New Delhi | Across legal systems and constitutional traditions worldwide, one principle remains undisputed—the State bears a fundamental duty to protect children from potential harm. This responsibility is not merely moral in nature; it flows from domestic laws, constitutional values and international obligations. In discharging this duty, the Government of India has brought into force the Digital Personal Data Protection (DPDP) Act, 2023, with a strong focus on safeguarding children from digital risks.
The Act places an explicit prohibition on the tracking of children’s data, monitoring of their online behaviour, and the use of targeted advertising aimed at minors. Under the law, a data fiduciary refers to any individual, institution or company that determines the purpose and means of collecting and processing personal data—whether an e-commerce platform, a bank or a digital service provider.
Certified Cyber Crime Investigator Course Launched by Centre for Police Technology
The Digital Personal Data Protection Rules, 2025, notified on November 14, 2025, operationalise the Act by providing a clear, citizen-centric regulatory framework. These rules seek to strike a balance between individual rights and lawful data processing. Their stated objectives include curbing unauthorised commercial exploitation of personal data, reducing digital harm and fostering a safe environment for innovation. In doing so, they also aim to strengthen trust in India’s growing digital economy.
The notification comes at a time when children’s digital footprint is expanding rapidly. The DPDP Rules bring schools, colleges, ed-tech companies and education boards within a national compliance framework. Any collection or use of personal data of individuals below 18 years of age now requires verified parental or guardian consent, a provision of particular significance in an era of constant digital surveillance of children.
Data fiduciaries are further obligated to adopt enhanced security safeguards while handling children’s data. This includes processing data strictly for defined and necessary purposes and maintaining full transparency when sharing data with third parties. The Act reinforces a critical principle—that commercial interests cannot override a child’s right to a safe digital environment.
To oversee compliance and investigate violations, the Act provides for the establishment of a Data Protection Board, empowered to impose penalties for breaches involving children’s data. As a result, many institutions will need to audit existing practices, redesign consent mechanisms and reassess how student data is collected, stored and shared across systems.
Most key obligations under the Act—including verified parental consent, data minimisation, security safeguards and breach notifications—will come into force after an 18-month transition period. Limited exemptions have been granted to certain entities and purposes, such as healthcare services, mental health professionals, educational institutions, transport service providers for schools, crèches and childcare centres.
The effectiveness of these child-protection provisions will depend on three critical factors. First, the ability and willingness of parents to act as informed custodians of their children’s data. Second, the readiness of schools and educational institutions to conduct due diligence while outsourcing digital services, revisit vendor contracts and ensure secure data storage. Third, the autonomy, technical capacity and resourcing of the Data Protection Board will be decisive.
While social media platforms offer children avenues for expression and creativity, they also pose serious risks. Addressing these challenges requires a balanced regulatory approach—one that combines digital literacy, parental guidance, age-appropriate platform features and graduated access to online spaces.
Taken together, the DPDP Rules provide much-needed operational clarity to the DPDP Act and lay down a structured legal foundation for protecting children’s data privacy in India’s digital ecosystem.
About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.
