Guardian In The Code: Critical Analysis Of Children's Data Protection Under The Digital Personal Data Protection Act, 2023 And Rules, 2025

Parastish Dubey, Amity University, Lucknow

Dr. Reshma Umair, Amity University, Lucknow

ABSTRACT

The Digital Personal Data Protection Act, 2023 (DPDPA) and the Digital Personal Data Protection Rules, 2025 (DPDP Rules) together constitute India's first comprehensive legislative framework for personal data protection. Section 9 of the DPDPA occupies a position of singular importance within this framework — it establishes a specialized regime for the protection of children's personal data, predicated on three pillars: verifiable parental consent, an absolute prohibition on tracking and behavioural monitoring, and a categorical ban on targeted advertising directed at minors. This paper critically analyses the architecture of Section 9, the operationalising provisions under Rules 10–12 and the Fourth Schedule, and the practical and doctrinal lacunae that persist even after the finalization of the Rules. Drawing on comparative frameworks including the EU's General Data Protection Regulation (GDPR), the United States' Children's Online Privacy Protection Act (COPPA), and the UK Age Appropriate Design Code (AADC), this paper argues that while Section 9 represents a paradigm shift in India's approach to child digital rights, significant gaps remain — particularly around age verification infrastructure, enforcement capacity, and the tension between child protection and data minimization. The paper concludes with recommendations for bridging these gaps in the implementation phase.

Keywords: DPDPA 2023, DPDP Rules 2025, Children's Data Protection, Verifiable Parental Consent, Section 9, Data Fiduciary, Behavioural Tracking, GDPR, COPPA, Digital Child Rights.