Disclaimer

By clicking, "I Accept" below, you accept and acknowledge the following:

The purpose of this website is to provide general information and insights about TLH, Advocates & Solicitors, and not to advertise or solicit work in any manner whatsoever.

Please note that as per the Bar Council of India Rules, advocates in India are prohibited from advertising or soliciting work in any form or manner. You acknowledge that you are visiting this website at your discretion and that there has been no solicitation, invitation, or inducement of any sort whatsoever from TLH, Advocates & Solicitors or any of its professionals in relation to this website.

The content available on this website does not constitute legal or other professional advice and should not be substituted for advice relevant to particular circumstances.

The access and use of this website does not establish any fiduciary or other relationship between you and TLH, Advocates & Solicitors or any of its advocates.

Please read the ‘Terms of Use’ and our ‘Privacy Policy’ before accessing this website.

I Accept
Blog default background
Blog
Corporate Law

Navigating Child Personal Data Protection: A Comparative Analysis of the Indian DPDP Regime and the GDPR

Authors:
Anirudh Krishna
March 31, 2025
5 min read
Share this post
Copied!

Introduction

Children’s data is the most susceptible to misuse and exploitation in the current digital world. In India, the Digital Personal Data Protection Act, 2023 read with the draft Digital Personal Data Protection Rules, 2025 (collectively “Indian DPDP Regime”) proposes to establish strict safeguards to protect the data of children, ensuring that their data is handled ethically and responsibly. As we await the draft Digital Personal Data Protection Rules, 2025 to be notified, it becomes crucial to understand India’s stance on protection of data of children, in comparison with the standards laid down in the General Data Protection Regulation (“GDPR”) regime. This article outlines the key differences between the Indian DPDP Regime and the GDPR regarding consent requirements and data processing exemptions, applicable to children’s data.

Consent Requirements

Under both the proposed Indian DPDP Regime and the GDPR, personal data can only be processed with the individual’s consent. However, for processing children’s personal data, consent must be obtained from a parent or guardian. While both the regimes enforce this requirement, they set different age thresholds. Under the GDPR, parental or guardian consent is required only if the child is below 16 years of age [1] . Additionally, the GDPR allows EU member states to amend the regulations to lower the age of a child for applicability of parental consent regulations to as low as 13 years. In contrast, the proposed Indian DPDP Regime sets a higher age limit of 18 years, meaning for access, process and storage of data of individuals under the age of 18 years requires parental or guardian consent [2] . India proposes to establish a higher and stricter age requirement for parental consent as compared to the GDPR.

Consent Verification

In addition to obtaining parental or guardian consent to process a child’s personal data, under both the proposed Indian DPDP Regime and the GDPR, data processors must also take reasonable steps to verify the identity of the parent or guardian giving the consent. Under the GDPR, there are no prescribed methods for verification of the individuals giving parental or guardian consent, leaving it up to data processors to determine the verification process. In contrast, the Indian DPDP Regime requires data processors to adopt technical and organizational measures to verify the identity of the individuals providing consent, such as the usage of reliable identity and age verification methods, like government-issued credentials [3] . The GDPR allows for flexibility, but the proposed Indian DPDP Regime enforces a structured verification process to ensure compliance for parental or guardian consent for data usage of children. For example, a company handling children’s personal data in the European Union, may only need an email confirmation from a parent or a guardian, but in India, the company may have to use an Adhaar or a PAN card to verify the parent’s identity.

Exemptions from Parental Consent Requirements

Parental consent is not required under the GDPR, when processing a child’s personal data for counselling or preventive services [4] . Whereas, the proposed Indian DPDP Regime provides specific exemptions where parental consent is not required, such as for healthcare services, behavioral monitoring by educational institutions for educational activities, or for the safety of the child. Further, processing of a child’s personal data by daycare centers for their safety has also been exempted [5] .

Additionally, the Indian DPDP Regime allows processing of a child’s personal data for certain circumstances without parental or guardian consent, which are referred to as ‘legitimate uses’. These legitimate uses include providing government benefits and subsidies, blocking access to harmful content, and fulfilling legal obligations in the child’s interest [6] . A key distinction is that the Indian DPDP Regime explicitly lists the exempted sectors, while the GDPR provides broad exemptions.

Conclusion

As digital platforms continue to grow, protecting children’s personal data has become more crucial than ever. The proposed Indian DPDP Regime implements stronger safeguards that directly address the growing risks that children face online, whereas the GDPR takes a more flexible approach to the requirements of parental consent. Strict laws help prevent the misuse and exploitation of children’s personal data, but it is also important to ensure they do not place needless restrictions on companies that collect such data. As the Indian DPDP Regime develops, it remains to be seen how companies adjust and operate within this framework, balancing their commercial interests with the need to protect children's rights.

References
[1] Global Data Protection Regulation, Article 8, Acts of European Union.

[2] Digital Personal Data Protection, 2023, Section 9(1), No. 22, Acts of Parliament, 2023 (India).

[3] Draft Digital Personal Data Protection Rules, 2025, Rule 10.

[4] Global Data Protection Regulation, Recital 38, Acts of European Union.

[5] Draft Digital Personal Data Protection Rules, 2025, Rule 11.

[6] Digital Personal Data Protection, 2023, Section 7, No. 22, Acts of Parliament, 2023 (India).

No items found.
tatva legal , legal services hyderabad, Telangana legal services, corporate law hyderabad, corporate law Telangana

Footnotes

Share this post
Copied!

Latest posts

Insolvency
October 14, 2025
The Treatment of Operational Creditors under the Insolvency and Bankruptcy Code, 2016: An Analysis of Recent Jurisprudence
Read more
Arrow Right
Dispute Resolution
October 13, 2025
Balancing (In)Equities – Revisiting Restoration of Restoration Applications under the CPC
Read more
Arrow Right
Insolvency
October 8, 2025
Concept Of An 'Aggrieved Person' Under Section 61 Of The IBC: A Settled Law?
Read more
Arrow Right
Real Estate
October 6, 2025
Alienation of Ancestral Property: Judicial Precedents
Read more
Arrow Right
General
October 1, 2025
Tatva Legal Hyderabad Rebrands as TLH, Advocates & Solicitors
Tatva Legal, Hyderabad has rebranded as TLH, Advocates & Solicitors
Read more
Arrow Right
Real Estate
October 1, 2025
Reliability on Registered Sale Deeds: Mahnoor Fatima Imran Case
Registration, though indispensable, does not by itself confer ownership: Supreme Court’s emphasis in Mahnoor Fatima Imran case
Read more
Arrow Right
View All Blogs
Arrow Right