Children and Persons with Disabilities Under DPDP
# Children & Persons with Disabilities Under DPDP
Designing Safer Digital Experiences for Vulnerable Users
Published by Vishwaas.ai | DPDP Series
1. Why DPDP Treats Children And Certain PwDs Differently
The DPDP framework recognises that not all users can fully understand or control what happens to their data. Children and certain persons with disabilities are more vulnerable to profiling, manipulation and harm, and the law treats their data with extra care.
Section 9 of the DPDP Act sets special rules for the personal data of children and persons with disabilities who have lawful guardians. The DPDP Rules 2025 build on this by introducing detailed requirements for verifiable consent, age and guardian verification, and strict limits on tracking and targeted advertising.
For product teams, this means that 'one-size-fits-all' data flows are no longer acceptable - your design must explicitly account for vulnerable users.
2. Who Counts As A Child Or A Protected Person Under DPDP
Under the DPDP Act, a child is anyone under the age of 18. A Data Principal with certain disabilities can also fall under a special regime where a lawful guardian acts on their behalf.
The definition of Data Principal in the Act explicitly includes a person with disability and their lawful guardian. The Rules then reference guardianship frameworks under the Rights of Persons with Disabilities Act, 2016 and the National Trust Act, 1999, to define who qualifies as a lawful guardian for consent purposes.
In simple terms: if a user is under 18, or if they have a court- or authority-appointed guardian because of specific disabilities, your platform must treat their data as subject to enhanced DPDP safeguards.
3. Verifiable Parental And Guardian Consent
Section 9 and the DPDP Rules 2025 require 'verifiable consent' from a parent or lawful guardian before processing children's data or data of protected persons with disabilities.
Verifiable consent means more than just a checkbox. The Rules expect Data Fiduciaries to:
- Confirm that the person giving consent is an adult.
- Confirm that they are the child's parent or lawful guardian using reliable information or tokens.
- Use technical and organisational measures to prevent impersonation or misuse of guardian identity.
Commentaries on Rules 10 and 11 highlight mechanisms such as government-issued tokens, age-gated accounts, and mapping to identity attributes from authorised sources. The goal is to ensure that consent is genuinely coming from someone with legal responsibility for the child or protected person.
4. Bans On Profiling, Tracking And Targeted Advertising For Children
One of the strongest protections in DPDP is its stance on behavioural tracking and advertising directed at children.
The Act and Rules broadly prohibit Data Fiduciaries from:
- Tracking or monitoring children's behaviour across services for behavioural analysis.
- Using profiling to make inferences about children's interests or vulnerabilities.
- Serving targeted advertising directed specifically at children based on such profiling.
Legal guides summarise this as a clear shift away from 'ad-tech for kids' toward safer, more neutral experiences. There are narrow exceptions for certain essential services - like educational platforms, healthcare, and regulated child transport - but the default is strict protection.
5. Separate Provisions For Persons With Disabilities
The DPDP Rules also create dedicated provisions for persons with disabilities, recognising that some may rely on guardians for legal decisions while still needing their privacy respected.
Key elements include:
- Requiring verifiable consent from lawful guardians for protected categories of disabilities, with due diligence to confirm legal status.
- Referencing designated authorities and local level committees under disability and guardianship laws to define who can act as a guardian.
- Emphasising security and due diligence obligations when handling guardianship-based consent.
This means your product must not only check that a consent-giver is an adult, but also that they are actually recognised under Indian law as the guardian for that person with disability.
6. Designing Age And Guardian Verification Flows
From a UX and engineering standpoint, age and guardian verification under DPDP can be implemented in several ways:
- Age gates at registration, with clear declarations and optional verification via trusted attributes.
- Separate account types or flows for children and protected PwDs, with mandatory guardian onboarding.
- Token-based verification where identity providers issue verifiable indicators of age or guardianship status.
- Logging verification steps so you can demonstrate due diligence to regulators.
The exact implementation will vary by product, but the principle remains: you must be able to show that you did more than take someone's word for it.
7. Content, Features And Default Settings For Young Users
DPDP does not prescribe your content strategy, but its spirit strongly influences what responsible defaults should look like for children.
Practical considerations include:
- Limiting high-risk features such as open chat, public profiles or geo-sharing for child accounts.
- Turning off personalised recommendations based on detailed behavioural histories for minors.
- Using neutral or educational content placements instead of manipulative design patterns.
- Providing simple, guardian-visible controls for managing a child's experience.
These choices will not only make DPDP compliance easier but also align your product with broader child-safety expectations in India and globally.
8. Handling Rights Requests From Children And Guardians
Children and persons with disabilities still enjoy DPDP rights - access, correction, erasure and grievance redressal - but these rights are typically exercised by their guardians.
A DPDP-aligned platform should be ready to:
- Verify that the requester is a guardian before releasing or erasing child or protected-person data.
- Provide clear, simple interfaces for guardians to see what data is held, for what purpose and for how long.
- Handle erasure and consent withdrawal with special care where other laws (like education or health records) mandate retention.
- Log every rights request and response for audit and regulator review.
This turns child and PwD rights handling from ad hoc support work into a structured governance process.
9. Risk And Penalty Landscape For Child And PwD Data
Because harm to children and vulnerable persons is taken very seriously, DPDP penalty schedules treat certain failures around their data more strictly.
Expert analyses highlight that:
- Breaches involving children's data or wrongful targeted advertising can attract penalties toward the higher tiers of the DPDP fine range.
- Failure to obtain verifiable parental or guardian consent - or to honour restrictions on profiling and tracking - can be treated as aggravated violations.
- Repeated non-compliance in child-safety controls may influence how the Data Protection Board calculates fines, especially where systemic issues are found.
In short, cutting corners on young or vulnerable users' data is both ethically and financially expensive.
10. How Vishwaas.AI Can Help Build Safer Journeys
For teams building products that serve families, students, patients or communities with diverse abilities, DPDP's child and PwD rules can feel complex at first. But they also offer a clear blueprint for safer design.
- Mapping where children and protected PwDs show up in your user base.
- Defining age-gating, guardian verification and consent workflows.
- Configuring tracking, profiling and advertising controls so they are automatically restricted for vulnerable accounts.
- Providing governance dashboards and logs that show regulators you took these obligations seriously.
Done well, compliance here is not just about avoiding fines - it is about being the product that parents, guardians and communities actively trust for the young and vulnerable people they care about.
(c) Vishwaas.ai | DPDP Compliance Made Simple

