EdTech
DPDP Compliance for EdTech Platforms
Platforms serving users under 18 trigger the DPDP Act's enhanced children's data protections. Section 9 requires verifiable parental consent and prohibits behavioural monitoring of minors.
350M+
Students in India's education system
4,500+
EdTech startups operating in India
250 Cr
Maximum DPDP penalty per incident
Obligations
Your DPDP Obligations as a EdTech Company
The DPDP Act 2023 imposes specific requirements based on how your organisation processes personal data. These are the obligations most relevant to edtech operations.
Verifiable Parental Consent
Section 9 requires verifiable consent from a parent or lawful guardian before processing any data of individuals under 18. Self-declaration is insufficient.
No Behavioural Monitoring
Section 9 prohibits tracking, profiling, or behavioural monitoring directed at children. Engagement analytics, personalised recommendations, and adaptive learning may require restructuring.
No Targeted Advertising
Advertising directed at children based on their personal data is prohibited. Revenue models dependent on targeted ads to minor users need alternative approaches.
Data Principal Rights
Parents exercise rights on behalf of minors under Sections 11-14. Access, correction, and erasure requests may come from parents, not the student users.
Purpose Limitation
Student data collected for education delivery cannot be repurposed for marketing, research, or product development without fresh parental consent.
Security Safeguards
Enhanced security measures are expected for children's data. Encryption, access controls, and data minimisation must reflect the sensitivity of minor user data.
Timeline
Your Compliance Roadmap
Key milestones between now and full DPDP enforcement in May 2027.
Now
Identify minor user data
Determine which users are under 18 and map all personal data processing for this cohort.
Q3 2026
Parental consent system
Implement verifiable parental consent flow with age verification and guardian identity confirmation.
Q3 2026
Audit behavioural tracking
Review all analytics, personalisation, and adaptive learning features for Section 9 compliance.
Nov 2026
Consent Manager registration
Deadline to register with the Data Protection Board as a Consent Manager.
May 2027
Full DPDP enforcement
The Act is fully enforceable. Children's data violations are expected to receive priority enforcement.
Penalty Exposure for EdTech Companies
Section 33 of the DPDP Act prescribes penalties based on violation type. These are the maximum amounts per incident.
Recommended Plan
Growth for EdTech
Growth tier supports parental consent workflows and children's data segregation required by Section 9 for up to 500K student records.
₹75,000 one-time
- Up to 500K data principals
- Granular consent management
- Full audit trail with exports
- Priority support
- Rights fulfilment workflows
Resources
Essential Reading for EdTech
Deep dives into the DPDP provisions most relevant to your sector.
Children's Data Protection Under the DPDP Act 2023
The DPDP Act imposes strict requirements for processing children's personal data. Verifiable parental consent, advertising restrictions, and tracking prohibitions apply to every business serving minors.
6 min read min read
Consent ManagementConsent Management Under the DPDP Act: What Indian Businesses Must Implement
The DPDP Act 2023 makes consent the legal foundation for data processing. This is what valid consent requires, how withdrawal works, and what your systems must support.
7 min read min read
Data Principal RightsData Principal Rights Under the DPDP Act: What Your Customers Can Demand
The DPDP Act 2023 grants individuals enforceable rights over their personal data. Every Indian business must build systems to honour these rights within defined timelines.
7 min read min read
Understand your edtech compliance position.
The free DPDP Gap Assessment takes 10 minutes. You receive a personalised compliance report with your score and a prioritised action list.