PRIVO Blog

India’s Digital Personal Data Protection Act: What Global Businesses Need to Know

Written by PRIVO | 9/18/25 4:16 PM

India has passed one of the most stringent new privacy laws in the world, the Digital Personal Data Protection Act (DPDP Act, 2023) and with it, one of the strictest requirements for protecting children online. Unlike COPPA in the U.S. which requires parent consent for children under 13 or the General Data Protection Act (GDPR) in the EU and UK which requires consent for children 15 or under, India’s DPDP Act requires verifiable parental consent for all users under 18.

For companies operating globally, this regulation sets a high bar and a new compliance challenge.

What Is the DPDP Act?

The DPDP Act is India’s first comprehensive data privacy law. It applies to both Indian and foreign companies processing personal data of individuals in India. Among its many provisions, the law includes specific protections for children.

Under the Act:

  • Children under 18 are considered minors for data processing purposes.
  • Platforms must obtain verifiable parental consent before processing a child’s personal data.
  • Companies cannot track, profile, or target advertising at minors without consent.
  • Non-compliance can lead to penalties of up to ₹250 crore (~$30M USD).

Why the DPDP Act Raises the Bar

While COPPA and GDPR-K already require parental consent, the DPDP’s under-18 threshold is one of the highest worldwide. This means platforms that already comply with U.S. and EU standards must adapt their workflows for the Indian market.

Key challenges include:

  • Jurisdiction awareness — knowing which age threshold applies for which user, based on location.
  • Scalable parental consent solutions — managing higher consent volumes in large markets such as India.
  • Cross-border compliance — aligning India’s law with global standards like COPPA, GDPR-K, and the UK’s Children’s Code.

Next Steps for Businesses

If you operate apps, platforms, games, or connected products in India—or if your services are accessible to Indian users—you must:

  1. Review how you collect and process children’s data.
  2. Implement age assurance and parental consent tools that meet DPDP requirements.
  3. Ensure your workflows adapt to multiple jurisdictions (under 13 in the U.S., under 16 in the EU, under 18 in India).
  4. Prepare to demonstrate compliance to regulators.

Effective Date

India’s Ministry of Electronics and Information Technology (MeitY) released draft Digital Personal Data Protection (DPDP) Rules, 2025 on January 3, 2025, and invited public and industry feedback through February 18, 2025. Once finalized and published in the Official Gazette, the rules tied to the Data Protection Board of India are expected to take effect immediately. Other requirements will likely carry a transition period, giving organizations additional time to align with compliance obligations. However, no specific timeline has yet been confirmed in the draft.

How PRIVO Helps

PRIVO is a global leader in youth privacy assurance, with FTC-approved COPPA Safe Harbor status and two decades of experience helping companies build safe, compliant digital experiences for children and families.

Our platform is jurisdiction-aware, meaning we can help you:

✔️ Implement age assurance tools
✔️ Adapt parental consent workflows by country or region
✔️ Scale compliance for India’s under-18 threshold
✔️ Align with COPPA, GDPR-K, the Children’s Codes, Australia’s Online Safety Act, and more

DIY Consent won’t work, your online service needs infrastructure to cope with global requirements.

👉 Contact PRIVO to Learn More

Additional Resources
View full post