Skip to main content

EdTech

DPDP Compliance for EdTech Platforms

In May 2026, the NHRC issued show-cause notices to major EdTech platforms over algorithmic exploitation of minors and the absence of verifiable parental consent. For this sector, enforcement is not a 2027 concern. Platforms serving users under 18 trigger the DPDP Act's Section 9 children's data protections, which require verifiable parental consent and prohibit behavioural monitoring of minors.

Critical Risk: Children's data protection obligations

350M+

Students in India's education system

4,500+

EdTech startups operating in India

250 Cr

Maximum DPDP penalty per incident

Obligations

Your DPDP Obligations as a EdTech Company

The DPDP Act 2023 imposes specific requirements based on how your organisation processes personal data. These are the obligations most relevant to edtech operations.

Verifiable Parental Consent

Section 9 requires verifiable consent from a parent or lawful guardian before processing any data of individuals under 18. Self-declaration is insufficient.

No Behavioural Monitoring

Section 9 prohibits tracking, profiling, or behavioural monitoring directed at children. Engagement analytics, personalised recommendations, and adaptive learning may require restructuring.

No Targeted Advertising

Advertising directed at children based on their personal data is prohibited. Revenue models dependent on targeted ads to minor users need alternative approaches.

Data Principal Rights

Parents exercise rights on behalf of minors under Sections 11-14. Access, correction, and erasure requests may come from parents, not the student users.

Purpose Limitation

Student data collected for education delivery cannot be repurposed for marketing, research, or product development without fresh parental consent.

Security Safeguards

Enhanced security measures are expected for children's data. Encryption, access controls, and data minimisation must reflect the sensitivity of minor user data.

Timeline

Your Compliance Roadmap

Key milestones between now and full DPDP enforcement in May 2027.

May 2026

NHRC notices issued

The National Human Rights Commission issued show-cause notices to major EdTech and AI platforms over exploitation of minors and missing verifiable parental consent. Regulatory scrutiny of children's data is active now.

Now

Identify minor user data

Determine which users are under 18 and map all personal data processing for this cohort.

Q3 2026

Parental consent system

Implement verifiable parental consent flow with age verification and guardian identity confirmation.

Q3 2026

Audit behavioural tracking

Review all analytics, personalisation, and adaptive learning features for Section 9 compliance.

Nov 2026

Consent Manager registration

Deadline to register with the Data Protection Board as a Consent Manager.

May 2027

Full DPDP enforcement

The Act is fully enforceable. Children's data violations are expected to receive priority enforcement.

Penalty Exposure for EdTech Companies

Section 33 of the DPDP Act prescribes penalties based on violation type. These are the maximum amounts per incident.

Student data breach (failure to implement safeguards) Up to ₹250 Cr
Processing children's data without verifiable parental consent Up to ₹200 Cr
Behavioural monitoring or targeted advertising to minors Up to ₹200 Cr
Calculate your specific exposure

Recommended Plan

Growth for EdTech

Growth tier supports parental consent workflows and children's data segregation required by Section 9 for up to 500K student records.

Implementation

₹1,25,000 one-time

₹14,999 /month
  • Up to 500K data principals
  • Granular consent management
  • Full audit trail with exports
  • Priority support
  • Rights fulfilment workflows

FAQ

EdTech compliance, answered.

What age threshold triggers children's data protections?

The DPDP Act sets the threshold at 18 years. Any individual under 18 is considered a child, and their data requires verifiable parental consent before processing.

Can we use adaptive learning if it involves behavioural monitoring?

Section 9 prohibits behavioural monitoring directed at children. Adaptive learning features that track and profile student behaviour may need to be restructured to use aggregated, non-identifiable data instead.

How do we verify parental consent?

The Act requires "verifiable" consent. While specific mechanisms are not prescribed, methods such as guardian identity verification, OTP to registered parent number, or Aadhaar-based verification are expected to be accepted.

The NHRC has already issued notices to EdTech platforms. What does that mean for us?

In May 2026, the National Human Rights Commission issued show-cause notices to major EdTech and AI platforms over algorithmic exploitation of minors and the absence of verifiable parental consent. This is active regulatory scrutiny, separate from the DPDP penalty timeline. The defensible position is documented evidence: a verifiable parental consent record for every minor user, a record of restricted behavioural processing, and an audit trail you can produce on request. ConsentOS installs this infrastructure.

Understand your edtech compliance position.

The free Compliance Vault Assessment takes 10 minutes. You receive a personalised compliance report with your score and a prioritised action list.