The newly drafted legislation, DPDP rules 2025, has exceeded its mandate from its parent legislation, the DPDP Act. This act was vague, ambiguous, and much was left on the interpretation.
Privacy of children needs special social protection not only from the real world but now also from the virtual world. Their virtual life starts long before their birth. Children do not understand the importance of their privacy while sharing information online. This was emphasized by the apex court in 2017 in the case of K.S. Puttaswamy vs. Union of India,[1] in which the right to privacy was recognized as a fundamental right under Article 21[2] of the Indian constitution.
The newly drafted rules of 2025[3] say that before having access to any online platform, it checks the age and identity of the person identifying as the parent or a legal guardian of the child. The act also says that the platforms cannot access the personal information of anyone who is below 18.
Ambiguity in the definition of a child: Given in section 2(f) of the DPDP rules 2025[4], which defines a child as “someone who is below 18 years of age.” The meaning itself is ambiguous on the fact that everyone below the age of 18 cannot be kept on the same page. This indirectly limits the access of children to the online services. They didn’t consider the solution urged by the experts in the Data Protection Bill of 2022[5], which says that age is to be taken in different grades from 13 to 16 are to be different differently than those below 13 years of age.
Lack of proper definition of the word “harm[6]”: In the current bill there is an absence of the word “harm”; instead, there is a very wide or general section that says, “any detrimental effect on the well-being of a child.” There has been a drastic change when compared to the earlier versions of the bill that used to specifically mention things like mental or bodily injury, discrimination, and others.
This, on paper, might seem to be very wide and increases the scope of the government by having an upper hand in deciding what does and what doesn’t constitute a detrimental harm. This also places the child below age in a bad condition because if the child goes to the DPB (Data Protection Board) and says that my rights are violated. Whether it is a violation or not is not in his hands because a proper definition of what constitutes a detrimental harm is not given. It goes like something is a detrimental effect, but what is a detrimental effect? It should also be noted that the detrimental effect is also very firm, and it is much harder to prove when the impact on the child is “intangible.”.
Behavioural monitoring can be both a friend and a foe under section 9(3)[7]: The act mentions that tracking and behavioural monitoring cannot be practised. But if the government believes that the platform tracks or uses the data in a “verifiably simple manner,” then the same can be exempted by the government to seek parental or guardian consent. The government also has the power to exempt the platforms to use the data for certain purposes.
This if seen carefully benefits the platform and the government. Here, both can use the data and other information for their personal use or other benefits can also be achieved by violating their right to privacy.
This can be seen in the TQH’s policy dialogue in 2023 where Hui Lin Tan, being the product quality in Asia Pacific, said that behavioural tracking is necessary so that children do not get exposed to the harmful or vulgar content on Youtube. He further argued that if there is no behavioural tracking then there is a chance that certain useful material that is useful for a child’s development and learning is undiscoverable. They can also make harmful content reach them very easily.
This illustration clearly shows that there is ambiguity in this section the law should be clearer on this point. As several other platforms may also be facing the same problem. Similarly, there can be misuse of this section by excessive surveillance or unnecessary tracking and later justifying the same by using this section.
What is Verifiable Parental Consent and how it is taken?
The 2025 DPDP rules[8] say that online platforms must check the age and identity of the parent or legal guardian giving consent on behalf of the child, which should be properly checked and verified. Then can the online platform have the tracking of children’s data. Around this only the issue revolves.
This can be done in 2 ways in which age and identity can be verified:
Where parents already use the platform: If the child wants to use a platform that the parent or guardian already uses then it can take into consideration the same information provided there.
When the parents do not use the platform: In this case the platform can have the age and identity check through a legally authorized entry or government body.
Do the parents even know what the real meaning of consent is? Here we should know that only 20% of the population are literate and digitally aware. But the rest 80% don’t know the meaning of consent and if they know they do not know the consequence or aftereffect of giving it because they are not digitally aware of the privacy issues. This can also pose a threat to the child’s learning and development online. They are just giving consent just for the sake. They don’t know the real meaning and the legal consequence later.
Here, the platform verifies the age and identity of the parent or the legal guardian given verification. The rules are silent on the same point that how will the platforms go about verifying the relationship between the child and the parent? If due diligence is applied, it will be said that if the relationship has to be verified there has to be verification of personal information to justify the relationship. This favours government. This violates more rights and privacy of an individual which was meant to protect it.
It is also necessary to note that what if the child himself inputs wrong information and acts like an adult thereby giving consent by him only. The rules remain silent on this point, when the child gives wrong information through his consent and acts as an adult.
Online platforms to verify the age and identity of a person would need some specific information like Aadhar number, date of birth and other details. In this process asking for an Aadhar card number to link it with the consent as the Aadhar card does not act as a proof for DOB, it acts as a loop to benefit the government. This increases the chance of violation of their privacy and defeats the purpose of data protection and maintaining privacy. This may also avert parents from giving their consent for their child. This acts as an indirect barrier to child’s learning. This makes the rules counterintuitive to the protection of children’s privacy.
This issue of verifiable parental consent makes the data companies and online platforms to work with full care and diligence. This may lead to the collection of a substantial amount of Aadhar card number and other governmental information. This makes us think that the same information can be used wrongly or not as per the law. Making the whole of this process counterproductive and make privacy implications.
As the parental consent is final and the data can then be processed. But if we see this from another point of view, what if a child searches by his own some harmful content hate speech or anything that is illegal that directly or indirectly affects the mental consciousness of the child. Then there is no need to have consent it simply becomes immaterial.
Conclusion
DPDP Rules 2025. The said rules, no doubt, promise to protect and preserve the digital privacy and rights of children are yet to show what they truly have in the context of practicability. In fact, it has many ambiguities and lacunae. There is no ample clarity related to many points of this bill and who is considered an adult and who is child etc. The absence of a well-defined framework for the definition of “detrimental effects” and its subsequent mitigation poses serious problems in terms of enforcement and places a vast amount of discretion on the authorities and online platforms. By not defining detrimental effects it may well be used to over-survive and track causing exactly what is intended to be protected.[9]
Additional privacy and data misuse concerns arise from the requirements to verify age, identity, and parental relationships, particularly through mechanisms such as Aadhaar and other information sharing platforms. In addition, the undue burden on parents, many of whom are digitally illiterate, may inadvertently hinder children’s access to educational and developmental resources online.
The DPDP Rules 2025, as of now, present a paradox: it attempts to safeguard children’s privacy while inadvertently creating barriers to their development and exposing them to new vulnerabilities.
There is a need to clearly define this law and remove all the discrepancies. More robust safeguards are also needed to prevent data breach and protect data of the parents and children. The best interests of children must be the focus, respect for privacy rights, and ensuring inclusive implementation, in order to achieve the desired outcome.
[1] K.S. Puttaswamy (Aadhar/Privacy-3J.) v. Union of India, (2015) 8 SCC 735.
[2] INDIA CONST. Art.21.
[3] The Digital Data Protection Rules, 2025, Acts of Parliament, 1949 (India).
[4] The Digital Data Protection Rules, 2025, §2(f) Acts of Parliament, 1949 (India).
[5] The Digital Data Protection Rules, 2025, Acts of Parliament, 1949 (India).
[6] The Digital Data Protection Rules, 2025, Acts of Parliament, 1949 (India).
[7] The Digital Data Protection Rules, 2025, §9(3) Acts of Parliament, 1949 (India).
[8] The Digital Data Protection Rules, 2025, Acts of Parliament, 1949 (India).
[9] The Digital Data Protection Rules, 2025, Acts of Parliament, 1949 (India).
Author: Shreyankar Shahi and Anushka Rathore, are students at Dharmashastra National Law University.
