The DPDP Act treats every Data Principal under 18 as a child. That means verifiable parental consent, no behavioural tracking, and no targeted advertising. Here's how to ship a §9-compliant experience without breaking onboarding.
Before processing any personal data of a child, the Data Fiduciary must obtain verifiable consent from the parent or lawful guardian.
Behavioural monitoring and targeted advertising directed at children are prohibited outright.
Processing likely to cause detrimental effect on the well-being of the child is barred.
Self-declared DOB at signup. If <18, branch into the parental consent flow before any data collection beyond name and parent contact.
OTP to parent's mobile + Aadhaar OKYC age check + small refundable token transaction. Crawlshark ships all three out of the box.
Parent grants itemised purposes (account, learning records, community) — not a blanket OK.
On the child's 18th birthday, auto-trigger fresh consent from the now-adult Data Principal.
Use Crawlshark's age-gating + verifiable parental consent SDK and stay defensible against the ₹200 Cr penalty.