Addressing the White Elephant in the Room
A critique of Section 9 of the DPDP Act
**Abhijeet Menon and Sandhyashree Karanth
A child’s access to the internet in India is now mediated not only by devices or connectivity, but by their parents’ ability to verify their identity. The Digital Personal Data Protection Rules, 2025 (DPDP Rules) introduce a verifiable parental consent framework for all persons below the age of eighteen. The objective is clear: to strengthen protections for children in an increasingly data-driven ecosystem. The design, however, produces a paradox: a privacy law that mandates the collection of more sensitive data than the platforms it regulates ever would.
Consider a common scenario: A seventeen-year-old seeks to use an online learning platform. Under the Rules, the platform must first obtain verifiable consent from her parent through approved mechanisms such as existing identity records or authorised digital verification systems. Where such verification is unavailable, due to limited digital access, lack of documentation, or unfamiliarity with these systems, the platform is legally constrained from processing the child’s data. Access to the service thus becomes contingent not on the child’s needs or the nature of the platform, but on the parent’s ability to satisfy a technical verification requirement.
This outcome flows directly from Section 9 of the Digital Personal Data Protection Act, 2023, (DPDP Act) read with Rules 10 and 11 of the DPDP Rules, 2025. Rule 10 requires data fiduciaries to obtain verifiable parental consent before processing a child’s data, either through existing identity records or authorised virtual tokens (such as DigiLocker). Rule 11 extends a similar framework to persons with disabilities, conditioning data processing on verification that the consenting individual is a court-appointed lawful guardian under the Rights of Persons with Disabilities Act, 2016. Together, they establish a uniform model of verifiable, parent-mediated consent, applied across all children and persons with disabilities, across all platforms and contexts.
This article argues that while the aim of child protection is both necessary and legitimate, the current model of verifiable parental consent risks producing unintended barriers to access and participation. By making digital access dependent on parental identity verification, the framework may inadvertently reproduce existing inequalities and overlook the varied realities in which children engage with digital services.
The Paradox
The most serious critique of the verifiable parental consent framework is not that it is difficult to implement. At the heart of the DPDP Act lies a clear normative commitment: data minimisation and purpose limitation. Personal data is to be collected only to the extent necessary for a specific, lawful purpose. Yet, the operational design of Rule 10 of the DPDP Rules pulls in the opposite direction. To demonstrate compliance, data fiduciaries are required to verify that the consenting individual is an identifiable adult. In practice, this creates strong incentives to rely on identity-heavy verification mechanisms, government-issued IDs, Aadhaar-linked credentials, DigiLocker tokens, and records that establish the relationship between parent and child. The law that mandates minimal data collection ends up encouraging maximal identity verification. Compliance, in this context, becomes difficult to demonstrate without accumulating precisely the kinds of sensitive personal data that the statute was enacted to regulate. What emerges is not simply an implementation challenge, but a design contradiction, one in which the protective mechanism risks generating the very harms it was intended to prevent.
This tension is not unfamiliar in the Indian context. The trajectory of Aadhaar offers a useful point of comparison. It was initially started as a targeted welfare delivery tool, and gradually expanded into a near-universal identity infrastructure across both public and private sectors. Over time, concerns around function creep and surveillance capacity emerged, even as judicial interventions attempted to impose limits. The takeaway is not that identity systems are inherently problematic, but that compliance incentives tend to drive expansion beyond original purposes. The verifiable parental consent framework risks a similar dynamic: in seeking to prove compliance, platforms may begin to collect and retain sensitive family-linked data at a scale that exceeds what child protection requires.
The implications of this design become sharper when placed alongside emerging policy directions. Proposals such as Karnataka’s social media ban for children under sixteen, and ongoing national-level consultations on age-gating, suggest a regulatory trajectory in which access itself becomes contingent on verifiable identity. Comparative experience offers some caution here. The United States’ Children’s Online Privacy Protection Act (COPPA), which applies to children under thirteen, has been widely studied for its unintended effects. Empirical work indicates that strict age-gating often leads to age misrepresentation, account sharing, and migration toward less regulated spaces. Recently, even Australia’s Online Safety Act (OSA), which applies to children under sixteen, has come under tremendous backlash, for not only threatening the freedom of expression, but also for its inconsistent application to specific platforms for unknown reasons. The Australian Information Security Association (AISA) has also raised cyber-security concerns, noting that mandating age verification would require numerous organizations, many of which are headquartered overseas to collect identity data, which could create a honeypot for hackers. This “silver bullet” to protect the younger demographic leads to the ignorance of a potential society-wide approach that could instead include algorithmic transparency measures, improved educational support, and even information literacy initiatives. India’s framework, with a higher threshold of eighteen, operates on a significantly broader population. The likelihood of similar evasive behaviour, false birthdates, borrowed credentials, and use of VPNs is correspondingly greater. The consequence is not that adolescents disengage from the internet. It is that they move away from regulated, observable platforms into environments that are harder to monitor and often less safe. A child protection framework must ultimately be judged by the environments it creates. If the design of regulation pushes those it seeks to protect toward less secure alternatives, the problem is not one of enforcement alone, but of reasoning at the level of the rule itself.
The constitutional problem
This gap between protective intent and actual outcomes also raises a deeper constitutional difficulty. The DPDP Act was enacted in the constitutional shadow of Justice K.S. Puttaswamy (Retd.) v. Union of India, which elevated informational privacy to the status of a fundamental right under Article 21. Puttaswamy articulated a four-pronged test, legality, legitimate aim, necessity, and proportionality. Section 9 clears three prongs easily. Child protection is a lawful and legitimate aim. Given the asymmetry of power between digital platforms and minors, some degree of regulatory intervention may indeed be necessary to secure meaningful protection in the online environment thereby satisfying the necessity requirement. However, it fails at the fourth prong of proportionality.
The proportionality prong requires that a restriction must not impose a disproportionate burden upon the rights-holder when weighed against the importance of the State objective. In other words, there must exist a proper relation between the social importance of achieving the legitimate aim and the constitutional cost imposed upon individual rights. Here, it plainly does not. Meaningful alternatives exist and have been operating in other countries. The EU’s General Data Protection Regulation (GDPR) sets the digital consent default at thirteen, permitting member states to raise it to a maximum of sixteen. The COPPA applies only below thirteen. Even Singapore, in their advisory guidelines on Personal Data Protection Act (PDPA) for children’s personal data in the digital environment, have stated that a “child between the age of 13 and 17 may give valid consent, when policies and disclosure of their personal data are readily understandable by them”. India’s blanket eighteen-year threshold is the most expansive child-consent regime among major jurisdictions, and it is the least tethered to evidence about adolescent development. Thus, Section 9 consequently imposes substantial burdens upon adolescent autonomy, informational privacy, and access to digital spaces that are increasingly integral to education, expression, and social participation, thereby violating the proportionality standard and infringing the right to privacy.
The Article 19(1)(a) dimension is equally serious. In Shreya Singhal v. Union of India, the Supreme Court read the right to receive information as integral to freedom of expression. Mandatory parental gatekeeping conditions every digital interaction on parental approval. For adolescents with parents who are abusive, absent, or simply unwilling, and for adolescent girls in households where parental knowledge of online activity is itself a form of surveillance, this does not protect their right to information. It extinguishes it. Consider the seventeen-year-old seeking reproductive health resources, mental health support, or peer communities for gender-based violence. The parental consent gate is not a safeguard for her. It is a lock.
The VPC framework violates Article 14 framework by creating an overbroad and arbitrary classification that treats unequal’s as if they were identical, while also producing deeply unequal outcomes in practice. The framework does not differentiate between younger children and adolescents, nor between children and persons with disabilities with varying levels of autonomy and decision-making capacity. It similarly fails to distinguish between low-risk and high-risk services, or between households with differing levels of digital access and literacy. By treating both minors and persons with disabilities as homogenous categories, and by positioning parental or guardian verification as a universally workable safeguard, the framework overlooks the diversity of lived realities, degrees of independence, and support needs within these groups. It collapses all Persons with Disabilities (PwDs) and individuals below eighteen into a single category of incapacity, failing to distinguish between a six-year-old and a seventeen-year-old, despite clear differences in maturity, autonomy, and decision-making ability, thereby lacking any intelligible differentia with a rational nexus to the objective of child protection. At the same time, its implementation disproportionately burdens children based on their socio-economic context, poverty, geography, gender, disability, and digital literacy. Children from rural or low-income households often lack personal devices, stable internet access, or digitally literate parents capable of completing verification requirements, while girls frequently face greater restrictions on digital access and online autonomy, thereby transforming existing digital inequalities into barriers to participation. This dual failure, formal over inclusiveness and practical discrimination, renders the framework manifestly arbitrary under the standard articulated in E.P. Royappa v. State of Tamil Nadu and reaffirmed in Shayara Bano v. Union of India, where the Supreme Court held that arbitrariness itself is antithetical to equality. A law that both erases meaningful distinctions and entrenches structural inequalities cannot withstand scrutiny under Article 14. The scheme produces these divergent outcomes not by accident but by design, because it was built for an India of full digital inclusion that does not yet exist. Consequently, the framework converts existing structural disadvantage into unequal access to digital spaces, online education, communication platforms, informational resources, and forums for expression and association, all of which increasingly constitute essential sites of social, educational, and democratic participation.
Consent fatigue
A 2008 study estimated that reading American privacy policies word-for-word would cost the nation over $781 billion annually. The conclusion is not that people should read faster. It is that privacy policies are not designed to be read, they are designed to be accepted. The structural consequence is consent fatigue: the phenomenon where individuals, overwhelmed by complex and repetitive consent requests, mechanically agree without engaging with the substance. This is not individual failure. It is an engineered outcome.
For parents under Rules 10 and 11, this fatigue operates on two simultaneous layers. There is identity verification fatigue: each time a child wishes to access a new application, the parent must restart the entire authentication cycle, DigiLocker navigation, Aadhaar authentication, OTP completion, adulthood confirmation, independently and from scratch for each platform. And there is consent fatigue: even after verification, the parent must separately review the privacy notice of every individual service, each purpose-specific and non-transferable.
Dark pattern design compounds the problem. India’s Guidelines for Prevention of Dark Patterns, 2023, acknowledge that deceptive interface design, false urgency, confirm-shaming, forced action, systematically undermines voluntary consent. The DPDP Act requires that consent be free, specific, informed, unconditional, and unambiguous. But behavioural psychology is unambiguous: status quo bias leads users to the pre-selected default; decision fatigue depletes the deliberative capacity needed for genuine evaluation. By the time a fatigued parent reaches the high-stakes consent request for a child’s data, they may no longer have the cognitive resources to meaningfully assess it. They click ‘accept.’ While the law may be technically satisfied, the child is not meaningfully safer.
Rule 11 and the ableist architecture
The most overlooked critique in this framework is the application of the same standards of Verifiable Parental Control towards Persons with Disabilities (PwDs). Rule 11 of the DPDP Rules is legally problematic because it irrationally classifies persons with disabilities on the basis of the mere existence of a lawful guardian, rather than their actual decision-making capacity, thereby conflating disability with incapacity. This approach runs contrary to the framework of the Rights of Persons with Disabilities Act, 2016, particularly Section 14, which recognises limited guardianship as a system of supported decision-making, where the individual retains autonomy and the guardian only assists, rather than substitutes, their choices. By mandating guardian consent wherever a guardian exists, Rule 11 effectively imposes a regime of substituted decision-making, stripping capable individuals (including those with purely physical disabilities or even intellectual disabilities with functional capacity) of their legal agency. This not only undermines the statutory guarantee of equal legal capacity under Section 13 of the RPwD Act, but also places India in tension with its obligations under the United Nations Convention on the Rights of Persons with Disabilities, especially Article 12, which mandates recognition of legal capacity on an equal basis and prioritises support over substitution. Consequently, Rule 11 creates an overbroad and constitutionally suspect classification, failing the test of reasonable nexus under Article 14 of the Indian Constitution by treating unequals alike, and unjustifiably curtailing decisional autonomy under Article 21, making it vulnerable to challenge as an arbitrary and regressive departure from India’s disability rights framework.
Disability exists on a spectrum. Autism, cerebral palsy, and mental retardation, the conditions specified in Rule 11’s definition, are not uniform categories. Many individuals with these conditions retain full or partial decision-making capacity for everyday digital choices. The rule cannot see this. It sees only the existence of a guardian and transfers control accordingly. Where that guardian is controlling, neglectful, or exploitative, the framework becomes a tool of coercion rather than protection. Rule 11 takes the framework’s worst instincts and applies them to the population least equipped to challenge them, and it does so while violating the very statutory provisions designed to prevent it.
Conclusion
The proposition in this article is not that child protection regulation is wrong. It is that the existing mechanism harbors uniform, identity-intensive, parent-mediated consent, and when applied to everyone below the age of eighteen, it produces structural harms that a more carefully designed framework would not. The operational realities in comparable jurisdictions that India’s rules chose not to adopt illustrate the potential effectiveness that such a rule could have in shaping adolescent autonomy.
**Abhijeet Menon and Sandhyashree Karanth are third-year students at the School of Law, RV University.
**Disclaimer: The views expressed in this blog do not necessarily align with the views of the Vidhi Centre for Legal Policy.