New Delhi, 25 September 2025: Esya Centre has released a first-of-its-kind report, An Empirical Appraisal of the Children’s Data Privacy Provisions in the DPDPA, assessing how the Digital Personal Data Protection Act (DPDPA) and its accompanying rules are shaping children’s online experiences in India.
Drawing on a stratified survey of 1,032 children across ten Indian cities and interviews with micro, small and medium enterprises (MSMEs), the study provides fresh insights into how the DPDPA’s provisions on verifiable parental consent (VPC) and the prohibition of personalisation and targeted advertising negatively impact children’s safety, access to quality information, and development, as well as the viability of small businesses in the digital ecosystem.
Key Findings
- VPC requirements may adversely affect Indian start-ups and SMEs:
- Studies estimate that firms deploying VPC mechanisms may have to spend anywhere between INR 30 lakh in setup costs to INR 1 crore annually in operations and training. This high compliance cost may be steep for Indian start-ups and SMEs.
- MSMEs surveyed by us report that parental consent prompts introduce friction that often leads to “rage clicks” and drop-offs, reducing their ability to acquire and directly engage with customers.
- VPC requirements may cut off children’s access to valuable online services:
- A large number of children surveyed go online for school work (83%), online searches (81%) and other learning and educational activities (72%). The DPDPA’s requirement of obtaining VPC to process the personal data of anyone under 18 risks cutting off children’s access to valuable online services.
- Many parents lack the digital literacy required to navigate VPC mechanisms. The DPDPA’s VPC requirements risks widening India’s digital divide and limiting access for children from less privileged households.
- Prohibition on personalisation may adversely affect children’s ability to access information and online safety:
- 76% of children surveyed stated that they prefer apps and websites to recommend content based on their interests. Personalisation plays a key role in ensuring children can access relevant information online.
- 73% of children surveyed stated that they would feel uncomfortable or unsafe if they encountered depersonalised content. Prohibiting personalisation may create unintended safety risks for children online and prevent exposure to traumatic experiences.
- Most importantly, restrictions on tracking and behavioural monitoring also prevent platforms from keeping children safe, this includes things like providing them with safety notices, or preventing sextortion or sexploitation based on the collection of intelligence signals.
- Prohibition on targeted ads may adversely affect children’s well-being, as well as industries making products for them:
- Three in every four surveyed children stated that if stricter rules prohibit online services from recommending educational and non-educational products to them, it would negatively affect their ability to discover them.
- 81% of surveyed children stated that they would be unhappy if they lost access to age-appropriate products due to stricter privacy rules. 75% of children stated that this loss would negatively affect their routine, with 27% reporting an extremely negative impact.
- Interviews with an Micro Small and Medium Enterprises (MSMEs) indicate that prohibiting targeted ads will lower the discoverability of services meant for children, and lead to a drop in content, products, and services made for them. It may also significantly reduce revenue for Indian businesses, with one MSME expecting a 90% drop in revenue because of the restrictions on personalisation and targeted advertising. This has key implications for the Audio-Visual Gaming and Comics (AVGC) sector.
- Evidence from other jurisdictions shows similar impacts. For example:
- Quebec’s long-standing ban on advertising directed at children correlated with a 35% decline in household toy spending over eight years.
- Global context: Unlike other international privacy regimes, which permit personalisation and targeted advertising with safeguards or parental consent, India’s DPDPA imposes blanket prohibitions under Section 9(3). This places Indian firms at a disadvantage compared to global peers, with fines of up to INR 200 crore for violations.
Policy Recommendations
The study calls for a balanced approach that safeguards privacy without limiting children’s safety, wellbeing, or access. Key steps include:
- Creating an Age-Appropriate Design Code under the DPDPA after consulting a cross-section of stakeholders. Businesses compliant with this code should be exempted from VPC requirements as per Section 9(4) of the DPDPA.
- Amending Section 9(3) of the DPDPA to permit both personalised content and targeted ads in order to retain children’s crucial online safety, access to age-appropriate information and relevant services meant for children’s benefit and safety.
- Carve out exemptions in the rules to enable platforms to continue to protect children online and enable targeted ads from businesses that produce products and services that are beneficial for children.
- Supporting complementary measures like digital literacy, and parental engagement.
