Authenticated consent from a parent or guardian required before processing any child's personal data under DPDPA.
Verifiable parental consent under DPDPA Section 9 requires that before processing any child's personal data, the Data Fiduciary must obtain consent from the child's parent or lawful guardian with reasonable verification that the consenting person is indeed the parent or guardian. Rule 10 prescribes verification methods which may include: email verification to parent's registered account, OTP verification to parent's phone, digital signature, or other reliable mechanisms. The verification must be proportionate to the risk.
If your product serves users under 18, you need a technical mechanism to: verify age at signup, identify the parent/guardian, verify their identity, obtain their consent, and record proof — before any data processing occurs. This is significantly more complex than adult consent.
An EdTech app for school students implements: age gate (DOB entry), parent email collection, OTP sent to parent's mobile, parent views consent notice with all purposes, parent explicitly consents via OTP verification, and the consent proof is stored with parent verification evidence.
Self-declaration ("I am over 18" checkbox) is NOT verifiable consent. DPDPA requires actual verification that the consenting person is a parent/guardian — not just their claim to be one.
DPDPA Shield automates Consent Management. See how →