Would you let your 13-year-old sign a legal contract without a parent present? As a parent myself, for me, the answer would be a resounding “no.” Yet every day, millions of children effectively do exactly that online.
A quick change in a birth year. One click on “I agree.” And suddenly, a minor becomes an adult in the eyes of the internet.
Across India, children interact with digital platforms designed for adults — not because companies intend it, but because verifying age online is far harder than it sounds. And this raises a far bigger question for India’s digital economy:
Are we protecting children online or simply pretending to?
Because if age verification relies largely on self-declaration, the entire system rests on an uncomfortable assumption: that children will tell the truth when the internet asks how old they are.
This quiet gap between policy intent and digital reality sits at the heart of one of the most important debates triggered by India’s Digital Personal Data Protection Act (DPDP).
Should we protect children through bans and restrictions?
Or through infrastructure that makes responsible digital participation possible?
This is the “Ban vs Infrastructure” debate now emerging across India’s digital ecosystem.
The law is clear. The internet is not
The DPDP framework takes a strong position on children’s data.
Platforms must obtain verifiable parental consent before processing a child’s personal data. The law also prohibits behavioural tracking, monitoring, and targeted advertising directed at minors.
These protections are not just necessary — they are overdue. India now has one of the world’s largest populations of young internet users, and children are increasingly growing up as digital natives.
But translating these rules into real-world digital experiences is far more complicated than the law itself.
Consider the first step in compliance: determining whether a user is a child in the first place.
Today, most digital platforms still rely on self-declared age fields. A user simply enters their birth date when signing up.
The system assumes honesty.
Anyone who has ever watched a teenager create an account knows how fragile that assumption is.
A different birth year.
One click.
The internet now believes a minor is an adult.
From a regulatory standpoint, that creates a fragile ecosystem where the burden of verification effectively rests on the honesty of a child.
The three-step challenge of protecting children online
Operationally, implementing children’s data protections requires platforms to solve three distinct problems.
First is age assurance — determining whether a user is a minor.
Second is parental invitation — identifying and inviting a parent or guardian to approve access.
Third is verifying that the person granting consent is actually an adult.
Each step introduces technical complexity and product friction.
Without reliable verification systems, platforms risk accepting consent from another minor pretending to be a parent.
At scale, these challenges become even more difficult. Large consumer platforms manage millions of user sign-ups every day, making manual verification impossible.
The result is a difficult balancing act between compliance, usability, and privacy.
Why bans are gaining traction globally
When verification mechanisms are weak, regulators often respond with restrictions.
Globally, policymakers are increasingly exploring stronger guardrails around children’s digital access.
The UK’s Information Commissioner’s Office fined TikTok £12.7 million in 2023 for allowing children under 13 to access the platform without adequate parental consent mechanisms. In the United States, regulators have repeatedly enforced the Children’s Online Privacy Protection Act (COPPA) against companies that failed to properly verify parental authorisation.
Closer to home, discussions around restricting minors’ access to certain digital services have also surfaced in India.
On the surface, these restrictions appear protective.
But bans introduce their own complications.
Platforms may respond by blocking younger users entirely to avoid regulatory exposure. Others may adopt heavy-handed verification processes, collecting even more sensitive personal data such as government IDs or financial details.
Ironically, attempts to protect children’s privacy can sometimes lead to greater data collection and surveillance.
The infrastructure alternative
There is another way to approach the problem.
Instead of forcing every platform to individually solve age verification and parental consent, India could treat children’s data protection as an infrastructure challenge.
India has already shown the world how digital public infrastructure can solve trust problems at population scale.
Identity verification through Aadhaar.
Real-time payments through UPI.
Consent-based financial data sharing through the Account Aggregator ecosystem.
These systems succeeded because they created shared trust rails that multiple industries could rely on.
Children’s data protection may ultimately require a similar approach.
Imagine a privacy-preserving consent layer where a parent verifies their relationship with a child once through a regulated entity. From there, they can manage permissions across multiple digital services through a single interface.
Platforms would receive confirmation that parental consent exists — without needing to collect or store sensitive identity documents themselves.
This approach aligns with a core principle of privacy engineering: the safest data is the data you never collect.
Guardrails need rails
None of this suggests that restrictions are unnecessary.
The DPDP Act rightly prohibits behavioural tracking and targeted advertising directed at children. Those boundaries are essential.
But regulation alone cannot guarantee outcomes.
Without reliable systems to determine age and verify parental consent, enforcement becomes inconsistent and compliance fragmented.
The real lesson from the global debate is not that we must choose between bans and infrastructure.
It is that effective digital regulation requires both.
Guardrails define what companies must not do.
Infrastructure ensures those guardrails can actually work.
As India’s privacy regime moves from legislation to implementation, the real test will not be the strength of the law alone — but the systems we build to support it.
Because when it comes to protecting children online, laws set the intent.
But infrastructure delivers the outcome.
(Ashok Hariharan, CEO and Co-Founder, IDfy.)
Views are personal, and do not represent the stand of this publication.