Navigating Privacy Risks For Edtech Platforms And Educational Institutions Under India’s Data Protection Regime: Children’s Data, Consent And Compliance

Posted On - 28 January, 2026 • By - Aniket Ghosh

Introduction: Why Children’s Data Is a Regulatory Flashpoint

India’s education ecosystem has undergone a rapid digital transformation. Online learning platforms, EdTech startups, hybrid schools, tutoring apps, assessment tools, proctoring software and learning management systems now process personal data of millions of children on a daily basis.

Student names, photographs, academic records, behavioural analytics, attendance data, learning patterns, voice recordings and even biometric identifiers have become integral to digital education models. This scale and sensitivity make children’s data one of the most closely scrutinised categories of DPDP Act compliance.

With the enactment of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the notification of the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), India has moved decisively towards a child-centric data protection framework. For EdTech platforms and educational institutions, this shift creates significant legal, operational and reputational implications.

Applicability of the DPDP Act to EdTech and Educational Institutions

Who Is Covered?

The DPDP Act applies to any entity processing digital personal data, including:

  • Online EdTech platforms and tutoring apps
  • Schools, colleges and universities using digital systems
  • Learning management system (LMS) providers
  • Online examination and proctoring platforms
  • Skill development and test-prep companies
  • After-school learning and enrichment apps

Both for-profit and not-for-profit educational institutions fall within the scope of the Act.

EdTech Platforms as Data Fiduciaries

EdTech companies typically qualify as data fiduciaries, as they determine:

  • What student data is collected
  • How it is used
  • Whether it is shared with third parties
  • How long it is retained

Third-party service providers like cloud vendors, analytics providers, video conferencing tools and assessment engines, generally function as data processors, though primary liability remains with the EdTech platform.

Large EdTech platforms with nationwide reach may be notified as Significant Data Fiduciaries (SDFs) due to volume of children’s data processed, risk of harm to minors, and use of behavioural analytics and AI tools

Children Under the DPDP Act: A Special Category of Protection

A. Definition of a Child

Under the DPDP Act, a child is any individual below the age of 18 years. This is a higher threshold than many international regimes and has far-reaching implications for EdTech businesses.

As a result:

  • A vast majority of school-going users are legally “children”
  • College preparatory and test-prep platforms may also be affected
  • Age-gating becomes a critical compliance requirement

The DPDP Act mandates verifiable parental consent before processing personal data of a child.

The DPDP Rules further require:

  • Mechanisms to verify the identity of the parent or lawful guardian
  • Records demonstrating such verification
  • Clear linkage between the consenting adult and the child

In practice, many EdTech platforms currently rely on self-declared age, generic consent checkboxes, school-level permissions. These approaches are unlikely to meet statutory standards.

Consent obtained for children’s data must be:

  • Purpose-specific
  • Clearly worded
  • Easily understandable to parents
  • Capable of being withdrawn

Bundled consents covering analytics, marketing, research and third-party sharing pose significant legal risk.

B. Mandatory Notices Under the DPDP Rules

The DPDP Rules require EdTech platforms to provide notices disclosing:

  • Categories of student data collected
  • Purpose of processing
  • Data sharing arrangements
  • Retention practices
  • Rights of the child and parent
  • Grievance redressal mechanisms

Notices drafted for adults or buried in terms of service are non-compliant when dealing with children’s data.

Prohibition on Tracking, Profiling and Targeted Advertising

A. Statutory Restrictions

One of the most consequential provisions of the DPDP Act is the restriction on tracking, behavioural monitoring and targeted advertising directed at children. For EdTech platforms, this directly affects learning analytics tools, performance profiling, behaviour-based content recommendations, and in-app nudges and gamification mechanics.

B. Business Model Impact

Many EdTech platforms rely on:

  • Data-driven personalisation
  • Engagement optimisation
  • AI-driven adaptive learning

While pedagogical personalisation may be defensible, commercial profiling and monetisation of children’s data is legally fraught. The line between “educational necessity” and “behavioural exploitation” is likely to be closely scrutinised by regulators.

High-Risk Data Practices in EdTech

A. Online Proctoring and Surveillance

Remote examination tools often involve:

  • Webcam access
  • Audio monitoring
  • Screen recording
  • AI-based behaviour analysis

Such practices raise serious concerns around:

  • Proportionality
  • Intrusiveness
  • Psychological impact on children

Without robust safeguards and explicit parental consent, these tools expose platforms to enforcement risk.

B. Biometric and Facial Recognition Data

Use of facial recognition for attendance or identity verification significantly increases compliance exposure. While not explicitly prohibited, such processing requires clear necessity justification, strong security controls, and minimal retention periods.

C. Third-Party Integrations

EdTech platforms frequently integrate with:

  • Video conferencing services
  • Cloud analytics tools
  • Content delivery networks

Each integration represents a potential data leakage point, requiring contractual and technical controls.

Data Sharing with Schools, Parents and Third Parties

A. School–Platform Data Flows

Where EdTech platforms partner with schools, ambiguity often arises around:

  • Who is the data fiduciary
  • Who is responsible for consent
  • Who bears breach liability

Clear contractual allocation of roles is essential.

B. Advertising, Sponsors and Commercial Partners

Sharing student data with advertisers, sponsors or affiliates directly or indirectly poses severe legal and reputational risks, even where anonymisation is claimed.

Data Breaches Involving Children’s Data

A. Mandatory Breach Notification

Under the DPDP Act and Rules, EdTech platforms must notify the Data Protection Board of India and the affected children and parents. Even limited breaches can trigger regulatory scrutiny due to the involvement of minors.

B. Heightened Harm Assessment

Data breaches involving children are likely to be viewed as aggravated violations, increasing the likelihood of higher penalties and corrective orders.

Penalties and Enforcement Exposure

A. Monetary Penalties

The DPDP Act allows penalties up to INR 250 crore per contravention, assessed based on:

  • Nature of data involved
  • Impact on children
  • Duration and scale of violation
  • Remedial measures taken

Children’s data violations are expected to attract stringent enforcement responses.

B. Reputational and Institutional Fallout

Beyond financial penalties, EdTech entities face:

  • Loss of parental trust
  • School partnership terminations
  • Investor scrutiny
  • Media and public backlash

In the education sector, reputational harm can be existential.

Compliance Roadmap for EdTech Platforms and Schools

1. Age-Gating and User Classification: Implement robust age-verification and user categorisation systems.

3. Purpose Limitation and Feature Review: Reassess analytics, tracking and AI tools through a child-safety lens.

4. Vendor and Integration Audits: Ensure DPDP-compliant contracts and security controls.

5. Governance and Training: Train product, pedagogy, tech and support teams on children’s data obligations.

Conclusion: Trust, Not Technology, Will Define the Future of EdTech

The DPDP Act and Rules mark a turning point for EdTech in India. The law recognises that children are not merely users, but vulnerable data principals deserving of heightened protection.

EdTech platforms that treat compliance as a design principle rather than a regulatory burden will be best positioned to earn long-term trust from parents, schools and regulators alike.