India’s DPDP Act reshapes the under-18 digital economy

India’s Digital Personal Data Protection (DPDP) Act introduces new requirements for the country’s children-focused digital market. By defining all users under 18 as “children” and requiring verifiable parental consent for data processing, the law creates updated compliance obligations that affect gaming, ed-tech, advertising, and content for minors.

With identity verification processes in place, digital businesses are adapting their operations to meet these requirements while continuing to serve the under-18 audience. The math indicates that commercial viability may be challenging, and these outcomes reflect deliberate regulatory design.

A Compliance Requirement Reshaping the Economics

The DPDP Act classifies all users under 18 as a high-risk category, requiring platforms to obtain verifiable parental consent before processing their personal data. The Rules notified in November 2025 specify operational procedures for this verification and prohibit behavioural tracking, personalised advertising, profiling, and targeted content for minors.

Read On: DPDP Rules 2025: A compliance mandate that could redefine digital business

This combination significantly affects the commercial dynamics of the children’s digital ecosystem. The key inflection point lies in the cost of verifying parental identity at scale.

Aadhaar e-KYC, the most affordable government-backed verification method, costs about ₹3 per check, translating to roughly ₹30 lakh for a million verifications. Costs rise for DigiLocker or other government ID-based verification methods, with independent policy analyses and NGO assessments estimating up to ₹1.5 crore per million checks, depending on implementation complexity, fallback processes, and vendor charges. Additional human review or biometric checks can further increase per-user costs.

The financial impact is significant in a sector where average annual revenue per child user (ARPC) for ad-supported products is around ₹40. A single Aadhaar verification at ₹30 per child consumes most of that yearly revenue. If DigiLocker-based verification reaches ₹150 per child, the economics become highly challenging, as even multi-year lifetime value calculations cannot offset the cost in an ad-led model.

As a result, small gaming studios, children’s content apps, and early-stage digital publishers are reconsidering their strategy for users under 18.

Gaming Industry Begins Strategic Recalibration for Minors’ Market

Few industries depend on minors as heavily as gaming. India’s mobile gaming sector has expanded through high-frequency, low-ticket players, many under 18. The DPDP Act is prompting a reorientation of product strategies, investor perspectives, and growth plans.

Rohit Agarwal, Founder and Director of Alpha Zegus, captures this shift sharply. He notes that the Act “fundamentally raises the cost of serving under-18 users because every single data interaction now needs verifiable parental consent. That makes the sub-18 audience a structurally expensive segment, and early-stage gaming companies will find it far more viable to build for adult users where consent, optimisation and monetisation remain straightforward.” According to him, India’s unicorn pipeline is already tilting. Instead of “gaming for everyone,” the country will see “gaming built on over-18 use cases.”

Read On: Era of Dark Patterns Ends: DPDP 2025 forces a rethink of UX, consent and digital trust

This does not end the gaming unicorn story, but it changes its shape. Large companies with deeper capital reserves may still invest in children’s gaming verticals, absorbing compliance costs through economies of scale. Smaller studios, however, are expected to pivot to adult-first genres such as mid-core, strategy, real-money and skill-based games.

At a product level, the removal of behavioural tracking and personalised optimisation forces a shift in how growth is engineered. Agarwal points out that “for minors, the traditional growth engine gets switched off” because apps can no longer rely on data-driven segmentation or personalised nudges. Studios will need to compete on pure gameplay quality, transparent mechanics and family-friendly experiences while monetising primarily through adults. He describes this as a “split-model approach that balances compliance and commercial viability.”

Fresh Regulatory Rules Emerge Months After the Gaming Framework

The DPDP Act’s impact is notable because India had only recently established itself as a global gaming hub with a dedicated regulatory framework introduced earlier this year. Many companies had expected stability or only incremental changes.

But DPDP introduced one of the world’s strictest child-data regimes almost immediately afterward. As Ishan Rathi, Counsel at Sarvaank Associates, notes, while most countries define a child as under 13 or 14, “India has raised this threshold to under 18 and continues to require verifiable parental consent before any data processing takes place.” He stresses that this is not a routine compliance update but “a fundamental change in how platforms must design their user journeys, identity verification systems, data minimisation practices and consent frameworks.”

Many had anticipated a flexible, sector-specific approach for gaming, such as purpose-based permissions or tiered consent aligned with in-app behaviour. However, as Rathi notes, no exemptions or carve-outs were provided. The policy intention is clear: data belonging to minors is considered high-risk, and the government expects the ecosystem to adapt accordingly.

He flags the possibility that future updates could introduce phased compliance timelines or category-based reliefs. But as of now, the obligation applies in full. The question facing the industry is whether it can rebuild its architecture around this new reality or whether the under-18 digital segment will shrink to only a few large operators.

Read On: DPDP Act 2025: Penalties for violations can reach Rs 250 crore

Redesigning Digital Architecture Amid New Compliance Requirements

Beyond raw verification expenses, companies must also overhaul their data systems. Minors’ data must be isolated from adult environments, and technical blocks must prevent profiling, behavioural monitoring or targeted advertising.

Chirag Jain, Associate Partner at DSK Legal, emphasises that the change is far from cosmetic. Companies “must now treat all under 18 users as a high-protection category, requiring a fundamental redesign of their data architecture.” He notes that platforms will need reliable age-verification frameworks, parent-approved OTP flows, document checks or consent-manager integrations while creating segregated data environments that block prohibited processing functions. The architecture must be privacy-first at a system level, not a surface-level compliance layer.

This is a significant burden for smaller publishers or indie developers who historically operated with lean backends. Many will not have the resources to build dual data stacks for minors and adults.

Advertising Strategies Recalibrated Under New Regulations

The DPDP Act also restricts targeted advertising to minors, allowing it only in limited contexts such as education and healthcare. For the wider market, advertising must rely on aggregated or anonymised data rather than individual-level insights.

This shift is likely to reduce advertiser interest in children’s digital inventory. As Arya Tripathy, Partner at Cyril Amarchand Mangaldas, explains, platforms “will be left with the option of using aggregated and anonymised data for improving their offerings” while personalised ads and behavioural targeting will no longer be permitted. This affects every use case that previously depended on unique user profile insights and forces a “complete change in how businesses undertake outreach activities.”

For sectors such as toys, FMCG, ed-tech, apparel, and entertainment, which rely on granular segmentation, the market could see a significant adjustment.

Read On: How DPDP will rewrite growth playbooks for Indian brands

Looking Ahead: A Streamlined Kids’ Digital Market

If verification costs consume most of the annual revenue per child, many platforms may choose to age-gate users to 18 and above. Early adjustments are likely among ad-funded kids’ apps, casual games, small educational publishers, and children’s content creators.

The survivors will be firms able to manage verification costs, redesign their systems, and secure parental consent at scale. This will likely lead to a more consolidated market, where larger enterprises are best positioned to serve minors. These outcomes reflect deliberate policy choices rather than unintended effects.

The DPDP regime is designed to enhance children’s online safety, while placing the economic responsibility on platforms. This could lead to a safer digital environment, though one that is likely smaller in scale. In seeking to protect its youngest users, India may find that it has significantly reshaped, and potentially reduced, the ecosystem designed to serve them.