Authored By: Mayuri Rahul Mahamuni
University of Mumbai
Abstract
The explosive growth of online ecosystems has triggered an unprecedented issue: minors are building extensive digital footprints long before they reach the cognitive maturity necessary to understand or consent to data aggregation. As natural guardians, parents must navigate an uncharted legal landscape where they are expected to manage their child’s internet presence despite the absence of a structured jurisprudence. This paper evaluates the boundaries and restrictions of parental oversight concerning a minor’s digital identity and data footprint. By examining constitutional protections, international conventions, the Digital Personal Data Protection Act, 2023, and evolving case law, this analysis demonstrates that India lacks a dedicated digital rights framework for children. Ultimately, it advocates for a principled regulatory system built around the foundational doctrine of the child’s best interests.
I. Introduction
In today’s interconnected world, a minor’s data trail begins at birth — or even earlier. Parents routinely publish ultrasound photos on social networks, healthcare facilities digitize medical records, state authorities issue digital identification, and educational institutions log student performance on cloud servers. Consequently, by the time an individual reaches adulthood, a complex network of biometric, behavioral, and demographic information has been logged, rarely involving the individual’s conscious input. This practice, often called “sharenting” when referring to parental social media posts, represents only the surface of a deep data network tracking minors from infancy.
These realities prompt urgent legal and philosophical inquiries. Does traditional parental guardianship naturally extend to internet spaces? Can a parent legally grant consent for third-party platforms to collect and monetize a minor’s data? If a parent profits from a child’s online persona — such as through sponsored social media accounts — does the minor have a legal right to stop it? Furthermore, once that minor becomes an adult, what legal control do they have over a digital identity built in their name during their youth?
The current Indian legal framework offers few clear answers. The Supreme Court of India established the right to privacy as an essential component of Article 21 of the Constitution in its landmark, unanimous nine-judge ruling in K.S. Puttaswamy v. Union of India (2017). While statutes like the Juvenile Justice (Care and Protection of Children) Act, 2015, the Protection of Children from Sexual Offences Act, 2012, and the Digital Personal Data Protection Act, 2023 (DPDP Act) regulate aspects of youth welfare, none directly resolve the clash between parental management and a minor’s developing autonomy over their data. This paper charts this legal tension and outlines a balanced path forward.
II. The Concept of Digital Identity: A Preliminary Framework
To properly analyze parental authority, it is first necessary to define the components that make up a minor’s “digital identity.” This concept can be divided into four intersecting areas.
- Technical Data: This comprises the raw identifiers and metrics collected by online entities, such as names, birth dates, device signatures, search habits, and location histories. Under the DPDP Act, 2023, personal data is defined as any information pointing to an identifiable individual — a definition broad enough to cover almost all information generated by a minor online.
- Reputational Persona: This reflects the public image and social narrative built through an online history. A child whose life is consistently documented online by a parent develops a public persona that can heavily influence their future personal relationships, career opportunities, and mental health.
- Creative Assets: This covers the unique material a child produces independently, including digital artwork, prose, videos, and music. These creations are eligible for intellectual property safeguards under the Copyright Act, 1957.
- Economic Assets: This modern category includes virtual currency, valuable in-game assets, and advertising revenue generated by child-focused social media channels. This area involves questions of fiduciary responsibility, minor contract validity, and property rights that Indian courts have yet to address.
Because each category triggers a different legal framework, evaluating parental rights requires analyzing all four simultaneously.
III. Constitutional Foundations: Privacy, Dignity, and the Child’s Personhood
The baseline for this discussion is the Constitution of India, specifically the right to privacy affirmed in the Puttaswamy judgment. Writing for the majority, Justice D.Y. Chandrachud emphasized that privacy is an inherent human right rather than an elitist luxury. This protection guarantees informational self-determination, meaning an individual retains the right to control how, when, and to what extent their personal information is shared with others.
If informational self-determination is a fundamental right, it raises a difficult question: do minors hold this right independently, and does parental authority restrict or simply guide its expression? Under Indian jurisprudence, parental guardianship — regulated by the Hindu Minority and Guardianship Act, 1956, and the Guardians and Wards Act, 1890 — is framed as a protective obligation rather than an absolute parental right. Every action taken by a guardian must prioritize the welfare of the minor as the ultimate consideration.
This focus matches India’s constitutional principles. Article 39(f) of the Directive Principles of State Policy directs the government to ensure children can develop healthily in an environment of freedom and dignity. Similarly, India’s 1992 ratification of the United Nations Convention on the Rights of the Child brings in Article 16 (prohibiting arbitrary interference with a child’s privacy) and Article 17 (ensuring access to beneficial information while protecting against harmful material).
These provisions show that a minor is an independent subject of rights, not merely an object of parental control. The constitutional goal is to ensure parental guidance is exercised in the child’s best interests — a duty that becomes far more complex in digital spaces.
IV. The DPDP Act, 2023: A Critical Analysis of the Consent Framework
The Digital Personal Data Protection Act, 2023, is India’s primary statutory data protection law. Section 9 of the Act governs the processing of minors’ personal data and introduces several important legal elements.
First, the law defines a “child” as anyone under eighteen years of age, matching the standard civil age of majority. Although straightforward, this binary threshold ignores the graduated capability models used in other legal areas. Contract law, for example, recognizes that mature minors can participate in voidable agreements. Developmental research also indicates that adolescents aged fourteen and older exhibit adult-level decision-making skills in everyday, low-stakes scenarios.
Second, Section 9(1) dictates that data fiduciaries must secure verifiable consent from a parent or legal guardian before processing a minor’s information. While this safeguard correctly assumes that young children cannot evaluate data agreements on their own, it fails to establish a standard of care for how parents use this authority. The statute does not explicitly require parents to act in the child’s best interests, lacks a system for minors to challenge parental consent choices, and offers no remedies when a parent uses consent to exploit a child commercially.
Third, Section 9(3) bans data fiduciaries from conducting behavioral tracking, user monitoring, or targeted advertising aimed at minors. If properly enforced, this rule would disrupt the business models of major tech firms. However, because the exact rules for age verification and consent are left to future executive rulemaking, Section 9 remains an incomplete law (lex imperfecta — a law lacking a fully specified enforcement mechanism) that has little practical force until those rules are formally implemented.
V. Sharenting and the Child’s Right Against Parental Digital Exploitation
The practice of sharenting highlights the direct conflict between parental choices and a child’s privacy interests. With India’s social media user base surpassing hundreds of millions, parenting blogs and family vlogs are highly lucrative categories on networks like Instagram and YouTube. Many parents run these accounts as commercial enterprises, earning significant advertising revenue from content focused entirely on their children.
This trend brings together three distinct legal issues:
| Legal Issue | Statutory / Case Law Context | Core Impact on the Child |
|---|---|---|
| Privacy Violation | Article 21 (Puttaswamy framework) | Publicizes intimate childhood milestones and daily habits globally without the child’s consent. |
| Economic Exploitation | Child Labour Act, 1986 (amended 2016) | Treats commercial content creation in home studios as unregulated child labor under Section 3A. |
| Breach of Fiduciary Duty | Nil Ratan Kundu v. Abhijit Kundu (2008) | Fails the “welfare of the minor” standard by exposing children to structural privacy and security risks for commercial gain. |
While international models offer solutions — such as France’s 2020 law mandating that earnings from child-centric content be locked in a protected trust until the minor turns eighteen — India currently has no equivalent statutory protections.
VI. Deletion, Correction, and the ‘Right to Be Forgotten’ in the Child’s Context
An important practical challenge involves an individual’s right, upon turning eighteen, to purge or correct the digital trail generated during their childhood. This concept of erasure, or the “right to be forgotten,” is beginning to gain recognition in Indian law.
Section 13 of the DPDP Act, 2023, grants data principals the right to erasure, allowing individuals to revoke consent and demand the deletion of data that is no longer required for its original purpose. Even so, the statute fails to address the transition from minority to majority. It remains unclear whether a young adult can retroactively revoke consent granted by a parent during their childhood and force platforms to delete those historical logs.
Evolving case law supports this right. In Jorawar Singh Mundy v. Union of India (2021 SCC OnLine Del 3919), the Delhi High Court noted that an individual’s power to shape their digital identity is a protected interest under Article 21, ordering search engines to de-index an old legal judgment. This logic applies strongly to young adults wanting to remove a childhood digital presence they did not choose to create.
This mirrors global standards like the European Union’s GDPR. Article 17(1)(b) of the GDPR permits data subjects to delete personal information by revoking consent, and Recital 65 emphasizes that this protection applies directly to consent given during childhood. The EU framework explicitly addresses the successor-consent issue: adults are not legally bound by the data agreements their parents signed for them during youth.
VII. Intellectual Property and the Child’s Digital Creations
A separate issue involves the intellectual property rights of content produced by minors. When a child writes a blog post, uploads digital art, or creates an online video, they are legally considered the author under Section 2(d) of the Copyright Act, 1957. Indian copyright law requires originality and human authorship, without setting a minimum age threshold.
However, Section 6 of the Hindu Minority and Guardianship Act, 1956, gives natural guardians the power to manage a minor’s affairs and execute transactions on their behalf. This allows parents to sign platform terms-of-service, license a minor’s work, or assign copyrights to corporate platforms. Current regulations do not require these assignments to benefit the child, nor do they require the resulting revenue to be placed into a trust.
This regulatory gap creates a clear risk of exploitation. Parents can permanently transfer a minor’s intellectual property to online platforms for short-term financial returns. While a court could theoretically void these agreements for failing to prioritize the child’s welfare, there is no established Indian precedent addressing this issue.
VIII. Comparative Perspectives and Legislative Reform
Global regulatory models reveal a wide range of approaches to managing youth data.
- The Children’s Online Privacy Protection Act (COPPA) bans data harvesting from children under thirteen without verified parental consent. While the Indian DPDP Act shares a similar structure, it lacks COPPA’s rigorous enforcement tools and private rights of action.
- California’s Age-Appropriate Design Code Act (2022) moves past basic parental consent by forcing platforms to design their interfaces to protect children’s safety and privacy by default.
- The UK Age Appropriate Design Code sets the threshold for digital data consent at thirteen, while Germany sets it at sixteen. This reflects a graduated view of a minor’s capacity.
By setting eighteen as a single threshold for all data interactions, India’s DPDP Act creates a practical contradiction. A seventeen-year-old can legally drive, work, and enter into voidable civil contracts, yet cannot independently consent to a website’s cookie policy. Moving to a graduated framework — allowing older adolescents to manage non-sensitive personal data while keeping parental consent for sensitive assets like financial or biometric profiles — would better match real-world developmental milestones.
IX. Towards a Child-Centric Digital Rights Framework for India
To address the systemic gaps in India’s legal structure, future updates to the law should incorporate the following core principles.
Paramountcy: Statutes should explicitly require that parental consent decisions serve the child’s best interests. Commercial contracts involving a minor’s data or creative assets should require independent oversight, similar to the judicial clearance needed for selling a minor’s physical property under the Guardians and Wards Act.
Successor Consent: At age eighteen, young adults should gain full rights to erase minority-era data. Upon turning eighteen, individuals should receive a statutory right to audit all data collected under parental consent during their minority, with the unconditional power to order its erasure or correction.
Operational Trusts: When a minor is the primary subject or creator of a profitable online account, all earnings should be placed into a statutory trust. This matches the existing labor protections used for child performers in traditional media.
Graduated Capacity: Minors aged fourteen and up should be allowed to independently manage basic, non-sensitive data. This replaces the rigid eighteen-year rule, preserving parental co-consent exclusively for sensitive assets like biometrics, healthcare logs, and financial information.
Digital Erasure as a Constitutional Right: Building on the Puttaswamy and Jorawar Singh Mundy rulings, Indian courts should recognize a child’s constitutional right to an unarchived life, ensuring their childhood errors or public profiles do not permanently compromise their adult lives.
X. Conclusion
The intersection of parental oversight and youth data privacy remains an urgent, unaddressed frontier in Indian law. While children generate enormous amounts of data and form a highly valuable demographic for online platforms, they are largely invisible within current regulatory frameworks. Their digital rights are managed entirely by adults whose financial interests do not always match their own.
The DPDP Act, 2023, provides an initial foundation, but it is incomplete. It sets up a consent framework without defining its core duties, ignores the commercial exploitation of online childhood identities, and applies a strict minority threshold at eighteen that ignores adolescent development. These are structural flaws that will affect the digital privacy of millions of minors.
The evolution of Indian digital law must be guided by a clear principle: children are not the property of their parents in the digital world any more than they are in the physical one. They are independent individuals whose information, creations, and privacy deserve protection from online platforms, strangers, and the choices of their guardians. For a legal system built on dignity and individual liberty, a comprehensive framework protecting these rights is vital.
Reference(S):
K.S. Puttaswamy v. Union of India, (2017) 10 S.C.C. 1 (India).
Nil Ratan Kundu v. Abhijit Kundu, (2008) 9 S.C.C. 413 (India).
Jorawar Singh Mundy v. Union of India, 2021 SCC OnLine Del 3919 (India).
The Digital Personal Data Protection Act, 2023, §§ 2, 9, 13, No. 26, Acts of Parliament, 2023 (India).
The Guardians and Wards Act, 1890, No. 8, Acts of Parliament, 1890 (India).
The Hindu Minority and Guardianship Act, 1956, No. 32, Acts of Parliament, 1956 (India).
The Child Labour (Prohibition and Regulation) Act, 1986, No. 61, Acts of Parliament, 1986, amended by The Child Labour (Prohibition and Regulation) Amendment Act, 2016, No. 35, Acts of Parliament, 2016 (India).
The Protection of Children from Sexual Offences Act, 2012, No. 32, Acts of Parliament, 2012 (India).
Convention on the Rights of the Child arts. 16, 17, Nov. 20, 1989, 1577 U.N.T.S. 3.
Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), art. 17, recital 65, 2016 O.J. (L 119) 1.
Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501–6506.
Loi 2020-1266 du 19 octobre 2020 visant à encadrer l’exploitation commerciale de l’image d’enfants de moins de seize ans sur les plateformes en ligne [Law 2020-1266 of October 19, 2020 on regulating the commercial exploitation of the image of children under sixteen on online platforms], Journal Officiel de la République Française [J.O.] [Official Gazette of France], Oct. 20, 2020.
California Age-Appropriate Design Code Act, Assemb. B. 2273, 2021–2022 Reg. Sess., 2022 Cal. Stat. ch. 320 (codified at Cal. Civ. Code §§ 1798.99.28–1798.99.40).
The Copyright Act, 1957, §§ 2(d), 17, No. 14, Acts of Parliament, 1957 (India).





