Imagine Dr. Shrawan Kumar Pathak opening his daughter Kashvi's tablet and finding she has signed up to a new game that asks for her name, photo and location. He wonders what the law actually says about a child sharing data online in India. This guide answers that question in plain terms for parents.
The short version: a new rule will soon require apps to get a parent's verified permission before they collect or use a child's data. That rule is already notified, but the duty on apps becomes enforceable from 13 May 2027. Until then, parents rely on existing app controls and grievance channels.
Here is the core of the new protection, in plain bullets. These obligations on platforms become enforceable from 13 May 2027.
This comes from Section 9 of the Digital Personal Data Protection Act 2023, read with Rule 10 of the DPDP Rules 2025, notified on 13 November 2025 by the Ministry of Electronics and Information Technology (Gazette G.S.R. 846(E)).
Under the new framework, yes. Section 9 of the DPDP Act 2023 treats anyone below 18 years as a child. An app that acts as a Data Fiduciary, meaning it decides why and how personal data is processed, will have to obtain verifiable parental consent before it processes a child's personal data.
This is a higher bar than a simple tick-box. The app cannot just ask the child to confirm “I am over 18” or “my parent agrees”. It will have to actually verify that a real, identifiable adult is giving the consent on the child's behalf.
Remember the timing. Rule 10 is notified, so the text of the law is fixed, but the duty on apps to follow it starts on 13 May 2027. Before that date, apps are not legally bound by Rule 10, though many already offer parental controls you can use today.
The DPDP Rules 2025 expect the app to use appropriate technical measures to check that the person giving consent is an identifiable adult. There are two main routes the rules contemplate.
Route one: identity already verified on the platform. If the parent's identity and age are already reliably known to the app, for example because the parent holds a verified adult account, the app can rely on that existing verification when the parent consents for the child.
Route two: independent verification using a DigiLocker Age Token. Where the parent's identity is not already known, the app can rely on an independent check. This can use an Aadhaar-linked DigiLocker “Age Token”, a virtual token that confirms the adult's identity and age without handing the app a full copy of the parent's Aadhaar.
In simple terms, the Age Token is a digital slip from DigiLocker that says “this person is a verified adult” without revealing every detail on the document. It lets the app trust that a genuine parent or guardian is giving consent, while sharing as little personal information as possible.
No, not once Rule 10 is in force. The DPDP Act 2023 prohibits tracking, behavioural monitoring and targeted advertising directed at children. So an app will not be allowed to build a profile of your child's activity to push tailored ads at them.
This is one of the clearest protections in the new law. It is aimed at the common pattern where a child's clicks, watch time and in-app behaviour are quietly used to serve advertising. From 13 May 2027, that practice directed at children will not be permitted.
The same protection extends to a person with a disability who has a lawful guardian. The guardian steps into the role the parent plays for a child, and the app must seek verifiable consent from that guardian in the same way.
You do not have to wait until 2027 to protect your child. Practical steps you can take today:
The older information technology law framework from the year 2000 still applies to sensitive personal data in the meantime, so platforms are not operating in a vacuum before the DPDP duties begin.
If a public authority, school or government portal is involved and you want to know what data it holds or what rules it follows, a formal information request can help. You can use the AI RTI Drafter to prepare one, and the RTI Act 2005 explains your right to that information. For a wider view of how citizen rights and complaints work, see The RTI Playbook.
Start with the app's own grievance officer. If that does not resolve matters, India has separate regulators for different sectors, and it helps to know which one covers your issue. The guide on which regulator to complain to can point you in the right direction. Once the DPDP enforcement machinery is fully active, the data protection authority created under the Act will be the body for data-related complaints.
Anyone below the age of 18 years. This is set by Section 9 of the DPDP Act 2023. Until a person turns 18, an app handling their personal data will need verifiable parental consent.
No. Rule 10 of the DPDP Rules 2025 is notified, but the obligations it places on apps become enforceable from 13 May 2027, which is 18 months after the rules were notified on 13 November 2025.
It is a virtual token from DigiLocker, linked to Aadhaar, that confirms an adult's identity and age to an app. It lets an app verify a parent without the parent handing over a full copy of their Aadhaar.
Targeted and behavioural advertising directed at children is prohibited under the DPDP Act 2023. Once Rule 10 is in force, apps will not be able to profile your child to serve them tailored ads.
Yes. The same heightened protection applies to a person with a disability who has a lawful guardian. The guardian gives the verifiable consent in place of the person, just as a parent does for a child.
Use the app's parental controls, tighten its permissions, review its privacy policy, and complain to the platform's grievance officer if needed. The older information technology framework from 2000 still protects sensitive personal data in the meantime.