Gimmicking the Gillick Test: Evaluating the Age of Consent under India’s DPDPA, 2023
Introduction
With the advent of the dot-com era, the vulnerability of children in digital environments has continued to increase. Specific precautions for the processing of the personal data of children are mandated by almost all data protection laws worldwide, including those recently enforced in India. However, the protection of children is a two-way street. It is imperative to recognise the vulnerability of a child, but it is also crucial to understand that no processing of a child’s personal data can occur without the child being a stakeholder. If the age of consent under a data protection framework is set excessively high, it risks jeopardising the autonomy of the child. Section 2(f) of the Digital Personal Data Protection Act, 2023 defines a “child” as an individual who has not completed 18 years of age. Consequently, Section 9(1) of the DPDPA requires data fiduciaries to obtain verifiable consent of the parent of such a child before the processing of her personal data. Despite coming from a protectionist perspective, this strict, age-based criterion often ignores the maturity of teenagers, whose understanding is usually underestimated. In this article, we examine the limitations of India’s age-based consent framework under the DPDPA. First, we trace the rationale of the Gillick competence test. Second, we argue for a capacity-based model through comparative analysis. Finally, we advocate for a revised age threshold, to assess children’s capacity to consent in the digital data protection context.
Understanding the Gillick Test
In 1985, the case of Gillick v West Norfolk and Wisbech Area Health Authority arose when a government policy that allowed doctors to give contraceptive advice to girls under 16 without parental consent in the United Kingdom (“UK”) was challenged. The House of Lords ruled that a child under 16 could consent to their own medical treatment if they had sufficient understanding and intelligence to comprehend the nature and consequences of the treatment. This ruling introduced the ‘Gillick competence’ test, which recognises that a minor’s capacity to make decisions is a matter not of age, but of maturity and understanding. Although the Gillick test originated in the UK, its logic has also found resonance in India. Indian courts have invoked similar capacity-based reasoning not only in medical treatment cases, but also in guardianship-related disputes, where the preferences of a sufficiently mature minor have been accorded due weight. In contrast, a stark departure from the Gillick test appears in the draft Medical Treatment of Terminally Ill Patients (Protection of Patients and Medical Practitioners) Bill, 2016 (“the Medical Bill”). The Medical Bill, read alongside the DPDPA, reflects India’s inclination toward a strict, age-based model that leaves no leeway for individual assessment of capacity. Under Section 2(d), an “incompetent patient” includes any minor below sixteen, any person of unsound mind, or anyone unable to understand, retain, weigh, or communicate information relevant to a medical decision. By categorically deeming every child below 16 as incompetent for medical decision-making, the Medical Bill prima facie rejects the possibility that a minor may even possess sufficient maturity or understanding to provide valid consent.
Child Consent & Data Protection: Comparative Perspectives
This rigidity, however, calls for an examination of alternative frameworks that recognise capacity rather than fixed age thresholds. One such approach is embodied in the Gillick test. Building on Gillick, J. Cobb in the case of Re S (Parent as Child: Adoption: Consent) summarised the approach and held that to be Gillick competent, a child should:
“i) Understand the nature and implications of the decision and the process of implementing that decision;
ii) Understand the implications of not pursuing the decision;
iii) Retain the information long enough for the decision-making process to take place;
iv) Weigh up the information and arrive at a decision;
v) Communicate that decision.”
This test can, by extension, be used to determine a child’s competence to consent to lawful processing of her personal data. The White Paper released by J. B.N. Srikrishna (p. 86) had supported developing, for the Indian context, a Gillick-style framework based on the UK approach to processing a child’s data. While Indian law is not unfamiliar with capacity-based assessment of children, most notably under the Juvenile Justice (Care and Protection of Children) Act, 2015 (“the JJ Act”), the structural design of such frameworks makes them incompatible with the data protection context. Section 15 of the JJ Act mandates assessments of mental and physical capacity, along with the ability to understand consequences. These assessments are typically ex post, adversarial, and exceptional in nature, aimed at attributing criminal culpability. In contrast, data protection consent is an ex-ante, rights-enabling mechanism and requires an understanding of the immediate risks and consequences of data processing that occurs regularly throughout digital activities. Moreover, under the JJ Act, the assessment of capacity is undertaken by a quasi-judicial body, namely the Juvenile Justice Board. In the data protection framework envisaged here, however, such assessments would necessarily be conducted by data fiduciaries in real time and at a massive scale. Establishing a standard framework, such as J. Cobb’s five-part Gillick test, to ‘guide’ data fiduciaries in assessing whether a child is mature enough to provide consent therefore ensures consistency.
By comparison, the data protection law in Australia adopts a subjective, case-by-case competence approach, assessing a child’s capacity to consent based on their understanding of data processing rather than a fixed age threshold. Interestingly, the criteria framed by the Office of the Australian Information Commissioner to assess the capacity of the child to consent closely align with J. Cobb’s five-part test, thereby supporting the argument that the Gillick test can very well be embedded into data protection laws. In contrast, similar to India, certain jurisdictions follow an age-based approach, prescribing a minimum age below which a parent’s or guardian’s consent is required for processing the child’s personal data, namely the United States (13; Section 312.2 of Children’s Online Privacy Protection Act of 1998), European Union (16; Article 8 of General Data Protection Regulation) and South Africa (18; Section 1 of Protection of Personal Information Act, 2013).
Building on this comparative spectrum, Singapore offers a hybrid model. The Personal Data Protection Act, 2012 (“PDPA”) adopts a dual capacity-based and practical approach to take a child’s consent for processing of her personal data. The Personal Data Protection Commission of Singapore (“PDPC”) took the view that Gillick-type competence should be applied to determine whether minors are capable of giving valid consent regarding the processing of their personal data under the PDPA. Though this has never been explicitly approved by the Singaporean court, the approach is evident as the PDPC has reiterated that “organisations should generally consider whether a minor has sufficient understanding of the nature and consequences of giving consent” in assessing whether the minor can independently and meaningfully give consent for the purposes of the PDPA.
In the Advisory Guidelines on the PDPA for Children’s Personal Data in the Digital Environment (“the PDPC Guidelines”), the PDPC holds that children aged between 13-17 can provide valid consent if the organisation’s policies on the collection, use, disclosure, and withdrawal of personal data are presented in a manner they can easily understand. However, if an organisation has reason to believe that a child lacks sufficient understanding of the nature or consequences of such consent, it should instead seek consent from the child’s parent or guardian. Evidently, this mirrors the Gillick approach. Simultaneously, the PDPC Guidelines state that if the child is under 13 years of age, the organisation is required to obtain consent from the child’s parent or guardian as per Section 14(2) of the PDPA. The PDPC does not provide a blanket age for consent but considers 13 to be an age of ‘sufficient understanding’, below which a parent or guardian’s consent is required on behalf of the child.
Granting Autonomy
In the Puttaswamy judgement, J. Sapre observed that the right to privacy is inherent from birth. Since privacy and autonomy are conceptually intertwined, a child cannot be made to wait until the age of 18 for that autonomy to be granted. While reasonable safeguards are necessary, India must proactively revisit the age of consent prescribed under the DPDPA. The adoption of Singapore’s hybrid model may provide a more balanced approach. Under such a framework, consent by parents or guardians could be mandated for children below a certain age, while those within an intermediate age band could be permitted to exercise independent consent and thus be treated as sole data principals with respect to the processing of their personal data. Nevertheless, the DPDPA retains 18 as the age of consent, for the sake of consistency with contract law. Strikingly, this remains unchanged despite the acknowledgment in the Free and Fair Digital Economy Report (p. 50) that “from the perspective of the full, autonomous development of the child, the age of 18 may appear too high.” In India, where nearly 76% of children aged 14–16 use smartphones (and engage on social media), such a high threshold can compromise autonomy.
For the reasons and arguments explored above, it is suggested that the government should lower the age of consent for data processing from 18 to 16 under the DPDPA (should 13 be regarded as too low a threshold), with the Gillick test framework applied for minors aged between 16 and 18. This choice of 16 as a threshold finds support within Indian law itself. The Medical Bill proceeds on the assumption that individuals above the age of 16 may possess sufficient understanding to participate in decisions concerning their own medical treatment, while those below 16 are deemed incompetent. If Indian law is prepared to recognise decisional capacity at 16 in the context of life-altering medical choices, it would be doctrinally inconsistent to deny similar recognition for decisions relating to the processing of one’s personal data. Exceptions can be made for certain data fiduciaries in case a higher age of consent is considered more appropriate, depending on the business context, heightened sensitivity of personal data, power imbalances etc. For instance, as the PDPC Guidelines state, an educational organisation may deem it necessary to obtain consent from parents rather than directly from the children aged 16-18.
Applying J. Cobb’s Five-Part Test
To concretise the foregoing discussion, consider a 16-year-old seeking online mental health counselling. In this context, J. Cobb’s Gillick principles may be applied to assess the child’s capacity to consent to the processing of her personal data. The assessment does not concern the decision to seek therapy, but the child’s maturity and understanding of the implications of data processing. While this illustration draws from a specific context, it is emphasised that the application of J. Cobb’s five-part test is not confined to a single domain. The same assessment framework can be applied across diverse data processing contexts involving children, including social media platforms, online gaming services, and edtech platforms, where consent similarly defines the collection, use, and disclosure of personal data. In such contexts, the nature of the information assessed under each criterion may vary, but the governing criteria remain constant.
First, whether the child understands the nature of consenting to data processing and its consequences. This includes awareness that therapy may involve disclosure of sensitive personal data, and that such data may be accessed or shared as specified in the Section 5 privacy notice. Moreover, the data fiduciary must ensure that the child understands the rights available under the DPDPA, including the right to withdraw consent at any time under Section 6(4).
Second, whether they understand the implications of not pursuing the decision. That is, refusal to provide consent as per Section 6 may restrict their ability to access certain features fully/partially (which may include personalised sessions or follow-up consultations). The data fiduciary must ensure that opting out of a service partially/fully does not have an effect detrimental to the well-being of the child as per of the DPDPA.
Third, whether they can retain this information long enough to make a reasoned decision. A situation may arise where the child gives consent under emotional distress and hurriedly clicks on “I agree”. Such a consent is based on momentary understanding and would not qualify to be ‘free’ and ‘informed’ as per Section 6(1). To assess retention, the data fiduciary may conduct a follow-up with the child 48–72 hours after initial consent to verify consistency. Where retention or capacity is reasonably doubtful, parental consent should be obtained.
Fourth, whether they can weigh up the information and arrive at a decision. That is, whether the child can evaluate the trade-off between disclosing personal information for therapy and the risks of data storage or algorithmic processing, including data retention, secondary use, or profiling, against the benefits of accessing the service. The assessment at this stage, therefore, is not whether the child makes a wise decision, but whether they can reasonably weigh the possible risks and benefits involved.
Fifth, whether they can communicate that decision clearly. Here, the data fiduciary must make sure that the communication is not limited to “clear affirmative action” (e.g., the use of tick-boxes for confirming consent) as required under Section 6(1), but can employ measures such as requiring the child to express her decision in her own words. To clarify, it is not sufficient that the child merely possesses the capacity to meet these five requirements; they must demonstrably exercise that capacity at the time of giving consent.
If the answers to all these criteria are positive, the child aged 16 would not need parental consent to process their personal data. However, if the data fiduciary is unsure whether the child possesses the capacity to give meaningful consent, they should not rely on the child’s decision and should turn to parental consent. In this sense, the child may fall within the 16–18 age bracket and yet not possess the sufficient understanding and intelligence that the law envisages in a 16–18-year-old, thus preventing the data from being processed based on their independent consent and necessitating parental authorisation instead. By contrast, had the child been 15 years old, parental consent would be mandatory, admitting no exceptions. A data fiduciary would have to formulate a capacity assessment checklist to verify that the child is not only capable in theory but is exercising her capacity while giving consent. Such a checklist may operationalise the five Gillick criteria into practical indicators, before the consent is deemed valid. The Data Protection Board under the DPDPA could issue sector-specific codes of practice for data fiduciaries to maintain uniform standards.
Conclusion
In conclusion, incorporating the Gillick test within India’s DPDPA would avoid overprotection and further affirm, in law, the autonomy to which every child is entitled. It would mark a progressive shift by recognising that capacity, rather than age alone, determines the validity of consent. A Singapore-style Gillick model would allow robust protection for younger children while acknowledging the evolving maturity of older adolescents. The Medical Bill’s assumption that individuals above 16 may possess decisional capacity in medical contexts strengthens the case for lowering the DPDPA’s age of consent from 18 to 16, with the Gillick test guiding assessments for those aged 16–18. This would align India with international best practices and ensure that children are no longer mute spectators in the privacy theatre, but protagonists shaping their own digital story.
*Nandinii Tandon is a 4th-year BA LLB (Business Law Hons.) student at the Rajiv Gandhi National University of Law, Punjab.
**Mehul Sharma is a 3rd-year BA LLB (Hons.) student at the Rajiv Gandhi National University of Law, Punjab.