Children’s Data Under DPDPA: Why EdTech and Schools Are the Most Unprepared Sector
Introduction: The Sector That Can't Afford to Wait
India’s Digital Personal Data Protection Act (DPDPA) 2023 is not a distant regulatory horizon, it is the present reality. With the DPDP Rules 2025 now in force, organizations across every sector are scrambling to build compliance frameworks from the ground up. But one sector is beginning this journey later, less prepared, and with more at stake than almost any other: EdTech and schools.
The reason is simple. The DPDPA contains an entire dedicated framework for children’s data and EdTech platforms, along with schools, are the single largest repositories of children’s personal data in the country. From K–12 learning apps to school management systems to test-prep platforms, this sector collects names, ages, performance records, behavioral profiles, and in some cases biometric data all belonging to individuals under 18.
The stakes are enormous. Non-compliance with the DPDPA’s child data provisions can attract penalties of up to ₹200 crore per violation with a total cap of ₹250 crore per Data Fiduciary. For most EdTech companies and virtually every school in India, that figure is not just a fine. It is existential.
We break down exactly what the DPDPA demands for children’s data, why EdTech and schools are the most exposed sector, and what organizations must do right now to close the gap before enforcement begins.
What DPDPA Actually Says About Children's Data
DPDPA sets out specific obligations for every Data Fiduciary any organization that determines the purpose and means of processing personal data when that data belongs to a child. Under Indian law, a child is any individual under the age of 18.
The obligations under Section 9 are not soft guidelines.
They are hard legal duties that apply before a single byte of a child’s data can be processed:
- Verifiable parental consent must be obtained before processing a child's personal data. The word "verifiable" is critical. A passive checkbox on an app's sign-up screen will not meet this standard.
- Age verification mechanisms must be in place so that Data Fiduciaries can determine whether a user is a child before data collection begins not after.
- Behavioral tracking and targeted advertising directed at children are expressly prohibited. This is a blanket ban, not a conditional one.
- No data processing that is detrimental to a child's well-being is permitted. This is a broad, principles-based obligation with wide reach.
There is a narrow exemption pathway the government may exempt specific categories of Data Fiduciaries, such as educational institutions operating in defined capacities. But these exemptions are conditional, limited in scope, and do not function as a blanket pass for the entire sector.
The compliance bar is high. And most EdTech platforms and schools are nowhere near clearing it.
The Data Footprint of a Student: Understanding the Exposure
Before analyzing the compliance gap, it helps to understand the data exposure that EdTech creates.
Consider the data flow triggered the moment a parent downloads a learning app and registers an account for their child:
- Registration data: Full name, date of birth, school name, grade, city, and parent or guardian contact details.
- Learning and performance data: Quiz scores, assessment results, video watch time, comprehension metrics, and progress trends.:
- Behavioral data: Click patterns, session recordings, in-app navigation paths, and content preferences often fed directly into recommendation and personalization algorithms.
- Device and connectivity data: Device identifiers, IP addresses, and in some cases GPS-based location data.
- Sensitive category data: In some platforms, learning disability assessments, psychological evaluations, and medical accommodations.
Each of these data categories triggers distinct obligations under the DPDPA. Many EdTech companies are processing all of them simultaneously with no documented legal basis for doing so, no parental consent framework, and no clear data retention policy.
Five Reasons EdTech and Schools Are the Most Unprepared
1. There Is No Consent Architecture
The DPDPA demands verifiable parental consent and building the infrastructure to deliver this is a product and engineering challenge that most EdTech platforms have never attempted. You need age-detection at onboarding, a parent-child identity linkage mechanism, and a consent journey that actually confirms the consenting individual is a legal guardian.
In practice, the vast majority of EdTech apps in India use a single sign-up flow regardless of the user’s age. There is no differentiation, no age-gate, and no parental journey. Building this from scratch is not a minor feature update; it requires product redesign, legal validation, and significant backend investment.
2. Behavioral Tracking Is the Business Model
The DPDPA explicitly bans behavioral tracking of children. But for most EdTech companies, behavioral data is not a side feature, it is the core product mechanism. Adaptive learning engines, personalized content recommendations, gamification systems, and AI-powered tutors all depend on continuous behavioral profiling.
The Act creates no exception for “educational” behavioral tracking. Companies that have built their products on this foundation will face a difficult choice: rebuild their product for child users or restrict features to adults only. Either path carries serious commercial consequences.
3. Schools Do Not Realize They Are Data Fiduciaries
This is one of the most dangerous blind spots in the entire sector. Schools routinely collect children’s personal data through admission forms, CCTV systems, attendance tracking tools, health records, and third-party learning management platforms. Under the DPDPA, any entity that determines the purpose of data processing is a Data Fiduciary. Most Indian schools meet this definition every single day.
Yet most schools have never conducted a data audit, have no data retention policy, have not appointed a Data Protection Officer, and have no internal process for responding to a data principal rights request from a parent. This is not a small gapit is a near-total absence of compliance infrastructure.
4. Third-Party Data Sharing Is Undocumented
EdTech platforms rarely operate in isolation. Most share student data with analytics providers, cloud infrastructure vendors, payment gateways, assessment partners, and third-party content providers. Under the DPDPA, each of these relationships constitutes engagement with a “Data Processor” and requires documented contractual obligations that impose equivalent data protection standards on the processor.
Most EdTech companies have no Data Processing Agreements in place with their vendors, have never conducted a vendor audit, and have no visibility into whether their processors, some of which may be headquartered overseas, meet DPDPA standards. The liability, however, remains entirely with the original Data Fiduciary.
5. Resource Constraints Create a Structural Compliance Gap
The EdTech sector in India spans a vast spectrum: large listed companies at one end, and bootstrapped startups with fewer than ten employees at the other. Schools sit even further back; most have no legal counsel, no dedicated IT function, and no budget for compliance programs.
Unlike financial services or healthcare sectors that have been subject to data regulation for years and have built compliance muscle accordingly, EdTech is being asked to achieve a high compliance standard on a compressed timeline, often with minimal institutional capacity.
What Regulators Must Clarify
The compliance burden on EdTech and schools cannot rest entirely on industry. The government has open questions to answer, and the sector needs clarity urgently:
- What does "verifiable" parental consent actually require in technical terms and will there be a government-facilitated mechanism (such as a DigiLocker-linked verification flow) to enable this at scale?
- What is the exact scope of exemptions for educational institutions under Section 17, and how do they interact with school management software vendors who are clearly Data Fiduciaries in their own right?
- How should cross-border data transfer obligations be applied to EdTech platforms that rely on offshore cloud infrastructure for core product functionality?
Sector-specific guidance from the Data Protection Board of India once constituted will be essential. In the meantime, the absence of clarity is not an excuse for inaction.
The Bigger Picture: Children's Data Is Not Just a Compliance Category
Children’s data is not simply another box on a compliance checklist. It sits at the intersection of digital rights, child safety, and the future of education in India.
The behavioral data that EdTech platforms collect today is already being used to train the AI-powered learning tools of tomorrow. It will shape academic recommendations, influence college admissions processes, and, in some cases, feed into employment screening. Collected without proper safeguards, it can be used to profile young people before they have the cognitive maturity or legal capacity to understand what is being done with their information let alone consent to it.
India has one of the world’s youngest populations and one of its largest EdTech markets. The DPDPA offers a genuine opportunity to build a trusted, rights-respecting digital education ecosystem but only if this sector steps up to meet its obligations with the same urgency it applied to product growth.
The conversation around DPDPA compliance in India has so far been dominated by financial services, healthcare, and Big Tech. It is time to bring EdTech and schools into the centre of that conversation before enforcement begins, not after it does.
Conclusion: Compliance Is Not Optional It Is Urgent
At ComplyPlanet, we make this journey manageable. Our Consent Management Platform (CMP) is built to handle the complexities of verifiable parental consent and age verification right out of the box so you are not building compliance infrastructure from scratch. As your dedicated DPDPA compliance partner, we work alongside your team to conduct children’s data audits, draft watertight Data Processing Agreements with your vendors, build your policy and notice framework, and provide DPO-as-a-Service for ongoing regulatory oversight. Whether you are an EdTech startup, an established learning platform, or a school navigating these obligations for the first time we have the technolegal expertise to get you there.
Need help building a children’s data compliance framework under the DPDPA? Contact ComplyPlanet today to speak with our DPDPA experts and get your EdTech or school audit-ready.
Start early and let ComplyPlanet help you build a compliant, secure, and privacy-driven future.
Start early and let ComplyPlanet help you build a compliant, secure, and privacy-driven future.