Navigating Minors' Data: DPDPA's Impact on Indian Edtech

The Indian digital landscape, particularly the burgeoning edtech sector, is undergoing a significant transformation with the full operationalisation of the Digital Personal Data Protection Act, 2023 (DPDPA) and the recent finalisation of the DPDP Rules, 2025. For online learning platforms catering to a young demographic, understanding and implementing the stringent provisions concerning children’s data is not merely a compliance exercise but a fundamental shift in their operational and business models.

The DPDPA’s Stance on Children’s Data

The DPDPA introduces a robust framework for safeguarding the personal data of children, defined in Section 2(c) as any individual under the age of eighteen years. This universal age threshold across India sets a clear benchmark, distinguishing it from jurisdictions like the EU, where the age of digital consent can vary. The cornerstone of the DPDPA’s approach is the explicit requirement for verifiable consent from a parent or lawful guardian (as defined in Section 2(k)) before any Data Fiduciary can process a child’s personal data (Section 9(1)). This isn’t a mere tick-box exercise; the emphasis on “verifiable” consent, which the DPDP Rules, 2025 are expected to elaborate upon, mandates robust mechanisms to confirm the identity and authority of the consenting adult.

Beyond consent, the DPDPA imposes critical prohibitions on Data Fiduciaries when dealing with children’s data. Section 9(2) expressly forbids tracking, behavioural monitoring, or targeted advertising directed at children. Furthermore, Section 9(3) prohibits any processing of a child’s data that is likely to cause harm to their well-being. This broad “harm” provision requires edtech platforms to proactively assess the potential negative impacts of their data processing activities, from addictive design elements to competitive pressures, ensuring that the digital learning environment remains beneficial and safe.

Operational Hurdles for Edtech

For edtech companies, these provisions translate into significant operational and technical challenges. The primary hurdle is implementing a truly verifiable parental consent mechanism. Methods could range from multi-factor authentication linked to a parent’s registered mobile number or email, to more robust identity verification processes. Striking a balance between verification stringency and user experience will be critical. Overly complex processes could deter legitimate users, while lax ones risk non-compliance.

Another challenge lies in age gating. How do platforms accurately determine if a user is a child without collecting excessive personal data in the first place? Self-declaration is insufficient under the DPDPA’s verifiable consent mandate. Edtech platforms must re-evaluate their onboarding flows to incorporate age verification early and effectively. Moreover, the prohibition on tracking and targeted advertising fundamentally alters how many platforms might have previously monetised or personalised content for younger users. Algorithms designed for engagement and recommendation must be re-engineered to exclude these prohibited practices for children, necessitating a shift towards context-based or curriculum-driven personalisation rather than behavioural profiling.

Beyond DPDPA: A Broader Regulatory Lens

While the DPDPA is the primary legislation for data protection, edtech platforms must also consider other relevant Indian regulations. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, particularly Rule 3(1)(b) on due diligence for intermediaries, reinforce the need for platforms to act responsibly. While these rules provide general obligations, the DPDPA offers specific, actionable mandates for personal data. Sectoral regulators like the Reserve Bank of India (RBI) might come into play for platforms handling payment data, while the Securities and Exchange Board of India (SEBI) or the Insurance Regulatory and Development Authority of India (IRDAI) could be relevant for platforms offering financial or insurance education, respectively. However, for the core issue of minors’ data processing, the DPDPA remains the most direct and impactful legislation.

Global Context and India’s Strict Approach

Compared to global benchmarks like the General Data Protection Regulation (GDPR), the DPDPA’s approach to children’s data is notably stringent, particularly with its universal 18-year age threshold. Under GDPR, the age of digital consent can be as low as 13 in some Member States, offering more flexibility. India’s decision to set a higher, uniform age underscores a clear policy intent to provide maximum protection to minors in the digital realm. This means Indian edtech platforms cannot simply port their compliance strategies from other jurisdictions but must tailor them specifically to the DPDPA’s robust requirements.

Practical takeaway: Indian edtech businesses, their General Counsels, and Data Protection Officers must undertake a comprehensive review of their data processing activities involving minors. This includes mapping all data flows, identifying where children’s data is collected and processed, and critically assessing existing consent mechanisms against the DPDPA’s “verifiable” standard. It’s imperative to redesign user onboarding to incorporate robust age and parental consent verification, and to re-engineer recommendation and personalisation engines to strictly avoid tracking, behavioural monitoring, and targeted advertising for children. Proactive impact assessments to ensure no processing activity could be deemed detrimental to a child’s well-being are also crucial. Compliance with the DPDPA is an ongoing journey that demands continuous vigilance and adaptation.