Edtech Data Dynamics: India's DPDPA in Global Perspective
The burgeoning edtech sector, particularly in India, thrives on personal data, from academic performance and attendance to health information and behavioural patterns. As digital learning platforms become integral to education, safeguarding this sensitive student data is paramount. India’s Digital Personal Data Protection Act, 2023 (DPDPA), alongside sector-specific regulations from the Reserve Bank of India (RBI) and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules), forms a robust framework. This analysis compares India’s approach to the US Family Educational Rights and Privacy Act (FERPA) and the EU’s General Data Protection Regulation (GDPR), anchoring the discussion in the Indian context.
Defining Student Data and Scope
The DPDPA broadly defines “personal data” as any data about an individual who is identifiable by or in relation to such data (Section 2(t)). The Act itself no longer carves out a separate class of “sensitive personal data” as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 did; however, the Digital Personal Data Protection Rules, 2025, indicate that categories such as financial, health, or biometric data warrant higher protection by virtue of their nature, preserving the spirit of the 2011 rules. Edtech companies that determine the purpose and means of processing student data are “data fiduciaries” (Section 2(i)), and those notified as significant data fiduciaries (SDFs) face enhanced obligations such as appointing a data protection officer and conducting periodic audits and impact assessments (Section 10). FERPA, in contrast, specifically defines “education records” (20 U.S.C. § 1232g(a)(4)(A)) and “personally identifiable information” (PII) within those records, and applies primarily to educational agencies and institutions receiving federal funds. GDPR, like DPDPA, employs a broad definition of “personal data” (Article 4(1)) and provides for “special categories of personal data” (Article 9), including health, racial, or biometric data, offering a wider scope of protected information than FERPA. Because Indian law does not limit its scope to federally funded institutions, it reaches private edtech providers directly, whereas FERPA reaches them only indirectly through the schools they contract with.
Consent and Processing Minors’ Data
Under DPDPA, personal data may be processed only with the data principal’s consent (Sections 4(1)(a) and 6) or for one of the “certain legitimate uses” enumerated in Section 7. For children (individuals who have not completed 18 years of age, Section 2(f)), the fiduciary must obtain verifiable consent from a parent or lawful guardian (Section 9(1)). Crucially, DPDPA prohibits processing likely to have a detrimental effect on a child’s well-being (Section 9(2)) and bans tracking, behavioural monitoring, and targeted advertising directed at children outright (Section 9(3)). This makes DPDPA significantly stricter than FERPA, which requires written parental consent for disclosure of education records (20 U.S.C. § 1232g(b)(1)) but allows exceptions for school officials with a “legitimate educational interest” (20 U.S.C. § 1232g(b)(1)(A)) and for “directory information” (20 U.S.C. § 1232g(a)(5)(A)). GDPR requires a lawful basis for processing (Article 6), with consent (Article 6(1)(a)) being one option. For information society services offered directly to children, parental consent is required for those under 16, or a lower age not below 13 where Member State law so provides (Article 8). While GDPR also restricts profiling and automated decision-making involving children, DPDPA’s explicit blanket ban on tracking and targeted advertising for minors is a notably stricter stance.
Data Security, Breach Notification, and Rights
DPDPA mandates that data fiduciaries implement reasonable security safeguards to prevent personal data breaches (Section 8(5)). In the event of a breach, the fiduciary must notify the Data Protection Board of India and each affected data principal (Section 8(6)). Data principals also have rights to access, correction and erasure, and grievance redressal (Sections 11-13). GDPR is similarly robust, requiring “appropriate technical and organisational measures” (Article 32) and mandating breach notification to the supervisory authority within 72 hours where feasible (Article 33) and to data subjects where the breach is likely to result in a high risk to them (Article 34). GDPR also grants extensive data subject rights, including erasure, the “right to be forgotten” (Article 17), and data portability (Article 20). FERPA requires schools to protect the privacy of education records (20 U.S.C. § 1232g(b)(1)) but is largely silent on breach notification, leaving that to other federal or state laws. On data retention, DPDPA requires erasure once consent is withdrawn or the specified purpose is no longer being served (Section 8(7)), mirroring GDPR’s storage limitation principle (Article 5(1)(e)). FERPA is less explicit on retention limits. India’s DPDPA thus aligns closely with GDPR on security, breach notification, and data principal rights, offering a far more detailed and prescriptive regime than FERPA.
Cross-Border Transfers and Ancillary Indian Regulations
DPDPA adopts a “blacklist” approach to cross-border transfers: personal data may be transferred to any country or territory outside India except those to which the Central Government restricts transfer by notification (Section 16(1)), and any stricter localisation requirement under another Indian law continues to apply (Section 16(2)). By default this is more permissive than GDPR’s Chapter V (Articles 44-50), which permits transfers only on the basis of an adequacy decision, appropriate safeguards such as standard contractual clauses (SCCs) or binding corporate rules (BCRs), or a narrow derogation; the practical effect for an Indian fiduciary, however, is that the permitted destinations can change by government notification at any time. FERPA primarily addresses domestic data handling and contains no explicit provisions on international transfers, though schools remain responsible for compliance when education records are shared with third-party providers abroad.
Beyond DPDPA, Indian edtech companies must also navigate the RBI’s data localisation directives, particularly for payment system data, which often requires storing payment-related information within India. This adds a layer of complexity not directly mirrored in FERPA or GDPR, which do not impose blanket data localisation requirements for all types of data. Furthermore, the IT Rules, 2021, impose due diligence obligations on intermediaries, including grievance redressal mechanisms and content moderation duties, which can indirectly impact how edtech platforms handle user-generated content and associated student data. This multi-layered regulatory environment makes India’s privacy landscape for edtech particularly intricate.
Practical takeaway
For Indian businesses, General Counsels, and Data Protection Officers in the edtech sector, the DPDPA, complemented by the RBI directives and the IT Rules, necessitates a comprehensive compliance strategy. Prioritise granular, verifiable parental consent for minors, especially given DPDPA’s prohibition on tracking, behavioural monitoring, and targeted advertising aimed at children. Implement robust technical and organisational security measures alongside clear breach notification protocols covering both the Data Protection Board and affected data principals. Review data retention policies to ensure data is erased once consent is withdrawn or its purpose is served. Critically, understand the DPDPA’s cross-border transfer provisions, monitor the countries to which the Central Government restricts transfers, and remember that sectoral localisation rules still apply. Finally, integrate DPDPA compliance with existing obligations under the RBI for payment data localisation and the IT Rules for intermediary due diligence, ensuring a holistic approach to student data protection.