top of page

COMPLIANCE ROUTE FROM GDPR TO DPDPA: MANAGING THE SHIFT IN REGULATORY EXPECTATIONS

  • Aman Shankar & Biyanka Bhatia
  • 4 days ago
  • 3 min read

PART IV

When comparing the Digital Personal Data Protection Act, 2023 (“DPDPA”) with the General Data Protection Regulation, 2016 (“GDPR”), one of the most significant points of divergence lies in the treatment of children’s personal data and the corresponding compliance obligations imposed upon entities processing such data. The regulatory approach adopted by each framework reflects distinct legislative priorities, particularly in relation to consent mechanisms, age thresholds, profiling restrictions, and the extent of fiduciary accountability.


In this final part of the blog series, we examine the legal and operational nuances governing children’s data under the DPDPA and the GDPR, while analysing the broader compliance implications for organisations navigating these evolving data protection regimes.


PROCESSING CHILDREN'S DATA

  1. The DPDPA defines a child as a person under 18 and requires data fiduciaries to obtain verifiable consent from the parent when processing the personal data of a child [1]. Notably, the DPDP Rules adopt a limited verification standard: they require data fiduciaries to exercise due diligence to confirm that the individual identifying as the parent is an adult, without mandating verification of the parent-child relationship itself [2]. A comparable approach exists under the GDPR, which requires parental consent where an information society service is offered to a child below the age of 16 and obliges controllers to make reasonable efforts to verify that such consent has been authorized by the holder of parental responsibility [3].

  2. In addition, the DPDPA prohibits processing that is likely to harm a child’s well-being, as well as tracking, behavioral monitoring, or targeted advertising directed at children. The DPDP Rules provide limited, context-specific exemptions from the requirement of verifiable consent, primarily for healthcare and educational institutions processing children’s data in a demonstrably safe manner.

  3. Organisations operating in India should therefore review whether their digital services are accessible to individuals under 18, update age-verification and parental consent mechanisms to meet the “verifiable consent” standard, and reassess existing analytics, tracking, and advertising practices to ensure compliance with the enhanced protections for children under DPDPA.

  4. For instance, Aarav, a minor, seeks to create an account on PlayRoll, an online free-to-play gaming platform operated by Vertex Games, an online gaming intermediary based in India.


SCENARIO I

CONSENT PROVIDED

BY THE CHILD

Aarav self-declares during sign-up that he is above 18 years of age. At present, self-declaration of age is sufficient to meet the due diligence standard under the DPDPA.


The Act and the DPDP Rules do not prescribe mandatory age-verification mechanisms, and further clarity is expected to emerge through regulatory guidance or enforcement practice, particularly on how platforms should respond to false age declarations.

SCENARIO II

CONSENT PROVIDED

BY A PARENT


Aarav asks his father, Rohit, to provide verifiable consent for account creation. Since Rohit has not previously used PlayRoll, Vertex Games requires him to submit proof of age and identity. Rohit provides his Aadhaar card to establish that he is an adult. This satisfies the due diligence requirement under the DPDP Rules. The DPDP Rules require the data fiduciary to exercise due diligence to confirm that the person providing consent is an adult; they do not mandate verification of the parent–child relationship itself.

SCENARIO III

CONSENT PROVIDED

BY A THIRD PARTY


Aarav instead asks his friend Kunal, aged 24, to provide verifiable consent. Vertex Games verifies Kunal’s age through his birth certificate and confirms that he is an adult. Under the DPDP Rules, Vertex Games is not obligated to verify whether Kunal is Aarav’s parent or legal guardian. Once due diligence establishes that the consenting individual is an adult, the statutory requirement for verifiable consent is met, even if the individual is unrelated to the child.


Check out PART I, PART II and PART III.


Footnotes :


[1] Section 9(1), DPDPA, 2023

[2] Rule 10, DPDP Rules, 2025.

[3] Article 8(2), GDPR, 2016


Please feel free to reach out to our Team to discuss any of the Technology Law, Competition Law, International Trade and Policy Issues.

Comments

Commenting on this post isn't available anymore. Contact the site owner for more info.
bottom of page