DPDPA Rule 12: Conditional Exemptions for Processing Children’s Personal Data

DPDPA Rule 12: Conditional Exemptions for Processing Children’s Personal Data

Processing children’s data in India requires strict controls. Discover how DPDP Act Rule 12 offers conditional exemptions to verifiable parental consent.

Himanshu Jotwani

Written by

Himanshu Jotwani

Date

Read time

6 min

What Rule 12 Covers

Processing children data in India under the DPDP Act usually means hitting a wall of verifiable parental consent. DPDP Act Rule 12 offers a door through that wall. But it is not a free pass. It is a highly conditional trade-off.

Rule 12 of the Digital Personal Data Protection Rules 2025 creates limited, conditional exemptions from specific obligations in Section 9 of the Act when processing the personal data of a child (defined as any person under 18 years).

Specifically, the exemptions target Section 9 sub-sections (1) and (3). In practice, this means relief from the DPDP verifiable parental consent regime and its related prohibitions, including the strict restrictions on behavioural tracking and targeted advertising for children.

These are not blanket waivers. They apply only if:

  • The processing is done by a class of Data Fiduciaries listed in Part A of the Fourth Schedule, or
  • The processing is for a purpose listed in Part B of the Fourth Schedule.

And in either case, all stated conditions in the relevant Part must be satisfied.

Where Exemptions Apply

There are two pathways to bypass the standard consent requirements.

Illustration showing two pathways for exemptions under DPDP Act Rule 12: entity-based and purpose-based.

1) Entity-based exemptions under Part A of the Fourth Schedule:

  • Examples include hospitals or healthcare establishments, schools or educational institutions, day-care or creches, and child-transport services.
  • The relief focuses on the verifiable parental consent requirement for activities intrinsic to those entities, provided all conditions in the Schedule are met.

2) Purpose-based exemptions under Part B of the Fourth Schedule:

  • Examples include emergency medical care, child safety monitoring, statutory compliance, or narrowly defined research or archival purposes.
  • The relief targets the specific purpose and is available only if the purpose is strictly necessary and all listed conditions are implemented.

If your entity or purpose is not listed, or the conditions are not met, the standard Section 9 obligations apply in full. No exceptions.

Conditions You Must Meet

Rule 12 is built on safeguards. Relying on it requires you to satisfy and evidence several controls. You cannot just claim an exemption; you have to prove you earned it.

  • Necessity and proportionality: The processing must be strictly necessary for the listed entity function or purpose. Anything beyond the minimum needed scope or duration will undermine the exemption.
  • Data minimisation and purpose limitation: Collect and process only what is needed for the permitted activity. Do not repurpose the data. Do not expand use cases without a fresh analysis and, if needed, full Section 9 compliance.
  • Documentation and DPIA: Maintain clear documentation of the legal basis and the exemption relied upon. Conduct Data Protection Impact Assessments where required. Significant Data Fiduciaries face enhanced reporting and audit duties.
  • Safeguards and transparency: Implement technical and organisational measures aligned with the risk to the child. Provide clear notices where feasible, and ensure explicit purpose binding across systems and vendors.

The exemption narrows obligations under Section 9(1) and 9(3) only. Other duties under the Act continue to apply.

Practical Implementation

Start by operationalising the age threshold at 18. Your onboarding, age verification, notices, and consent flows must be designed to reliably identify children and trigger either the standard consent regime or a tightly controlled exemption workflow.

Translate Rule 12 into day‑to‑day controls:

  • Build decision points into intake flows. If the entity or purpose qualifies under the Fourth Schedule, route the case to an exemption pathway with minimised data fields and standard justifications.
  • Suppress behavioural tracking and targeted advertising by default for child profiles. Activate only if an exemption clearly allows it and all conditions are locked in. Most organisations should assume these activities remain off-limits.
  • Enforce access controls and segregation. Limit access to teams and systems that genuinely need the data for the exempt activity.
  • Implement retention limits that match the specified purpose. Automate deletion or irreversible anonymisation once the purpose is complete. A retention policy that relies on someone remembering to hit “delete” is not a control,it is a liability.

Boundary Conditions You Cannot Ignore

Illustration showing boundary conditions for processing children’s data under DPDP Act Rule 12 exemptions.
  • No blanket pass: The exemption applies only to the specific listed entity class or defined purpose. Anything outside that scope reverts to full Section 9 compliance.
  • Conditions are not optional: If you cannot show necessity, proportionality, minimisation, and safeguards, the exemption fails.
  • Purpose drift voids the exemption: Secondary use, analytics beyond the permitted scope, or combining child data with other datasets for marketing will breach the Rules.
  • Vendors and processors bind you: Your processors must be contractually barred from secondary use, including targeted advertising or profiling, unless the Rules explicitly allow it and you have satisfied all conditions.

Steps for Counsel and Compliance Teams

Use a structured approach that can withstand regulatory review.

1) Map child data processing:

Catalogue all activities involving individuals under 18. Classify each activity under Part A entity-based or Part B purpose-based categories, or mark as non-exempt.

2) Apply a strict necessity test:

For each exempted activity, document why verifiable parental consent is impracticable or unnecessary and how the processing is narrowly tailored to the schedule entry.

3) Embed DPIAs and audits:

Run DPIAs where indicated. Track risks, mitigations, and outcomes. Significant Data Fiduciaries should schedule annual audits and maintain evidence of remedial actions.

4) Lock down safeguards:

Implement role-based access, encryption at rest and in transit, and logging. Establish retention schedules aligned to each exempt purpose and automate enforcement.

5) Set processor requirements:

Include explicit clauses prohibiting secondary use, behavioural tracking, or targeted advertising unless a listed exemption clearly permits it and you have met all conditions.

6) Maintain channels and evidence:

Keep complaint and grievance processes active and responsive. Maintain processing records, DPIAs, notices, and training logs. Be ready to justify reliance on any exemption to the regulator or a court.

How Regulators Will Evaluate Your Reliance on Rule 12

Regulators will not take your word for it. Their review will focus on whether:

  • Your activity fits precisely within a Part A entity category or a Part B purpose.
  • You applied necessity and proportionality in good faith, with written, contemporaneous evidence.
  • You respected data minimisation and purpose limitation without function creep.
  • Your safeguards matched the risk and were actually implemented, not just written on paper.
  • You monitored vendors and prevented prohibited secondary uses.

Non-compliance can trigger enforcement, fines, and reputational damage. The safest position is to treat Rule 12 as a narrow tool for specific, high-need scenarios, not as routine cover for convenience.

What Changes in Practice

For listed entities and purposes, you may process children’s data without the full parental verification step under Section 9 when the conditions are met. This can speed up emergency care, essential school operations, child safety responses, and certain statutory tasks.

What does not change is your accountability. You still need to document the legal basis, maintain safeguards, keep data use within strict boundaries, and be audit ready. If you are unsure that your case fits the schedule entry and its conditions, default to full Section 9 compliance.

Closing

The text of Rule 12 is brief, but the execution is not. The burden shifts from collecting verifiable parental consent to proving necessity, proportionality, and control. That requires disciplined mapping, evidence-driven DPIAs, and tight operational safeguards.

At Regodit, we know that proving compliance is often harder than achieving it. We provide a structured way to manage this shift. Regodit helps teams map child-related processing, anchor each activity to a lawful path, lock in retention and access controls, and retain the evidence you need when questions come.

If you want a clear, operational playbook for Rule 12 and Section 9, explore how Regodit can help your team implement it with discipline. Schedule a discussion to review your use cases and set up a defensible approach.

Disclaimer: The views and explanations shared in this blog are based on our team's understanding of the relevant compliance frameworks. While every effort has been made to ensure accuracy, readers are encouraged to refer to the original legal provisions and official notifications for authoritative guidance. Please reach out to us at connect@solsphere.ai.

Keep reading

All blogs →