DPDPA and Edtech: Safeguarding Minors' Data in India's Online Learning Boom

As of May 2026, India’s Digital Personal Data Protection Act, 2023 (DPDPA), along with its accompanying Rules, has fundamentally reshaped how businesses handle personal data. For the burgeoning edtech sector, which often serves a demographic predominantly comprising minors, the DPDPA introduces stringent obligations that demand a complete overhaul of data processing practices. The intersection of rapid digital learning adoption and robust data protection for children presents both significant challenges and opportunities for responsible innovation in India.

The DPDPA’s Protective Shield for Minors

The DPDPA places minors at the heart of its protective framework, recognizing their enhanced vulnerability in the digital realm. A “child” is defined as an individual under the age of eighteen years (Section 2(j)). For any processing of a child’s personal data, a Data Fiduciary (the edtech platform) must obtain verifiable consent from the parent or lawful guardian (Section 9(1)). This stands in contrast to the GDPR, which allows member states to set the age of digital consent between 13 and 16, often leading to varied compliance landscapes across Europe. India’s uniform 18-year threshold simplifies, yet also tightens, the requirement for all edtech providers operating within its jurisdiction.

Beyond consent, the DPDPA imposes critical prohibitions. Data Fiduciaries are explicitly barred from undertaking any processing of a child’s personal data that is likely to cause harm to the child (Section 9(4)). While the DPDPA does not statutorily define “harm,” the Data Protection Board of India (DPBI) is expected to interpret this broadly, encompassing not just financial or physical harm, but also psychological distress, academic pressure, or exposure to inappropriate content. Furthermore, Data Fiduciaries cannot track or monitor children’s behaviour, nor engage in targeted advertising directed at children (Section 9(3)). These prohibitions directly challenge many prevalent edtech business models that rely on profiling user behaviour for content recommendations or marketing.

The requirement for “verifiable consent” from parents or guardians (Section 9(1)) is perhaps the most significant operational hurdle for edtech companies. Simply ticking a box is no longer sufficient. Edtech platforms must implement robust mechanisms to confirm the identity and authority of the consenting parent. While the DPDPA Rules are expected to provide specific guidance, industry best practices are coalescing around methods such as Aadhaar-linked OTP verification for parents, credit card verification (though less ideal for child-centric services), or integration with school verification systems. The onus is entirely on the Data Fiduciary to demonstrate that verifiable consent was obtained.

The prohibition on tracking, behavioural monitoring, and targeted advertising (Section 9(3)) necessitates a fundamental redesign of how edtech platforms engage with their young users. Personalised learning paths, often powered by AI algorithms that track student progress and recommend resources, must be carefully re-evaluated to ensure they do not cross into prohibited behavioural monitoring. Edtech companies must also meticulously audit their advertising partnerships and internal marketing strategies to ensure no direct targeting of minors occurs. This shift will likely push edtech towards contextual advertising or parent-controlled content rather than data-driven personalisation for children.

Edtech’s Data Ecosystem: Interplay with Other Regulations

While DPDPA is the primary legislation, edtech platforms in India must also consider other relevant legal frameworks. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules, 2021), specifically Rule 3(1)(j), mandate that intermediaries exercise due diligence to prevent the hosting or publishing of information that is “harmful to a child.” This complements DPDPA’s “harm” prohibition, requiring edtech platforms to actively curate content and moderate user interactions to ensure a safe environment. Their privacy policies and user agreements must also comply with Rule 3(1)(b) and (c) of the IT Rules.

Furthermore, if edtech platforms venture into financial services, such as offering loans for courses or managing payment plans, they would fall under the purview of regulations from the Reserve Bank of India (RBI). While not directly impacting minors’ academic data, any financial data collected, even from parents on behalf of minors, would be subject to stringent RBI norms alongside DPDPA. Similarly, if platforms offer investment or insurance-linked educational products, SEBI or IRDAI regulations would apply. This multi-layered regulatory environment demands a holistic compliance strategy, with DPDPA serving as the foundational privacy layer.

Practical Takeaway

For Indian edtech businesses, General Counsels, and Data Protection Officers, DPDPA’s provisions regarding minors are not merely a compliance checklist but a call for ethical innovation. Begin by conducting a comprehensive Data Protection Impact Assessment (DPIA) specifically for all data processing activities involving children. Redesign consent mechanisms to ensure verifiable parental consent, potentially leveraging secure digital identity solutions. Crucially, audit your data collection practices to ensure data minimisation, gathering only what is absolutely necessary for the educational service. Re-evaluate business models that rely on tracking, profiling, or targeted advertising for minors, pivoting towards privacy-by-design solutions. Invest in robust data security measures and provide ongoing privacy training for all staff. Proactive adherence to DPDPA, coupled with a deep understanding of its interplay with other sectoral regulations, will be key to building trust and ensuring sustainable growth in India’s dynamic online learning landscape.

This post is licensed under CC BY 4.0 by the author.