Between Protection and Paternalism: Reconceptualising Children’s Data Rights under the DPDP Act, 2023

Section 9 of the Digital Personal Data Protection Act, 2023 establishes a regime for the processing of children's personal data that is, at first glance, among the most protective in the world. Every individual under eighteen is treated as a "child"; verifiable parental consent is mandatory; tracking, behavioural monitoring, and targeted advertising directed at children are categorically prohibited. The Digital Personal Data Protection Rules, 2025—notified on 13 November 2025—operationalise this regime through Rule 10, which channels parental consent verification through DigiLocker and a virtual-token architecture anchored in government-issued identification. This article argues that the Indian regime, beneath its protective surface, is substantially paternalistic. By treating every adolescent as a child until the eve of her eighteenth birthday, by requiring verifiable parental consent uniformly across the entire under-eighteen population, and by routing verification through state-issued identification, the regime forecloses the participatory and autonomy-respecting dimensions of children's rights that the United Nations Convention on the Rights of the Child and General Comment No. 25 (2021) on Children's Rights in Relation to the Digital Environment have placed at the centre of the international consensus. Drawing on the doctrine of evolving capacities, comparative regimes (COPPA, GDPR Article 8, the UK Age-Appropriate Design Code), and the constitutional framework of Articles 14 and 21 as elaborated in Puttaswamy, this article proposes a reconceptualisation of children's data rights in India: from a paternalistic regime of binary consent to a tiered, evolving-capacities-based architecture that recognises the participation, autonomy, and access rights of adolescents alongside the protection of younger children.