Target Audience: EdTech, Gaming, Social Media, and Toy manufacturers. Focus: Protection of minors and technical hurdles.
Introduction: Section 9 of the DPDPA is perhaps the most stringent part of the Act. It treats anyone under 18 as a child and mandates “verifiable parental consent” before any data is processed.
The Three Pillars of Children’s Data Protection:
- Verifiable Parental Consent: The burden is on the business to prove that the person giving consent is indeed the parent or legal guardian.
- No Tracking or Profiling: Businesses are strictly prohibited from tracking or monitoring the behavior of children or targeting advertisements at them.
- No Harmful Processing: Any processing that is “likely to cause any detrimental effect on the well-being of a child” is strictly banned.
Technical Challenges: How do you verify a parent’s identity without collecting more sensitive data (like Aadhaar or Credit Card info)? This is the “Privacy Paradox” that Indian tech firms must solve.
The Mentor’s Take: If your primary users are minors, your monetization model cannot rely on behavioral advertising. You must pivot to subscription-based or contextual advertising models immediately.
