What age threshold triggers children's data protections?

The DPDP Act sets the threshold at 18 years. Any individual under 18 is considered a child, and their data requires verifiable parental consent before processing.

Can we use adaptive learning if it involves behavioural monitoring?

Section 9 prohibits behavioural monitoring directed at children. Adaptive learning features that track and profile student behaviour may need to be restructured to use aggregated, non-identifiable data instead.

How do we verify parental consent?

The Act requires "verifiable" consent. While specific mechanisms are not prescribed, methods such as guardian identity verification, OTP to registered parent number, or Aadhaar-based verification are expected to be accepted.

The NHRC has already issued notices to EdTech platforms. What does that mean for us?

In May 2026, the National Human Rights Commission issued show-cause notices to major EdTech and AI platforms over algorithmic exploitation of minors and the absence of verifiable parental consent. This is active regulatory scrutiny, separate from the DPDP penalty timeline. The defensible position is documented evidence: a verifiable parental consent record for every minor user, a record of restricted behavioural processing, and an audit trail you can produce on request. ConsentOS installs this infrastructure.

EdTech

DPDP Compliance for EdTech Platforms

In May 2026, the NHRC issued show-cause notices to major EdTech platforms over algorithmic exploitation of minors and the absence of verifiable parental consent. For this sector, enforcement is not a 2027 concern. Platforms serving users under 18 trigger the DPDP Act's Section 9 children's data protections, which require verifiable parental consent and prohibit behavioural monitoring of minors.

Critical Risk: Children's data protection obligations

350M+

Students in India's education system

4,500+

EdTech startups operating in India

250 Cr

Maximum DPDP penalty per incident

Obligations

Your DPDP Obligations as a EdTech Company

The DPDP Act 2023 imposes specific requirements based on how your organisation processes personal data. These are the obligations most relevant to edtech operations.

Verifiable Parental Consent

Section 9 requires verifiable consent from a parent or lawful guardian before processing any data of individuals under 18. Self-declaration is insufficient.

No Behavioural Monitoring

Section 9 prohibits tracking, profiling, or behavioural monitoring directed at children. Engagement analytics, personalised recommendations, and adaptive learning may require restructuring.

No Targeted Advertising

Advertising directed at children based on their personal data is prohibited. Revenue models dependent on targeted ads to minor users need alternative approaches.

Data Principal Rights

Parents exercise rights on behalf of minors under Sections 11-14. Access, correction, and erasure requests may come from parents, not the student users.

Purpose Limitation

Student data collected for education delivery cannot be repurposed for marketing, research, or product development without fresh parental consent.

Security Safeguards

Enhanced security measures are expected for children's data. Encryption, access controls, and data minimisation must reflect the sensitivity of minor user data.

Timeline

Your Compliance Roadmap

Key milestones between now and full DPDP enforcement in May 2027.

May 2026

NHRC notices issued

The National Human Rights Commission issued show-cause notices to major EdTech and AI platforms over exploitation of minors and missing verifiable parental consent. Regulatory scrutiny of children's data is active now.

Now

Identify minor user data

Determine which users are under 18 and map all personal data processing for this cohort.

Q3 2026

Parental consent system

Implement verifiable parental consent flow with age verification and guardian identity confirmation.

Q3 2026

Audit behavioural tracking

Review all analytics, personalisation, and adaptive learning features for Section 9 compliance.

Nov 2026

Consent Manager registration

Deadline to register with the Data Protection Board as a Consent Manager.

May 2027

Full DPDP enforcement

The Act is fully enforceable. Children's data violations are expected to receive priority enforcement.

Penalty Exposure for EdTech Companies

Section 33 of the DPDP Act prescribes penalties based on violation type. These are the maximum amounts per incident.

Processing children's data without parental consent Up to ₹250 Cr

Behavioural monitoring or targeted advertising to minors Up to ₹200 Cr

Failure to implement age verification Up to ₹50 Cr

Calculate your specific exposure

Recommended Plan

Growth for EdTech

Growth tier supports parental consent workflows and children's data segregation required by Section 9 for up to 500K student records.

Implementation

₹1,25,000 one-time

₹14,999 /month

Up to 500K data principals
Granular consent management
Full audit trail with exports
Priority support
Rights fulfilment workflows

Start with a free assessment Compare all plans

Resources

Essential Reading for EdTech

Deep dives into the DPDP provisions most relevant to your sector.

Compliance Areas

Children's Data Protection: Parental Consent Under DPDP in India

The DPDP Act imposes strict requirements for processing children's personal data. Verifiable parental consent, advertising restrictions, and tracking prohibitions apply to every business serving minors.

6 min read

Consent Management

DPDP Consent Management: Technical Systems for Indian Businesses

The DPDP Act 2023 makes consent the legal foundation for data processing. This is what valid consent requires, how withdrawal works, and what your systems must support.

7 min read

Data Principal Rights

DPDP Act 2023: All 8 Data Principal Rights with Templates (India)

The DPDP Act 2023 grants data principals eight enforceable rights, from access to erasure to grievance redress. Each carries a mandatory response deadline you must meet.

7 min read

Understand your edtech compliance position.

The free Compliance Vault Assessment takes 10 minutes. You receive a personalised compliance report with your score and a prioritised action list.

Get Your Free Assessment Talk to a compliance specialist