Rule 10 of DPDP Rules 2025

Verifiable consent for processing of personal data of child.


(1) A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India, by reference to—
(a) reliable details of identity and age of the individual available with the Data Fiduciary; or
(b) details of identity and age, voluntarily provided —
(i) by the individual; or
(ii) through a virtual token mapped to such details, which is issued by an authorised entity.
(2) In this rule, the expression—
(a) “adult” shall mean an individual who has completed the age of eighteen years;
(b) “authorised entity" shall mean —
(i) an entity entrusted by law or by the Central Government or by the State Government with the issuance of details of the identity and age or a virtual token mapped to such details; or
(ii)a person appointed or permitted by the entity specified under clause (i), for such issuance, and also includes details of identity and age or token made available and verified by a Digital Locker Service Provider;
(c) “Digital Locker service provider” shall mean such intermediary, including a body corporate or an agency of the appropriate Government, as may be notified by the Central Government, in accordance with the rules made in this regard under the Information Technology Act, 2000 (21 of 2000);
Illustration.
C is a child, P is a parent, and DF is a Data Fiduciary. A user account of C is sought to be created on the online platform of DF, by processing the personal data of C.
Case 1: C informs DF that she is a child and declares P as her parent. DF shall enable P to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she is a registered user on DF’s platform and has previously made available her identity and age details to DF. Before processing C’s personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P and that P is an identifiable adult.
Case 2: C informs DF that she is a child and declares P as her parent. DF shall enable P to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she herself is not a registered user on DF’s platform. Before processing C’s personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the identity and age, check that P is an identifiable adult. P may voluntarily make such details available using the services of a Digital Locker service provider.
Case 3: P is opening an account for C and identifies herself as C’s parent and informs DF that she is a registered user on DF’s platform and has previously made available her identity and age details to DF. Before processing C’s personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P and that P is an identifiable adult.
Case 4: P is opening an account for C and identifies herself as C’s parent and informs DF that she herself is not a registered user on DF’s platform. Before processing C’s personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the identity and age, check that P is an identifiable adult. P may voluntarily make such details available using the services of a Digital Locker service provider.

Rule 11 →
DPDPA
Table of contents


Report error

Legal Interpretation: Rule 10 - Verifiable consent for processing of personal data of child.

I. EXECUTIVE SUMMARY

Rule 10 establishes a framework for exemptions from certain obligations applicable to the processing of personal data of children under Section 9 of the DPDPA 2023. This rule provides specific circumstances under which Data Fiduciaries may be relieved from the stringent requirements of obtaining verifiable parental consent before processing children's personal data.

II. STATUTORY FOUNDATION

A. Primary Legislative Provision - Section 9 DPDPA 2023

Section 9(1) mandates that Data Fiduciaries must, before processing any personal data of a child or person with disability, obtain verifiable consent from the parent or lawful guardian of such child or person with disability.

B. Rule 10 - Exemptions Framework

Rule 10 operates as a carve-out provision that creates two distinct categories of exemptions:

Rule 10(1) - Class-Based Exemptions

The provisions of sub-sections (1) and (3) of Section 9 shall NOT be applicable to processing of personal data of a child by such class of Data Fiduciaries as are specified in Part A of Fourth Schedule, subject to conditions specified therein.

Rule 10(2) - Purpose-Based Exemptions

The provisions of sub-sections (1) and (3) of Section 9 shall NOT be applicable to processing of personal data of a child for such purposes as are specified in Part B of Fourth Schedule, subject to conditions specified therein.

III. DETAILED LEGAL INTERPRETATION

A. Scope of Exemption

What is Exempted:

  • Section 9(1): The requirement to obtain verifiable consent from parent/guardian before processing child's personal data
  • Section 9(3): The prohibition on processing personal data that is likely to cause harm to the child

⚠️ CRITICAL NOTE: The exemption is NOT absolute. It is subject to:

  1. Specific classes of Data Fiduciaries (Fourth Schedule Part A)
  2. Specific purposes (Fourth Schedule Part B)
  3. Conditions prescribed in the respective Schedule parts

B. Two-Pronged Exemption Structure

Exemption Type Basis Reference Conditions
Class-Based Identity/Category of Data Fiduciary Fourth Schedule Part A Must be specified class + comply with Part A conditions
Purpose-Based Specific Processing Purpose Fourth Schedule Part B Must be for specified purpose + comply with Part B conditions

C. Interpretation of "Verifiable Consent"

Legal Meaning:

"Verifiable consent" in the context of child data processing means:

  • Consent from Parent/Guardian: Not from the child directly
  • Verification Mechanism: The Data Fiduciary must implement a reasonable method to verify that the person providing consent is indeed the parent or lawful guardian
  • Compliance with Section 6 Standards: The consent must still be:
    • Free
    • Specific
    • Informed
    • Unconditional
    • Unambiguous
    • With clear affirmative action

D. Persons with Disability - Parallel Provision

Rule 10 references Section 9, which also covers persons with disability. The definitions provided in the Rules clarify:

"Person with Disability" includes:

  1. Individuals with long-term physical, mental, intellectual, or sensory impairment who, despite adequate support, cannot take legally binding decisions
  2. Individuals with autism, cerebral palsy, mental retardation, or combination thereof, including severe multiple disability, who cannot take legally binding decisions despite adequate support

"Law Applicable to Guardianship" means:

  • Rights of Persons with Disabilities Act, 2016 (for category 1 above)
  • National Trust for Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (for category 2 above)

IV. PRACTICAL IMPLICATIONS & COMPLIANCE REQUIREMENTS

A. For Data Fiduciaries Processing Children's Data

Step 1: Determine Applicability of Exemption

  • Check if your organization falls within the class specified in Fourth Schedule Part A
  • OR check if the processing purpose falls within Fourth Schedule Part B

Step 2: Comply with Schedule Conditions

  • Even if exempt from verifiable consent requirement, you MUST comply with all conditions specified in the relevant Schedule part
  • Non-compliance with conditions = Loss of exemption benefit

Step 3: Document Exemption Reliance

  • Maintain records demonstrating:
    • Basis for claiming exemption
    • Compliance with Schedule conditions
    • Regular audits of continued eligibility

B. If Exemption Does NOT Apply

Data Fiduciaries MUST:

  1. Implement Verification Mechanisms: Establish reasonable methods to verify parental/guardian identity
  2. Obtain Verifiable Consent: Before any processing of child's personal data
  3. Comply with Section 9(3): Ensure no processing likely to cause harm to child
  4. Age Verification: Implement age-gating mechanisms to identify when data subject is a child

V. LEGAL OBLIGATIONS THAT REMAIN APPLICABLE

Important: Rule 10 exempts ONLY sub-sections (1) and (3) of Section 9. The following obligations remain applicable even when exemption applies:

  • Section 8: General obligations of Data Fiduciaries (notice, purpose limitation, data retention, etc.)
  • Section 6: Consent requirements (if consent is the legal basis)
  • Section 9(2): Any other provisions not specifically exempted
  • Other DPDPA provisions: Data breach notifications, grievance redressal, etc.

VI. INTERPLAY WITH CONSENT FRAMEWORK (SECTION 6)

Consent Requirements Under Section 6

When processing children's data (even under exemption), if consent is the legal basis, it must be:

Requirement Meaning Application to Children
Free Not coerced or forced Parent/guardian must give freely
Specific For identified purpose Clear purpose for child's data processing
Informed With full knowledge Parent/guardian fully informed of processing
Unconditional No bundled consent Cannot condition service on unrelated consent
Unambiguous Clear and explicit No confusion about what is consented to
Clear Affirmative Action Positive opt-in Active consent, not pre-ticked boxes

VII. BURDEN OF PROOF

Section 6(10) Application: Where consent is the basis of processing (including for children), and a question arises in any proceeding, the Data Fiduciary bears the burden of proving:

  • That proper notice was given to the Data Principal (parent/guardian in case of child)
  • That consent was obtained in accordance with the Act and Rules
  • That the exemption under Rule 10 is validly claimed (if applicable)

VIII. ENFORCEMENT & PENALTIES

Consequences of Non-Compliance

  • Loss of Exemption: Failure to meet Schedule conditions = automatic loss of Rule 10 exemption
  • Data Protection Board Action: Complaints can be filed with the Board under Section 27
  • Penalties: Subject to penalty provisions under Section 33 of DPDPA 2023
  • Reputational Risk: Violations involving children's data carry significant reputational consequences

IX. BEST PRACTICES FOR COMPLIANCE

Recommended Compliance Framework

  1. Age Verification Systems:
    • Implement neutral age-screening mechanisms
    • Use age-appropriate interfaces
    • Regular testing of age-gating effectiveness
  2. Parental Consent Mechanisms (if no exemption):
    • Email-plus verification
    • Credit card verification
    • Government ID verification
    • Video-based verification
    • Knowledge-based authentication
  3. Documentation & Record-Keeping:
    • Maintain audit trail of consent obtained
    • Document exemption claims with legal justification
    • Regular compliance audits
  4. Privacy by Design:
    • Minimize data collection from children
    • Enhanced security measures for children's data
    • Limited retention periods
    • Restricted access controls
  5. Transparency Measures:
    • Child-friendly privacy notices
    • Parent-accessible control panels
    • Clear opt-out mechanisms

X. COMPARATIVE ANALYSIS WITH INTERNATIONAL STANDARDS

Jurisdiction Child Protection Standard DPDPA 2023 Alignment
GDPR (EU) Parental consent for children under 16 (Art. 8) Similar verifiable consent requirement
COPPA (USA) Parental consent for children under 13 Comparable but DPDPA doesn't specify age
UK Age Appropriate Design Code 15 standards for online services DPDPA provides framework; details in Schedules

XI. CRITICAL UNANSWERED QUESTIONS

Areas Requiring Clarification (Awaiting Fourth Schedule Publication)

  1. Definition of "Child": What age constitutes a child under DPDPA? It is 18 years as per Juvenile Justice (Care and Protection of Children) Act, 2015 (GDPR: 16, COPPA: 13)
  2. Exempted Classes: Which specific Data Fiduciaries are included in Fourth Schedule Part A?
  3. Exempted Purposes: What specific purposes are listed in Fourth Schedule Part B?
  4. Conditions for Exemption: What are the exact conditions that must be met?
  5. Verification Standards: What constitutes "reasonable" verification of parental status?

XII. LEGAL OPINION & RECOMMENDATIONS

Expert Legal Opinion

Rule 10 represents a balanced approach that recognizes:

  • The need for enhanced protection of children's personal data
  • Practical challenges in obtaining verifiable parental consent in all circumstances
  • Legitimate use cases where strict consent requirements may be impractical or counterproductive

Key Recommendations for Organizations

  1. Assume Full Compliance Required: Until Fourth Schedule is published, assume no exemption applies
  2. Implement Robust Verification: Develop and deploy verifiable parental consent mechanisms
  3. Conduct Privacy Impact Assessment: Specifically for children's data processing activities
  4. Establish Governance Framework: Create dedicated policies for children's data protection
  5. Train Personnel: Ensure all relevant staff understand heightened obligations
  6. Monitor Regulatory Developments: Stay updated on Fourth Schedule publication and Board guidance
  7. Engage Legal Counsel: Obtain specific legal advice for your organization's use cases

XIII. CONCLUSION

Rule 10 is a conditional exemption provision that relieves certain Data Fiduciaries or certain processing purposes from the stringent requirements of Section 9(1) and 9(3) of DPDPA 2023, subject to:

  • Being within specified classes (Fourth Schedule Part A), OR
  • Processing for specified purposes (Fourth Schedule Part B), AND
  • Complying with conditions in the relevant Schedule part

The exemption is NOT a blanket waiver of child protection obligations. All other provisions of DPDPA 2023 remain fully applicable, and organizations must maintain the highest standards of data protection when processing children's personal data.

Until the Fourth Schedule is published, organizations should operate under the assumption that full compliance with Section 9 is required, including obtaining verifiable parental consent before processing any personal data of children.

Disclaimer: This legal interpretation is provided for informational purposes only and does not constitute legal advice. Organizations should consult with Advocate (Dr.) Prashant Mali for written Legal Opinion for advice specific to their circumstances. The interpretation is based on the DPDPA 2023 and DPDP Rules 2025 as available at the time of analysis.

Document Reference:

  • Digital Personal Data Protection Act, 2023
  • Digital Personal Data Protection Rules, 2025
  • Analysis Date: November 2025

Read more on BLOG : Childrens of illiterate parents BANNED from social media IN INDIA?

© 2025 Advocate (Dr.) Prashant Mali