in the Act, re-verification may be necessary if the scope of processing changes (Section 6(1)) or to ensure the guardian relationship remains valid.
Once the individual ceases to be a child (attains 18 years), they become the Data Principal in their own right. The Data Fiduciary should obtain fresh consent directly from them.
Likely not. Section 9(1) demands 'verifiable consent'. Simple email does not prove the sender is a parent or an adult. Stronger guardian verification methods like ID checks are recommended.
Breach in observance of additional obligations in relation to children under Section 9 can attract a penalty extending to two hundred crore rupees under the Schedule.
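The record-keeping points above (a timestamped consent log, a link between the child's user ID and the verified parent, suspension when consent is withdrawn, fresh consent at 18) can be combined into one processing gate. The sketch below is an added example, not code from the Act, the workbook or any product; the schema, field names, method labels and decision strings are assumptions, and the log entries are constructed.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone

ADULT_AGE = 18  # per the page: at 18 the person becomes the Data Principal

@dataclass(frozen=True)
class ConsentEvent:
    """One append-only, timestamped consent log entry (hypothetical schema)."""
    child_id: str    # child's user ID
    parent_id: str   # verified parent's identity, linked to the child
    action: str      # "granted" or "withdrawn"
    method: str      # evidence of how the parent was verified (labels assumed)
    at: datetime     # UTC timestamp of the event

def age_on(dob: date, today: date) -> int:
    """Completed years of age on `today`."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def processing_decision(child_id: str, dob: date, log: list, today: date) -> str:
    """Return 'allow', 'suspend' or 'fresh_consent_required' for one account."""
    if age_on(dob, today) >= ADULT_AGE:
        # Parental consent no longer covers an adult; ask the person directly.
        return "fresh_consent_required"
    events = sorted((e for e in log if e.child_id == child_id), key=lambda e: e.at)
    if not events:
        return "suspend"  # no verifiable parental consent on record
    # The most recent event wins, so a withdrawal suspends processing.
    return "allow" if events[-1].action == "granted" else "suspend"

def _utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)

# Constructed sample log, not real data.
SAMPLE_LOG = [
    ConsentEvent("child-1", "parent-9", "granted", "id_check", _utc("2026-01-10T09:00:00")),
    ConsentEvent("child-2", "parent-7", "granted", "id_check", _utc("2026-01-11T09:00:00")),
    ConsentEvent("child-2", "parent-7", "withdrawn", "id_check", _utc("2026-02-01T12:00:00")),
]

if __name__ == "__main__":
    today = date(2026, 2, 8)
    for cid, dob in [("child-1", date(2014, 5, 1)), ("child-2", date(2013, 3, 3)),
                     ("child-3", date(2015, 7, 7)), ("child-1", date(2008, 2, 8))]:
        print(cid, dob, processing_decision(cid, dob, SAMPLE_LOG, today))
```

The gate fails closed: an account with no consent event, or whose latest event is anything other than "granted", is suspended.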
"The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed."
"A Data Fiduciary shall not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-08 | WatchDog Security GRC Wiki Team | Initial publication from DPDP Workbook |