Think about the last time you used an app on your phone. Maybe you opened Instagram, played a game or searched for something on YouTube. Now imagine you are a ten-year-old doing the same thing. You have no idea that the app just noted down your location, your browsing habits and possibly even your face through the front camera. You have no idea because nobody told you. And in India, nobody was legally required to.
That is the uncomfortable reality of children and digital privacy in our country right now. We talk a lot about child safety online — stranger danger, cyberbullying, screen time — but the conversation about data privacy specifically, about who is collecting children’s information and what they are doing with it, is barely getting started.
WHAT IS DIGITAL PRIVACY AND WHY DOES IT MATTER MORE FOR CHILDREN?
Digital privacy, simply put, is your right to control what personal information about you is collected, stored and shared online. For adults, this is already a complex and often overlooked issue. For children, it is far more serious.
Children are not just smaller adults. They do not fully understand consent. A seven-year-old clicking “I Agree” on a terms and conditions page is not giving informed consent. They are just trying to get to the game faster. And yet, the moment they click that button, they may have handed over their name, age, location, device information and browsing behaviour to a company sitting thousands of miles away.
The consequences are not just abstract. Data collected on children can be used to serve them targeted advertisements, manipulate their preferences or worse — it can be breached and fall into the hands of people who mean them harm. In 2019, the United States Federal Trade Commission fined TikTok (then Musical.ly) USD 5.7 million for illegally collecting personal information from children under 13 without parental consent.[1] The data collected included names, email addresses and precise locations. This was not a small breach but a systematic, deliberate collection of children’s data.
The troubling part? India had millions of children on that same app at the same time, and there was no law specific enough to address it.
WHAT DOES INDIAN LAW SAY RIGHT NOW?
India is not completely silent on data privacy. The Information Technology Act, 2000[2] and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011[3] from our basic digital law. Section 43A of the IT Act requires companies to protect sensitive personal data. But these rules were written before smartphones became what they are today, and they do not specifically mention children even once.[4]
The Protection of Children from Sexual Offences Act, 2012[5] and the Juvenile Justice (Care and Protection of Children) Act, 2015[6] do protect children in important ways but they deal with abuse, exploitation and care, but not data collection. For a long time, India’s most anticipated answer to this gap was the Personal Data Protection Bill, 2019, which went through years of revision and debate before being withdrawn in 2022. In its place, the Digital Personal Data Protection Act, 2023 [7] was passed, and this is the most significant development we have had.
THE DPDPA 2023: A STEP FORWARD, BUT IS IT ENOUGH?
The Digital Personal Data Protection Act, 2023, is India’s first dedicated data protection law, and it does mention children. Section 9 of the Act specifically deals with the processing of personal data of children who are defined as anyone below the age of eighteen. The Act generally requires verifiable parental consent before a data fiduciary processes the personal data of a child, subject to certain exceptions and exemptions that may be prescribed. It also prohibits platforms from tracking children’s behaviour, targeting them with advertisements and profiling them.
On paper, this sounds exactly like what was needed. And honestly, it is a big leap from where we were. But once you look at the details, questions begin to appear.
First, the Act allows the central government to exempt certain classes of data fiduciaries from the parental consent requirement. This is a wide discretionary power, and who gets exempted and why is not clearly defined. Second, the mechanism for verifiable parental consent is not spelt out in the Act itself. It is left to future rules to determine. In a country where digital literacy among parents varies enormously, this gap is significant. Third, and perhaps most critically, the Data Protection Board that will oversee complaints and violations is yet to be fully constituted. Without an active regulator actually watching platforms, even the best law becomes a suggestion.
Compare this to the General Data Protection Regulation in Europe,[8]which has been operational since 2018. GDPR sets the age of consent for data processing at sixteen (or thirteen with parental consent, depending on the member state), requires platforms to use clear and plain language when dealing with children and has actually levied massive fines on violators. In 2022, Ireland’s Data Protection Commission fined Instagram EUR 405 million for mishandling children’s data.[9] That kind of regulatory muscle is what makes companies take compliance seriously. India is not there yet.
THE GAP BETWEEN LAW AND REALITY
Even setting aside the new law for a moment, there is a practical reality that Indian children face every day. Most popular apps and platforms have a minimum age of thirteen. But millions of children below that age are on Instagram, YouTube and WhatsApp. How? They simply enter a false birth year. No verification happens. No parent is informed. The platform has technically complied with its own terms of service, and the child’s data starts getting collected anyway.
There is also the question of EdTech platforms – an area that exploded during and after the COVID-19 lockdowns. Apps like BYJU’S, Unacademy and many others collected enormous amounts of data from students, including learning patterns, performance analytics and sometimes biometric data through online proctoring features. The question of who owns this data, how long it is stored and whether children or their parents can ask for its deletion remains murky.
And then there is social media itself. A 2021 report by the Internet and Mobile Association of India found that children between twelve and seventeen years of age spend an average of three hours online daily.[10] That is three hours of data being generated, collected and potentially monetised every single day — by platforms whose entire business model is built on advertising.
WHAT NEEDS TO CHANGE?
It would be unfair to say nothing is happening. The DPDPA 2023 is a genuine milestone. But for it to actually protect children, several things must follow.
Rules need to be notified quickly. The Act is a framework. The actual implementation details come through rules that the government has yet to fully publish. Until those rules are out, enforcement cannot meaningfully begin. Digital literacy also needs to be part of the solution. Laws alone cannot protect children who do not understand their own rights. Schools need to teach children and parents what data privacy means. Whether the solution is Aadhaar-linked age verification or some other mechanism, it must be thought through carefully, because any verification system carries its own privacy risks if mishandled.
Most importantly, platforms must be held accountable. India is one of the largest markets for almost every major technology company. That gives us leverage. Regulators need to use it.
CONCLUSION
The internet grew up faster than our laws did. That is true everywhere, not just in India. But children who had no say in being born into the digital age should not be the ones paying the price for that lag.
India has made a start with the DPDPA 2023. The recognition that children deserve special protection in the digital space is there, in black and white. What remains is the harder, slower work of implementation, enforcement and genuine accountability.
As someone about to study law, what strikes me most is how this issue sits right at the intersection of rights, technology, childhood and the relationship between the state and its citizens. Getting this right matters. And if our generation of lawyers does not push for it, who will?
Author(s) Name: Chhavi Poplani
References:
[1] ‘Video Social Networking App Musical.ly Agrees to Settle FTC Allegations That it Violated Children’s Privacy Law’ (Federal Trade Commission, 27 February 2019) <https://www.ftc.gov/news-events/news/press-releases/2019/02/video-social-networking-app-musically-agrees-settle-ftc-allegations-it-violated-childrens-privacy> accessed 14 May 2026
[2] Information Technology Act 2000
[3] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011
[4] Information Technology Act 2000, s 43A
[5] Protection of Children from Sexual Offences Act 2012
[6] Juvenile Justice (Care and Protection of Children) Act 2015
[7] Digital Personal Data Protection Act 2023
[8] General Data Protection Regulation 2016
[9] ‘Data Protection Commission announces conclusion of two inquiries into Meta Ireland’ (Data Protection Commission, 04 January 2023) <https://www.dataprotection.ie/en/news-media/data-protection-commission-announces-conclusion-two-inquiries-meta-ireland> accessed 14 May 2026
[10] Internet in India 2021 (Internet and Mobile Association of India 2022)

