DPDPA 2023 Section 9: Processing of Personal Data of Children
Section 9 of India's Digital Personal Data Protection Act, 2023 (DPDPA) requires every Data Fiduciary to obtain verifiable consent of a parent or lawful guardian before processing the personal data of any child under 18 years of age, and prohibits tracking, behavioural monitoring and targeted advertising directed at children. It applies uniformly to schools, hospitals, hotels, photographers, event organisers, retailers, media houses and any other entity in India that handles a minor's identifiable information, including photographs and videos.
Key facts
| Statute | Digital Personal Data Protection Act, 2023 |
|---|---|
| Section | Section 9 |
| Child Defined As | Individual under 18 years (Section 2(f)) |
| Consent Standard | Verifiable parental or guardian consent |
| Effective | 2025-2026 phased rollout under DPDP Rules |
| Penalty Ceiling | Up to ₹200 crore per instance |
What Section 9 says
Section 9 imposes three distinct duties on every Data Fiduciary. First, before processing a child's personal data, the Fiduciary must obtain verifiable consent of the parent or lawful guardian — self-declaration of age is insufficient. Second, no processing may be undertaken that is likely to cause any detrimental effect on the well-being of a child. Third, tracking, behavioural monitoring and targeted advertising directed at children are categorically prohibited and cannot be cured by parental consent. These duties extend to persons with disabilities having a lawful guardian. The Central Government may exempt specified Fiduciaries by notification, but until then the full obligations apply, adjudicated by the Data Protection Board under Section 33.
What it means in practice
- A child is any individual under 18 — far stricter than GDPR (16) or COPPA (13).
- Verifiable parental consent must precede collecting, storing, displaying or publishing a minor's name, face, biometrics or location.
- Photographs and videos of children at schools, weddings, marathons, hospitals or retail events are personal data under Section 9.
- Behavioural tracking, analytics profiling and retargeting aimed at users known to be children are prohibited outright.
- Targeted advertising to children is banned regardless of consent; parental consent cannot override this prohibition.
- Consent must be withdrawable at any time, and processing must cease immediately upon withdrawal.
Who Section 9 applies to
- Schools, coaching centres, ed-tech platforms and crèches handling student records, ID cards and classroom photos
- Hospitals, paediatric clinics and diagnostic chains processing minors' health records and case imagery
- Wedding photographers and photo studios capturing images of children at family functions
- Event management companies running school annual days, kids' carnivals and family festivals
- Marathon and sports event organisers registering junior participants and publishing finisher galleries
- Hotels, resorts and hospitality groups collecting guest data including accompanying minors
- Retail brands and e-commerce platforms operating kids' loyalty programs or in-store kiosks
- Media houses, news outlets and publishers featuring minors in coverage or imagery
- Ad agencies and marketing tech vendors running campaigns reaching under-18 audiences
- Corporate HR teams processing dependants' data for insurance, education and family benefits
Common violations
School publishes student photos without parental consent
A school uploads classroom and annual-day photographs to its public website or Instagram without obtaining verifiable consent from each child's parent, breaching Section 9(1).
Wedding photographer posts portfolio images of children
A studio shares sangeet or baraat images featuring identifiable minors on its website or Instagram reel without written parental consent from each child shown.
Marathon organiser publishes junior finisher gallery
A fun-run organiser hosts a searchable bib-number photo gallery of under-18 participants without verifiable guardian consent, breaching Section 9(1) and 9(3).
Ed-tech app runs behavioural analytics on minor users
A learning platform deploys retargeting pixels and engagement-tracking SDKs on accounts known to belong to school students, violating Section 9(3) outright.
Hospital shares paediatric case imagery for marketing
A hospital chain features before-and-after photos or testimonial videos of child patients on social media without verifiable lawful-guardian consent.
Retail brand profiles minors for targeted ads
A kids-apparel retailer uses loyalty-program data of under-18 customers to serve personalised ads on Meta or Google, breaching Section 9(3) regardless of parental sign-up.
Penalty for breach
Breach of Section 9 attracts a financial penalty of up to ₹200 crore per instance under Entry 4 of the Schedule to the DPDPA 2023, adjudicated by the Data Protection Board of India under Section 33. This is the second-highest penalty tier in the Act, exceeded only by failure to prevent a personal data breach (₹250 crore). Penalties are imposed per instance, with the Board weighing nature, gravity, duration, repetitive conduct and gains realised under Section 33(2).
Use the DPDPA Penalty Calculator to estimate your exact exposure.
Frequently asked questions
What is the age of a 'child' under DPDPA Section 9?
Section 2(f) defines a child as any individual who has not completed eighteen years of age. India's threshold is significantly higher than GDPR (16) or COPPA (13).
Can a school rely on a one-time admission consent form for all future photo and data use?
No. Consent under Section 6 must be specific, informed and withdrawable. A blanket admission clause is unlikely to meet Section 9(1)'s verifiability standard. Schools should obtain purpose-specific consent for marketing, website use and third-party sharing.
Does a wedding photographer need parental consent to photograph children at a private function?
Capturing during the assignment is generally covered by the client's contract, but publishing in a portfolio, social media, competitions or stock libraries requires verifiable consent from each minor's parent or guardian under Section 9(1).
Are marathon and event organisers liable for finisher photo galleries showing minors?
Yes. Hosting searchable, publicly accessible galleries of under-18 participants is processing of personal data and may also constitute tracking under Section 9(3). Organisers must obtain guardian consent at registration and offer takedown.
Can hotels collect ID details of accompanying minors at check-in?
Yes, where required by law enforcement or hospitality regulations, but such data must be limited to the stated purpose, secured under Section 8, and not used for marketing or imagery without verifiable guardian consent.
Is targeted advertising to teenagers ever permitted under Section 9?
No. Section 9(3) imposes an absolute prohibition on targeted advertising directed at children. Unlike the consent obligation in 9(1), this prohibition cannot be cured by parental consent.
What is the maximum penalty for a Section 9 violation?
Up to ₹200 crore per instance under Entry 4 of the Schedule to the DPDPA 2023, imposed by the Data Protection Board after inquiry under Section 28 and adjudication under Section 33.
Related sections
Not sure if your workflow complies with Section 9?
Free 48-hour DPDPAReady audit — we map your exact workflow against this section and quantify exposure.
Get your free audit →Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.