DPDP guide · Updated 12 May 2026

Children's data under DPDP Section 9: a parent's guide.

Verifiable parental consent, what platforms must do, and how to ask them to delete your child's data.


Section 9 of the Digital Personal Data Protection Act, 2023 deals with personal data of children. It is one of the strictest parts of the Act, and the implementing Rule 10 fills in the operational detail. If you are a parent or guardian of an Indian minor, this is the section you should know.

Who counts as a child.

The Act defines a child as any person under the age of eighteen years. This is a higher threshold than under most international privacy regimes, including GDPR (sixteen) and COPPA in the United States (thirteen). It is deliberate. The Act's framers wanted to bring all minors under one regime, and to set the bar high enough that platforms would have to design for it.

What platforms must do for children.

Section 9 requires Data Fiduciaries to obtain the verifiable consent of the parent or lawful guardian before processing the personal data of a child. Verifiability is the operative word: a tick-box that says "I am over 18" is not verifiable consent. A signed declaration that can be authenticated through Aadhaar OTP, a parent-validated email chain, or an attested document is verifiable consent.

Section 9 also prohibits Data Fiduciaries from:

  • Tracking or behavioural monitoring of children.
  • Targeted advertising directed at children.
  • Processing children's data in any manner likely to cause "detrimental effect" on the well-being of the child.

These prohibitions apply regardless of consent. A parent cannot consent to behavioural tracking of a minor; the prohibition is structural.

How Rule 10 makes this operational.

Rule 10 of the Digital Personal Data Protection Rules, 2025 specifies the verifiability mechanisms a Data Fiduciary must use. Acceptable methods include:

  1. Verification of the parent or guardian through a government-issued identity document (typically Aadhaar OTP).
  2. A declaration submitted under a digital signature.
  3. A verified entry through a Consent Manager (once Consent Managers are licensed and operational, expected in 2026 to 2027).

The Rule also requires Fiduciaries to maintain a record of the consent and the method by which it was verified, and to be able to produce that record on demand from the Board.

What this means for your child's existing accounts.

If your child has an account at any Indian Data Fiduciary, including ed-tech platforms, gaming services, social networks, or matrimony sites in the case of older minors, the company is required to have on file a verifiable parental consent. If it does not, the child's data is being processed in contravention of Section 9.

You can write to the Fiduciary and ask:

  1. Did you obtain my verifiable consent before processing my child's data?
  2. If yes, please provide a copy of the consent record and the method of verification.
  3. If no, please erase the data under Section 12, and confirm completion within ninety days as required by Rule 14.

We have seen high compliance from Indian ed-tech platforms (Byju's, Unacademy, Vedantu, WhiteHat Jr) on Section 9 requests. They have spent the past year cleaning up their consent records, and a Section 9 request typically gets a faster response than a generic Section 12 request because the legal exposure is sharper.

What to do if you find your child's image or detail on a non-consenting site.

Take three steps in this order.

1. Capture the evidence.

Record the URL, a screenshot, and the date and time. If your child's image is on the site, do not share the image elsewhere; reference it by URL only.

2. Send a Section 9 + Section 12 notice.

State plainly that the child is a minor, that you are the parent or lawful guardian, that you did not provide verifiable consent under Section 9, and that you demand erasure under Section 12 within ninety days. Include the URL and the date of evidence capture.

3. If the content is harmful or sexually explicit, also report to cybercrime.

Non-consensual intimate imagery of minors is a criminal matter under the POCSO Act, 2012 in addition to being a DPDP violation. File at cybercrime.gov.in. CERT-In and the local cyber cell can take down content faster than the DPB in these cases.

What Vault.in does for your family.

On the Family plan, you can add up to four members. Children added as minors trigger a special set of behaviours.

  • The minor's profile is flagged in our system. Tracking-style processing is disabled by default.
  • Adding a minor requires verifiable parental consent, captured via our own Rule 10 flow (Aadhaar OTP for the parent, signed declaration, attested relationship document).
  • The minor's daily scan focuses on the platforms most likely to expose minors: ed-tech, gaming, child-targeted social networks, image hosts, and matrimony sites (for older minors).
  • All Section 12 notices for minors are sent with explicit Section 9 invocation, which we have found accelerates response times.
  • The minor's monthly report is sent to the parent, not to the minor.

We treat children's data with the higher standard the law demands. If you want to add a child to your Vault.in account, the verifiable parental consent flow is in Settings → Family.

