INTRODUCTION :

In the present world in which nearly everything has been digitalised, It has become very important to keep children's privacy safe. From social media to educational apps, businesses are increasingly targeting and profiling children's data on digital platforms for their own benefit, without considering the harm it may cause to children. It's easy to harm children because they don't know how to protect their personal information. The case of Avnish Bajaj v. State (NCT of Delhi)¹ was the first in which a court said that a child's online privacy needs to be protected. The case dealt with MMS involving minors. The Delhi High Court acknowledged the need and significant gaps in the laws and infrastructure protecting the privacy of children. This resulted in the passing of the Digital Personal Data Protection Act in 2023. The Act aims to set up a legal framework that treats children as separate groups of data principals who need more protection. This article talks about the legal provisions relating to the privacy of children under Digital Personal Data Protection Act, 2023 (DPDP), fundamental principles and the challenges in its implementation in the real world. Legislative provisions of the Digital Personal Data Protection Act, 2023 safeguarding the privacy of children

1. Processing of Children's Data:

Any processing of personal data pertaining to a child under the age of 18 must first get verified parental consent, as stated in the Act. There can be no tracking, behavioural monitoring, or targeted advertising of children of any kind.²

2. Duty of Data Fiduciaries Processing Children's Data:

It is the responsibility of those entities that deal with children's data to ensure that it does not injure children. Data fiduciaries that meet the government's defined standards of being verifiably safe may be exempted.³

3. Exemptions for Certain Entities:

Some government-approved organisations, schools, and healthcare providers may be able to handle children's data without parental consent if doing so is in the child's best interest.⁴

4. Penalty for Non-Compliance:

The Data Protection Board of India (DPBI) has the authority to set guidelines and enforce punishments. Any violation that is related to a child’s data processing could result in hefty financial penalty (up to ₹250 crores).⁵

Fundamental principles under the Digital Personal Data Protection Act, 2023:

1. Best interests of a child:

When dealing with children's personal information, data fiduciaries (DFs) have a responsibility to act in their best interests. Prior to reaching a conclusion regarding a child's best interests, all factors affecting the kid must be taken into account, including:

a. Gender and age;

b. Dysfunctions of the brain;

c. Affiliation with a marginalised community;

d. Level of mental development;

e. Social surrounding of the child

f. Parental literacy disparities;

g. Ethnicity or caste; and

h. A child's practical, emotional, and ethical needs.

2. Evolving capacities of a child:

As a child grows, he or she learns new things, becomes more advanced, and feels more in charge of his or her own life, all of which contribute to increased independence and a stronger feeling of personal agency. Even if parental agreement has been secured for the use of a child's personal data, a Data Fiduciary must still be able to recognise the child's capability, as the Act does not address the child's growing capacities. Because parental consent does not alter a child's age, data custodians must consider the age range of children to determine their ability to handle the processing threats.

3. The right to a bright future:

It is the parental right to set limits on a child's activities that do not affect the child's ability to participate in society. Children should have a future unfettered by digital footprints, which can remain forever. So, after the goal is achieved, a Data Fiduciary needs to make sure that children's personal information is deleted.⁶

Comparative Perspective:

The General Data Protection Regulation (GDPR) is a law in the European Union that protects people's privacy and data. Unlike GDPR, which allows member states to lower the age of consent to 13, the DPDP Act retains 18 as a blanket threshold. This arguably over-regulates older minors while under-regulating actual data practices.

The Age-Appropriate Design Code in the UK, for example, mandates platforms to consider the developmental needs of children rather than rely solely on consent. India’s law lacks such nuanced calibration.

The Children's Online Privacy Protection Act in the US says that parents must agree to data collection from children under the age of 13. This is the lowest level of protection. People say that COPPA is good in theory, but that it doesn't do enough to enforce the rules and that the standards are too old for mobile apps and AI-based profiling. In the meantime, the General Data Protection Regulation says that European Union member states can set an age range of 13 to 16 for digital consent. Most states choose 13 or 14. This model is more in accordance with the UN Convention on the Rights of the Child because it takes into account that children's skills change over time.

The UK's Age-Appropriate Design Code makes things even safer for children by ensuring that platforms automatically think about the child's best interests when it comes to design, minimisation of the use of data, and privacy settings. The same measures are being taken in countries like South Africa, Brazil, and Australia. These changes around the world shows that more and more people are acknowledging the fact that children's rights should be an integral part of the digital infrastructure. This means getting rid of designs that rely on consent and moving towards designs that put responsibility as its priority.⁷

Challenges in Implementation:

The Digital Personal Data Protection Act, 2023 (DPDP Act) in India makes it hard to protect children's data in a number of ways, including legally, practically, and in terms of infrastructure. These problems make the law less effective, especially when it comes to protecting kids' safety and privacy online.

Following are some of the challenges:

1. Problems with age verification: The law says that data fiduciaries can't process a child under 18 without getting verifiable parental consent first. There aren't many age verification systems on platforms that are reliable, scalable, and respect privacy. As a result of which children can easily get around age limits by lying about their age, and platforms may not be able to tell if a user is underage.

2. Uniform Age Cutoff: Indian laws say that anyone under the age of 18 is a child, which is different from COPPA and GDPR. The challenge is treating all minors the same means ignoring how adolescents are becoming more digitally mature. Older teens can't be as independent or involved, and younger children might not be adequately protected in real life.

3. Weak enforcement mechanism: The Data Protection Board of India is still at its early stages of being set up, so there isn't enough institutional infrastructure. There aren't enough guidelines to follow, and it takes a very long time to enforce them.

4. Consent Fatigue and Practicality: Parents might click "consent" without really thinking about what it means or what the terms are. A lot of parents, especially in rural areas, don't know how to use computers. The protection loses its meaning and becomes merely a symbolic consent.

5. Scope of Government Exemptions: The Act lets the government exempt certain data fiduciaries or services from following the rules. This includes healthcare apps and ed-tech apps. This flexibility could make protections for children weaker in the name of innovation or national interest.

6. Platforms aren't responsible: There are no clear technical rules or penalties for platforms that don't stop harmful content or the profiling of children. Data custodians may keep doing things that are dangerous because the law is not clear.

7. Not enough people know about the new responsibilities: Parents, kids, schools, and even platforms often don't know about their responsibilities towards children’s data privacy. Rights can't be protected or used if people don't know how the system works.

8. No Standards for Child-Specific Data Design: India hasn't set up design-based rules like the UK's Age-Appropriate Design Code, which says that privacy settings should be set to default or tracking should be turned off. Children are just as likely as adults to be hurt by UI/UX designs.

CONCLUSION:

India’s DPDP Act, 2023 reflects an important recognition of children’s unique vulnerabilities in digital spaces. While it introduces key protections like guardian consent and advertising bans, the law still requires refinement in scope, clarity in enforcement, and sensitivity toward children’s evolving capacities. Moving forward, a more child-centric approach balancing protection with participation will be crucial in upholding children’s digital rights in a meaningful way.

REFERENCES:

1. Delhi High Court. Avnish Bajaj V. State (NCT of Delhi), (2008) 150 DLT 769

2. Digital Personal Data Protection Act, 2023, S. 9

3. Digital Personal Data Protection Act, 2023, S. 10

4. Law.asia. (2023, July 27). Indian perspective on protecting children’s personal data. https://law.asia/indian-perspective-on-protecting-childrens-personal-data/

5. Digital Personal Data Protection Act, 2023, S. 15

6. Law.asia. (2023, July 27). Indian perspective on protecting children’s personal data. https://law.asia/indian-perspective-on-protecting-childrens-personal-data/

7. Narayanan, A. The digital wellbeing laws in India: Need for Bhartiya Digital Kalyan Sanhita. White Black Legal Law Journal. ISSN 2588-503.

8. Digital Personal Data Protection Act, 2023 (India).

9. United Nations Convention on the Rights of the Child, Article 16.

10. General Comment No. 25 (2021) on children’s rights in the digital environment.

11. Children's Online Privacy Protection Act (COPPA), United States.

12. General Data Protection Regulation (GDPR), European Union.

13. Age-Appropriate Design Code, United Kingdom.

14. Ikeda, M. (2023). Data Protection and Children’s Rights in the Global South. Journal of Law and Technology.

15. Ministry of Electronics and Information Technology (MeitY), DPDP Explanatory Notes, 2023.

16. SS Rana. Safeguarding children’s data under DPDP law. Retrieved July 7, 2025, from https://ssrana.in/articles/safeguarding-childrens-data-under-dpdp-law/

17. Bharat Law AI. How to protect children’s data under DPDPA Act. Retrieved July 8,2025, from https://www.bharatlaw.ai/post/how-to-protect-children-s-data-under-dpdpa-act

18. DPDP Consultants. Home. Retrieved July 8, 2025, from https://www.dpdpconsultants.com/

Received on 14.07.2025 Revised on 02.08.2025

Accepted on 27.08.2025 Published on 12.11.2025

Available online from November 19, 2025

Int. J. Ad. Social Sciences. 2025; 13(4):177-180.

DOI: 10.52711/2454-2679.2025.00027

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Creative Commons License.