DPDPA Compliance for EdTech
Protecting student and children data under DPDPA 2023. Guidance for online learning platforms, schools, coaching institutes, and educational technology providers.
Critical: Children Data Processing
Section 9 of DPDPA 2023 imposes special obligations for processing children data (persons below 18 years). EdTech platforms targeting students must obtain verifiable parental consent before any processing. Violations attract penalties up to Rs 200 crore.
Who This Applies To
Online Learning Platforms
MOOCs, skill platforms, K-12 online schools
Coaching Institutes
Test prep, competitive exam coaching, tutoring
Schools & Universities
K-12 schools, colleges, universities with digital systems
Early Learning Apps
Preschool apps, children educational content
EdTech Specific Compliance Requirements
1. Verifiable Parental Consent (Section 9)
For students below 18 years, DPDPA requires verifiable parental consent. Implementation requirements:
- Age Verification: Implement mechanism to identify users below 18 years at registration
- Parental Contact: Collect verified parent/guardian contact details
- Verification Method: Email/SMS verification, video KYC, or government ID based verification
- Consent Record: Maintain auditable record of parental consent with timestamp
Note: DPDP Rules 2025 may prescribe specific methods for verifiable parental consent. Monitor MeitY notifications.
2. Prohibition on Behavioural Monitoring (Section 9(3))
Section 9(3) prohibits tracking, behavioural monitoring, or targeted advertising directed at children. For EdTech:
- No personalised advertising based on child learning behaviour
- No cross platform tracking of child user activity
- No sale of child data to third parties for marketing
- Permitted: Learning analytics for educational improvement (with parental consent)
3. Student Learning Data
EdTech platforms collect extensive learning data. DPDPA requirements:
Performance Data
Test scores, assignment grades; legitimate for educational purpose
Engagement Data
Time spent, videos watched; disclose in privacy notice
Proctoring Data
Webcam feeds, screen recordings; specific consent required
Biometric Data
Face recognition for attendance; enhanced consent and security
4. Third Party Sharing
Common EdTech data sharing scenarios:
- Schools/Institutions: Sharing progress data with enrolled institution; disclose in notice
- Parents: Access to child learning data is a Data Principal right
- Cloud Providers: Data Processor relationship; ensure Section 8(2) contracts
- Advertisers: Prohibited for children data under Section 9(3)
Distinguishing Adult and Child Users
Platforms serving both adults and minors must implement differentiated consent flows:
Adult Users (18+)
- • Standard Section 6 consent
- • Behavioural tracking permitted with consent
- • Personalised advertising permitted with consent
Child Users (Below 18)
- • Verifiable parental consent required
- • No behavioural tracking or monitoring
- • No targeted advertising
- • Parent is Data Principal
EdTech DPDPA Compliance Checklist
Compliance Deadline
All EdTech platforms must achieve full DPDPA compliance by 13th May 2027. Given the complexity of children data requirements, platforms should prioritise parental consent mechanisms.
Assess your compliance readiness →