Sector wise readiness
Children and disability data: the layer no sector escapes
Every sector post in this series has said "not every box applies from day one." This one is different.
If you knowingly process the data of a child under 18, or of a person with a disability who has a lawful guardian, a specific set of duties applies from the very first record. There is no size gate, and there is no sector you can sit in that switches it off. The trigger is not your business. It is who the data belongs to.
That is why this one layers on top of whatever sector you are in. An EdTech platform, a gaming operator, a hospital app, a matrimonial site, all of them inherit this the moment a minor is in the data.
The baseline still applies as always
- ✅ Notice
- ✅ Consent and easy withdrawal
- ✅ Security safeguards
- ✅ Rights handling
- ✅ Grievance mechanism
- ✅ Processor contracts
- ✅ Breach response
Because the data subject is a child or a protected adult, these apply from record one
- ✅ Verifiable parental consent before any child's data is processed, with real due diligence that the "parent" is an identifiable adult, not a checkbox.
- ✅ No tracking, behavioural monitoring or targeted advertising directed at children. This is switched off unless a Fourth Schedule exemption squarely applies. It is a hard stop, not a consent setting.
- ✅ Guardian verification for persons with disability. Confirm the guardian is court, authority or local committee appointed, not merely self declared.
- ✅ Exemption mapping. If you rely on a Fourth Schedule exemption, match each claimed exemption to its exact condition. It is never a blanket waiver.
The trap the auditors look for
Age gating that still behaviourally targets verified minors. Putting an age check at the door does not fix the legal problem if your systems then profile the child anyway. The tool does not cure the breach. The prohibition does.
The better question
The better question is not "are we a children's platform that needs these rules?"
It is "could a child or a protected adult be in our data, and have we actually switched off targeting and monitoring for them?"
Law creates obligations. Scale and risk influence implementation. But these duties do not wait for scale. The moment a minor's data enters your system, they apply in full, whatever your sector and whatever your size.
Could a minor be in your data today without a verifiable parental consent behind it?