
Navigating Child Personal Data Protection: A Comparative Analysis of the Indian DPDP Regime and the GDPR

Authors:
Anirudh Krishna
March 31, 2025

Introduction

Children’s data is the most susceptible to misuse and exploitation in the current digital world. In India, the Digital Personal Data Protection Act, 2023 read with the draft Digital Personal Data Protection Rules, 2025 (collectively “Indian DPDP Regime”) proposes to establish strict safeguards to protect the data of children, ensuring that their data is handled ethically and responsibly. As we await the draft Digital Personal Data Protection Rules, 2025 to be notified, it becomes crucial to understand India’s stance on protection of data of children, in comparison with the standards laid down in the General Data Protection Regulation (“GDPR”) regime. This article outlines the key differences between the Indian DPDP Regime and the GDPR regarding consent requirements and data processing exemptions, applicable to children’s data.

Consent Requirements

Under both the proposed Indian DPDP Regime and the GDPR, personal data can only be processed with the individual’s consent. However, for processing children’s personal data, consent must be obtained from a parent or guardian. While both regimes enforce this requirement, they set different age thresholds. Under the GDPR, parental or guardian consent is required only if the child is below 16 years of age [1]. Additionally, the GDPR allows EU member states to lower the age below which parental consent is required to as low as 13 years. In contrast, the proposed Indian DPDP Regime sets a higher age limit of 18 years, meaning that accessing, processing and storing the data of individuals under the age of 18 years requires parental or guardian consent [2]. India thus proposes a higher and stricter age requirement for parental consent than the GDPR.

Consent Verification

In addition to obtaining parental or guardian consent to process a child’s personal data, under both the proposed Indian DPDP Regime and the GDPR, data processors must also take reasonable steps to verify the identity of the parent or guardian giving the consent. The GDPR prescribes no methods for verifying the individuals giving parental or guardian consent, leaving it up to data processors to determine the verification process. In contrast, the Indian DPDP Regime requires data processors to adopt technical and organizational measures to verify the identity of the individuals providing consent, such as the use of reliable identity and age verification methods, like government-issued credentials [3]. The GDPR allows for flexibility, but the proposed Indian DPDP Regime enforces a structured verification process to ensure compliance with the parental or guardian consent requirement for the use of children’s data. For example, a company handling children’s personal data in the European Union may only need an email confirmation from a parent or guardian, but in India, the company may have to use an Aadhaar or PAN card to verify the parent’s identity.

Exemptions from Parental Consent Requirements

Under the GDPR, parental consent is not required when processing a child’s personal data for counselling or preventive services [4]. The proposed Indian DPDP Regime, by contrast, provides specific exemptions where parental consent is not required, such as for healthcare services, behavioral monitoring by educational institutions for educational activities, or for the safety of the child. Further, processing of a child’s personal data by daycare centers for their safety has also been exempted [5].

Additionally, the Indian DPDP Regime allows processing of a child’s personal data in certain circumstances without parental or guardian consent, which are referred to as ‘legitimate uses’. These legitimate uses include providing government benefits and subsidies, blocking access to harmful content, and fulfilling legal obligations in the child’s interest [6]. A key distinction is that the Indian DPDP Regime explicitly lists the exempted sectors, while the GDPR provides broad exemptions.

Conclusion

As digital platforms continue to grow, protecting children’s personal data has become more crucial than ever. The proposed Indian DPDP Regime implements stronger safeguards that directly address the growing risks that children face online, whereas the GDPR takes a more flexible approach to the requirements of parental consent. Strict laws help prevent the misuse and exploitation of children’s personal data, but it is also important to ensure they do not place needless restrictions on companies that collect such data. As the Indian DPDP Regime develops, it remains to be seen how companies adjust and operate within this framework, balancing their commercial interests with the need to protect children's rights.

References
[1] General Data Protection Regulation, Article 8, Acts of European Union.

[2] Digital Personal Data Protection Act, 2023, Section 9(1), No. 22, Acts of Parliament, 2023 (India).

[3] Draft Digital Personal Data Protection Rules, 2025, Rule 10.

[4] General Data Protection Regulation, Recital 38, Acts of European Union.

[5] Draft Digital Personal Data Protection Rules, 2025, Rule 11.

[6] Digital Personal Data Protection Act, 2023, Section 7, No. 22, Acts of Parliament, 2023 (India).
