(1) The provisions of sub-sections (1) and (3) of section 9 of the Act shall not be applicable to processing of personal data of a child by such class of Data Fiduciaries as are specified in Part A of Fourth Schedule, subject to such conditions as are specified in the said Part.
(2) The provisions of sub-sections (1) and (3) of section 9 of the Act shall not be applicable to processing of personal data of a child for such purposes as are specified in Part B of Fourth Schedule, subject to such conditions as are specified in the said Part.
Short summary: Rule 12 permits limited, conditional exemptions from specified obligations in Section 9 of the DPDP Act for processing personal data of children (persons under 18 years), where the processing is undertaken by specified classes of Data Fiduciaries or for specified purposes set out in the Fourth Schedule. These exemptions are subject to strict conditions, safeguards and documentation requirements.
Which obligations are affected?
Rule 12 targets sub-sections (1) and (3) of Section 9 of the DPDP Act, principally the verifiable parental/guardian consent regime and related prohibitions (for example, restrictions on behavioural tracking and targeted advertising for children). The exemptions are not blanket: they apply only where the Rules list an entity or purpose and where the stated conditions are met.
Two pathways for exemption
- Entity-based exemptions (Part A, Fourth Schedule): Certain fiduciaries such as hospitals/healthcare establishments, schools/educational institutions, day-care/creches and child-transport services may process child data with limited relief from the verifiable-consent requirement, subject to conditions.
- Purpose-based exemptions (Part B, Fourth Schedule): Specific purposes e.g., emergency medical care, child safety monitoring, statutory compliance or narrowly defined research/archival activities may be permitted without the ordinary consent formalities, again subject to conditions.
Core conditions and constraints
- Necessity & proportionality: Processing must be strictly necessary and proportionate to the stated institution/purpose.
- Data minimisation & purpose limitation: Only the minimum data necessary for the permitted purpose may be processed.
- Documentation & DPIA: The Data Fiduciary must document the legal basis and carry out Data Protection Impact Assessments where required; Significant Data Fiduciaries have enhanced reporting/audit obligations.
- Safeguards & transparency: Technical and organisational safeguards, explicit purpose binding and clear notices (where possible) are required.
Practical note: For compliance, operationalize an 18-year age threshold in onboarding, age verification, privacy notices and consent flows. Claims of exemption should be supported by written evidence and processing records.
Advice for counsel & compliance teams
- Map all processing activities involving persons under 18 and classify them by Part A / Part B categories.
- Apply a strict necessity test: document why parental verifiable consent is impracticable for the specific activity and how the exemption is narrowly tailored.
- Conduct DPIAs and annual audits (as mandated for Significant Data Fiduciaries) and retain records.
- Implement access controls, retention limits, and contractual clauses with processors prohibiting secondary use such as targeted advertising unless explicitly allowed and conditioned by the Rules.
- Maintain complaint/grievance and reporting channels, and be ready to justify reliance on any exemption before the regulator or courts.
Risk & enforcement
Relying on Rule 12’s exemption does not remove regulatory risk. The regulator will evaluate whether the exemption’s conditions were honestly and reasonably applied, and whether processing remained within the permitted scope. Non-compliance may attract enforcement, fines, and reputational damage.
© 2025 Advocate (Dr.) Prashant Mali