DPDPA is now in force in India. Run a free privacy scan on your site. Scan now

DPDP Act · Section 9

DPDPA Section 9: Children's data

DPDPA Section 9 explained: verifiable parental consent for under-18s, the ban on tracking, behavioral monitoring and targeted advertising directed at children, and how to build an age-gate.

In short
Section 9 of the DPDP Act requires a data fiduciary to obtain verifiable consent from a parent or lawful guardian before processing the personal data of a child (anyone under 18) or a person with a disability who has a lawful guardian. It also prohibits processing that is likely to cause a detrimental effect on a child's well-being, and bans tracking, behavioral monitoring and targeted advertising directed at children. In practice this means an age-gate and a verifiable parental-consent flow.
Last updated 2026-06-03

Verifiable parental consent

For anyone under 18, you must obtain verifiable consent from a parent or lawful guardian before processing. A child simply self-asserting an adult age with no check does not meet the verifiable standard.

Design an age-gate at the point of collection and a parental-consent flow that records who consented and how, so the consent is verifiable later. ConsentX includes an age-gate and parental flow built for this requirement.

Prohibited processing

Section 9 prohibits processing likely to cause a detrimental effect on the well-being of a child, and specifically bans tracking, behavioral monitoring and targeted advertising directed at children.

That means your analytics and advertising trackers must stay blocked for any user identified as a child, not merely de-personalised. Pre-consent blocking plus a child flag that keeps trackers inert is the safe pattern.

Exemptions

The Act allows the Government to exempt certain classes of fiduciaries or processing (for example, where processing is verifiably safe) and to lower the age threshold for specified purposes. Until such exemptions apply to you, treat the under-18 rule and the advertising ban as binding.

This page is a plain-English summary of the Digital Personal Data Protection Act, 2023 for general information and is not legal advice. Confirm your obligations with qualified counsel.

All DPDPA sectionsDPDP Act explainedDPDPA overviewConsentX for India

Meet this DPDPA requirement with ConsentX

DPDPA-native consent, Section 9 age-gate and verifiable receipts. Start free or take the DPDPA quiz.

Get started free Take the DPDPA quiz

DPDPA Section 9 questions

Who is a child under the DPDP Act?+

Anyone under the age of 18. Processing their personal data requires verifiable consent from a parent or lawful guardian.

Does Section 9 ban ads to children?+

Yes. It bans tracking, behavioral monitoring and targeted advertising directed at children, so advertising and analytics trackers must stay off for users identified as children.

Do I need an age-gate for DPDPA?+

In effect yes. To obtain verifiable parental consent and avoid targeting minors, you need to determine age and run a parental-consent flow.

More DPDPA sections

DPDPA Section 5: NoticeDPDPA Section 6: Consent and withdrawalDPDPA Section 7: Certain legitimate usesDPDPA Section 8: Duties of a data fiduciaryDPDPA Section 10: Significant Data FiduciariesDPDPA Sections 11-14: Data principal rightsDPDPA penalties: Section 33 and the Schedule