EdTech
DPDP Compliance for EdTech Platforms
In May 2026, the NHRC issued show-cause notices to major EdTech platforms over algorithmic exploitation of minors and the absence of verifiable parental consent. For this sector, enforcement is not a 2027 concern. Platforms serving users under 18 trigger the DPDP Act's Section 9 children's data protections, which require verifiable parental consent and prohibit behavioural monitoring of minors.
350M+
Students in India's education system
4,500+
EdTech startups operating in India
250 Cr
Maximum DPDP penalty per incident
Obligations
Your DPDP Obligations as a EdTech Company
The DPDP Act 2023 imposes specific requirements based on how your organisation processes personal data. These are the obligations most relevant to edtech operations.
Verifiable Parental Consent
Section 9 requires verifiable consent from a parent or lawful guardian before processing any data of individuals under 18. Self-declaration is insufficient.
No Behavioural Monitoring
Section 9 prohibits tracking, profiling, or behavioural monitoring directed at children. Engagement analytics, personalised recommendations, and adaptive learning may require restructuring.
No Targeted Advertising
Advertising directed at children based on their personal data is prohibited. Revenue models dependent on targeted ads to minor users need alternative approaches.
Data Principal Rights
Parents exercise rights on behalf of minors under Sections 11-14. Access, correction, and erasure requests may come from parents, not the student users.
Purpose Limitation
Student data collected for education delivery cannot be repurposed for marketing, research, or product development without fresh parental consent.
Security Safeguards
Enhanced security measures are expected for children's data. Encryption, access controls, and data minimisation must reflect the sensitivity of minor user data.
Timeline
Your Compliance Roadmap
Key milestones between now and full DPDP enforcement in May 2027.
May 2026
NHRC notices issued
The National Human Rights Commission issued show-cause notices to major EdTech and AI platforms over exploitation of minors and missing verifiable parental consent. Regulatory scrutiny of children's data is active now.
Now
Identify minor user data
Determine which users are under 18 and map all personal data processing for this cohort.
Q3 2026
Parental consent system
Implement verifiable parental consent flow with age verification and guardian identity confirmation.
Q3 2026
Audit behavioural tracking
Review all analytics, personalisation, and adaptive learning features for Section 9 compliance.
Nov 2026
Consent Manager registration
Deadline to register with the Data Protection Board as a Consent Manager.
May 2027
Full DPDP enforcement
The Act is fully enforceable. Children's data violations are expected to receive priority enforcement.
Penalty Exposure for EdTech Companies
Section 33 of the DPDP Act prescribes penalties based on violation type. These are the maximum amounts per incident.
Recommended Plan
Growth for EdTech
Growth tier supports parental consent workflows and children's data segregation required by Section 9 for up to 500K student records.
₹1,25,000 one-time
- Up to 500K data principals
- Granular consent management
- Full audit trail with exports
- Priority support
- Rights fulfilment workflows
Resources
Essential Reading for EdTech
Deep dives into the DPDP provisions most relevant to your sector.
Children's Data Protection: Parental Consent Under DPDP in India
₹200 crore per violation. Section 9 of the DPDP Act bans tracking, behavioural profiling, and targeted ads aimed at under-18s, even with parental consent, and requires verifiable parental consent before any processing begins.
6 min read
Consent ManagementDPDP Consent Management: Technical Systems for Indian Businesses
The DPDP Act 2023 makes consent the legal foundation for data processing. This is what valid consent requires, how withdrawal works, and what your systems must support.
7 min read
Data Principal RightsDPDP Act 2023: All 8 Data Principal Rights with Templates (India)
Access, correction, erasure, grievance, and nominee rights under the DPDP Act 2023: the response deadlines a Data Fiduciary must meet, with ready-to-use request templates.
7 min read
FAQ
EdTech compliance, answered.
What age threshold triggers children's data protections?
The DPDP Act sets the threshold at 18 years. Any individual under 18 is considered a child, and their data requires verifiable parental consent before processing.
Can we use adaptive learning if it involves behavioural monitoring?
Section 9 prohibits behavioural monitoring directed at children. Adaptive learning features that track and profile student behaviour may need to be restructured to use aggregated, non-identifiable data instead.
How do we verify parental consent?
The Act requires "verifiable" consent. While specific mechanisms are not prescribed, methods such as guardian identity verification, OTP to registered parent number, or Aadhaar-based verification are expected to be accepted.
The NHRC has already issued notices to EdTech platforms. What does that mean for us?
In May 2026, the National Human Rights Commission issued show-cause notices to major EdTech and AI platforms over algorithmic exploitation of minors and the absence of verifiable parental consent. This is active regulatory scrutiny, separate from the DPDP penalty timeline. The defensible position is documented evidence: a verifiable parental consent record for every minor user, a record of restricted behavioural processing, and an audit trail you can produce on request. ConsentOS installs this infrastructure.
Understand your edtech compliance position.
The free Compliance Vault Assessment takes 10 minutes. You receive a personalised compliance report with your score and a prioritised action list.