Home
DPDP Rules

DPDPA for Schools and EdTechs: The 2026 Guide to Children's Data Compliance

Date Published

parental consent

India's education sector processes children's data at a scale no other industry approaches. The EdTech market was valued at 3.63 billion dollars in 2025, with K-12 platforms holding 43 percent of it, and students logged over 950 million hours on primary and secondary education apps in a single year. Every one of those users under 18 is, in the eyes of the DPDP Act, legally a child.

That definition is the hinge on which everything else turns. Most global privacy regimes set the digital age of consent at 13 or 16. India sets it at 18, which means a 17-year-old preparing for JEE on a test-prep app is a child whose personal data cannot be processed without verifiable consent from a parent or lawful guardian. Section 9 of the Act, operationalised by the DPDP Rules notified in November 2025, becomes enforceable on 13 May 2027. For schools, EdTech platforms, learning management systems, tutoring apps, and proctoring vendors, the compliance build starts now, because age assurance, parent verification, and consent record infrastructure cannot be assembled in a quarter. Read: Educational Gaming Entry: What It Means for Consent and Children's Data Privacy.

The obligations also differ sharply depending on what kind of organisation you are. Schools receive narrow, purpose-tied exemptions under the Rules. EdTech platforms, in most readings, do not. Understanding that split is the single most useful thing a compliance team in this sector can do in 2026.

What Counts as Children's Data in Education

Learner data goes far beyond names and marks. A typical platform holds academic performance data (grades, test scores, progress reports), behavioural data (login frequency, click patterns, time on module, completion rates), personal and demographic details (age, contact information, language preference, sometimes parent profiles), device and technical data (IP addresses, browsers, network quality), and increasingly biometric data such as facial images and voice recordings captured during proctored exams. Some platforms also infer social and emotional signals from discussion forums and chat logs.

Under the Act, all of it is personal data of a child the moment the user is under 18. Behavioural and biometric categories carry the highest exposure, because they are exactly the categories Section 9 restricts hardest.

The Three Obligations Section 9 Creates

Section 9 does three things, and each lands differently on an education business.

First, it requires verifiable consent from a parent or lawful guardian before processing any personal data of a child. Self-declared birthdates and checkbox consents, which is how most platforms operate today, will not meet the standard.

Second, it bars tracking, behavioural monitoring, and targeted advertising directed at children. This is the provision with the deepest business model impact, because engagement optimisation, behaviour-based recommendations, and in-app nudges are standard EdTech machinery.

Third, it prohibits any processing likely to cause a detrimental effect on a child's well-being, a deliberately broad standard that regulators can apply to everything from addictive gamification loops to intrusive proctoring.

The penalty for failing these obligations sits at up to ₹200 crore under the Act's Schedule, among the highest exposure categories in the law. A breach involving children's data also compounds: the same incident can trigger the breach notification penalties and the children's data penalties together.

Rule 10 of the DPDP Rules converts verifiable parental consent from a phrase into an engineering specification. Before processing a child's data, a data fiduciary must confirm the user is a child, then verify the identity and age of the consenting parent or guardian, then capture a traceable consent linked to that verified adult.

Verification can run through three pathways: reliable identity details the fiduciary already holds, identity or age details voluntarily provided by the parent, or a virtual token issued through a government-authorised mechanism such as a DigiLocker service provider. Whichever pathway is used, the fiduciary carries the burden of proving, later and under scrutiny, that a specific verified adult consented to specific purposes at a specific time.

Operationally, that means age gating at signup, a parent verification flow, purpose-specific consent requests written in plain language (and, for a national user base, available across India's scheduled languages), withdrawal that works as easily as consent was given, and an immutable consent record that survives an audit. Bundled consents covering analytics, marketing, research, and third-party sharing in one checkbox are precisely what the framework is designed to eliminate.

Schools vs EdTech Platforms: Who Gets the Exemption

Here the framework splits the sector in two, and the split is widely misunderstood.

The Fourth Schedule to the DPDP Rules exempts specific classes of data fiduciaries from parts of Section 9, subject to tight conditions. Educational institutions, along with day care centres and caretakers, are among them: they may process children's data without the full verifiable consent machinery, and may track or monitor location, where the processing serves the educational activities, interests, or safety of the child. A school tracking its bus fleet or monitoring attendance sits inside the exemption. The same school running behavioural analytics for a commercial partner does not, because the exemptions are tied to listed purposes and expressly do not cover profiling, analytics for monetisation, or advertising.

EdTech platforms occupy far shakier ground. "Educational institution" is not crisply defined in the Rules, and there is no settled reading that extends it to commercial learning apps, test-prep platforms, or tutoring marketplaces. Until the Data Protection Board clarifies the boundary, the prudent posture for any EdTech business is the strict one: full Section 9 compliance, verifiable parental consent included.

School-platform partnerships add a second layer of ambiguity: when a school deploys an LMS or an assessment tool, who is the data fiduciary? In most arrangements, the platform determines what data is collected, how it is used, and how long it is kept, which makes the platform a data fiduciary in its own right rather than a mere processor, and primary liability follows that role. Contracts between schools and platforms need to allocate fiduciary responsibility, consent ownership, and breach liability explicitly, because ambiguity here defaults into shared regulatory exposure.

parental consent

The Learning Analytics Problem

The tracking prohibition collides directly with how modern EdTech works. Adaptive learning engines, engagement scoring, and AI-driven personalisation all rest on continuous behavioural monitoring, which is restricted when the user is a child.

The emerging line, and it will be tested through enforcement, runs between pedagogical necessity and behavioural exploitation. Performance tracking that a student and parent can see and control, progress reports, and curriculum adaptation serve the educational purpose. Psychological profiling, engagement optimisation designed to maximise screen time, predictive categorisation of a student's abilities, and any data flow into advertising sit on the wrong side. Platforms using AI in their learning products should be able to document, feature by feature, which side of that line each model operates on.

Online proctoring deserves its own review. Webcam capture, audio monitoring, screen recording, and AI behaviour analysis of a minor during an exam concentrate the highest-risk data categories into one workflow. Proportionality, explicit consent, minimal retention, and prompt deletion are the defensible configuration; always-on surveillance is not.

Consent Is the Entry Point, Governance Is the Programme

A platform that builds a flawless parental consent flow has solved the front door and nothing else. Learner data does not sit still: it flows into cloud storage, analytics tools, video conferencing services, payment gateways, and content delivery networks, and each integration is a potential leakage point that third-party contracts and audits must cover. Retention obligations under the Rules require erasure once the purpose is served, which for education businesses means defining what happens to a student's record after they leave, graduate, or turn 18. And a breach involving children's data triggers the standard dual notification duties to the Data Protection Board and affected families, with the involvement of minors likely to be treated as an aggravating factor when penalties are assessed.

This is why policy researchers, including the Observer Research Foundation in its June 2026 issue brief on learner data, argue that parental consent alone is an inadequate safeguard and that education businesses need a governance layer underneath: knowing where learner data lives, which systems and vendors touch it, and being able to prove control over the full lifecycle. Consent answers whether you may collect. Governance answers everything a regulator asks after that.

parental consent

A Compliance Roadmap for 2026

Sequencing matters, because the May 2027 enforcement date is closer than it looks once build time is counted. Map your learner data first: every category, every system, every vendor, because nothing downstream works without that inventory. Classify your users by age and close the gaps where age is unknown. Design the parent verification and consent architecture next, choosing verification pathways that match your user base's realities. Then re-review every analytics, personalisation, and proctoring feature against the tracking prohibition, and document the pedagogical justification for what stays. Renegotiate school and vendor contracts to fix fiduciary roles and breach obligations. Finally, wire the evidence layer: consent records, processing logs, retention schedules, and breach playbooks that treat children's data as the aggravated category it is. A practical checklist for minors' data compliance and a step-by-step DPDP compliance checklist can anchor the programme plan.

Where Privy Fits

Privy by IDfy is built for exactly this compliance shape. Its Consent Governance Platform handles purpose-specific consent capture, notices across India's 22 scheduled languages, symmetric withdrawal, and immutable consent artifacts, the audit trail Rule 10 effectively demands with 60M+ consent artifacts already generated at enterprise scale. Verifiable parental consent is, at its core, an identity verification problem, and that is IDfy's home ground: 14 years of verifying Indian identity documents and infrastructure that runs over 60 million verifications a month, now applied to confirming that the consenting adult is who they claim to be. Data Compass supplies the governance layer underneath, discovering and classifying learner data across systems so that retention, erasure, and breach scoping stop depending on tribal knowledge. Together with the wider compliance and risk modules, it gives schools and EdTech platforms one connected record of control, which is what MeitY's DPDP Innovation Challenge tested when IDfy won it.

Conclusion

DPDPA redraws the economics of education technology in India around a simple premise: children's data is a protected category, and the burden of proving protection sits with the organisation that processes it. Schools get a narrow, purpose-tied carve-out. EdTech platforms get a build list: age assurance, verified parental consent, a defensible analytics posture, vendor accountability, and a governance layer that can produce evidence on demand. The platforms that treat May 2027 as a product deadline rather than a legal one will be the ones still signing school partnerships on the other side of it.

To see how Privy by IDfy operationalises verifiable parental consent and learner data governance for schools and EdTech platforms, write to shivani@idfy.com for a walkthrough.

FAQ's

Who counts as a child under the DPDP Act? 

Anyone who has not completed 18 years of age. This is higher than GDPR (13 to 16, depending on the member state) and COPPA (under 13), and it pulls almost the entire school-going and test-prep user base of Indian EdTech into the children's data regime.

Do schools need verifiable parental consent for everything? 

No. The Fourth Schedule to the DPDP Rules exempts educational institutions from parts of Section 9 where processing serves educational activities or the interests and safety of the child, including location tracking for safety. The exemption is purpose-tied and does not cover profiling, commercial analytics, or advertising.

Do EdTech platforms get the same exemption as schools? 

Not on any settled reading. The Rules do not clearly extend "educational institution" to commercial learning platforms, and until the Data Protection Board clarifies the boundary, EdTech businesses should assume full Section 9 compliance, including verifiable parental consent under Rule 10.

Is learning personalisation banned for children? 

No, but it is constrained. Tracking, behavioural monitoring, and targeted advertising directed at children are barred. Personalisation that serves a documented pedagogical purpose, with transparency and parental control, is the defensible zone; engagement optimisation and predictive profiling of minors are not.

What is the penalty exposure for children's data violations? Up to ₹200 crore under the Act's Schedule for failing the Section 9 obligations. A breach involving children's data can additionally attract the breach notification and security safeguard penalties, so a single incident can stack multiple heads of liability.