Navigating Student Data: India's DPDPA vs. FERPA and GDPR in Edtech

The rapid expansion of edtech platforms has brought into sharp focus the critical issue of student data privacy. As Indian edtech companies increasingly operate globally and international players eye the Indian market, understanding the comparative landscape of data protection laws is paramount. This analysis anchors on India’s Digital Personal Data Protection Act, 2023 (DPDPA), comparing it against the US Family Educational Rights and Privacy Act (FERPA) and the EU General Data Protection Regulation (GDPR).

Scope and Applicability

India’s DPDPA has a broad, technology-agnostic scope, applying to the processing of digital personal data within India, and to some extent, outside India if it relates to the offering of goods or services to Data Principals in India (Section 3). For edtech, this means any platform collecting student data (Data Principal) from India falls under its ambit. Unlike FERPA, DPDPA is not sector-specific but a general data protection law.

FERPA, in contrast, is a highly specific US federal law (20 U.S.C. § 1232g) that applies only to “educational agencies and institutions” that receive federal funding from the US Department of Education. Its primary focus is on “education records” and the rights of parents and “eligible students” (those 18 or attending post-secondary institutions) concerning these records. This makes its reach much narrower than DPDPA, primarily governing traditional schools and universities rather than private edtech companies unless they contract directly with such institutions.

The GDPR (Article 3) boasts the widest extraterritorial reach, applying to any processing of personal data of individuals located in the EU, regardless of where the data controller or processor is established. For an edtech company, whether Indian or American, serving students in the EU, GDPR obligations apply. While not edtech-specific, its comprehensive nature covers all aspects of personal data processing, including student data.

Compared to FERPA’s narrow focus, DPDPA and GDPR are significantly broader, encompassing a wider range of edtech activities. DPDPA’s concept of a “Significant Data Fiduciary” (Section 10), which could include large edtech platforms, introduces enhanced obligations not present in FERPA.

The DPDPA takes a particularly stringent stance on children’s data. It mandates verifiable parental consent for processing the personal data of a child, defined as anyone under 18 years of age (Section 9(1)). Crucially, it prohibits any processing that is likely to cause detriment to a child’s well-being (Section 9(3)) and explicitly bans tracking, behavioural monitoring, or targeted advertising directed at children (Section 9(4)). This makes DPDPA arguably the strictest of the three in protecting minors in the digital space.

FERPA requires parental consent for the disclosure of “education records” to third parties until the student becomes an “eligible student” (18 years old or enrolled in post-secondary education). However, it focuses more on disclosure rights rather than the broader processing activities covered by DPDPA or GDPR. It also allows for exceptions, such as disclosure to school officials with a legitimate educational interest.

GDPR requires parental consent for processing personal data of children for online services, with the age of consent set at 16, though member states can lower it to 13 (Article 8). It also emphasizes that privacy notices for children must be clear and in plain language. While robust, GDPR allows for a lower age of consent than DPDPA and does not explicitly ban tracking or targeted advertising to children, though these activities would be subject to strict consent requirements and data protection impact assessments.

Data Fiduciary/Processor Obligations and Data Subject Rights

DPDPA places significant obligations on Data Fiduciaries (Chapter III), including implementing reasonable security safeguards (Section 17), ensuring data accuracy, and adhering to data retention limits (Section 8(8)). Data Principals are granted rights such as access to information, correction, completion, updation, and erasure of their personal data (Sections 13, 14, 15). “Significant Data Fiduciaries” face additional duties like conducting Data Protection Impact Assessments and appointing a Data Protection Officer (Section 10).

FERPA’s primary obligations revolve around providing parents/eligible students the right to inspect and review education records, and to seek their amendment (20 U.S.C. § 1232g(a)). It has less explicit provisions for data security beyond requiring institutions to protect personally identifiable information (PII) from unauthorized access or disclosure. Data subject rights are limited to access and amendment of education records.

GDPR imposes extensive obligations on data controllers and processors (Articles 24-43), including data protection by design and by default (Article 25), robust security of processing (Article 32), and mandatory Data Protection Impact Assessments for high-risk processing (Article 35). It grants comprehensive data subject rights (Articles 12-22), encompassing access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, and objection to processing.

In terms of organisational obligations and data subject rights, GDPR sets a high benchmark, which DPDPA largely mirrors, especially for Significant Data Fiduciaries. FERPA, being older and sector-specific, is comparatively looser on proactive data protection obligations and broader individual rights.

The Indian Layer: RBI and IT Rules

Beyond DPDPA, Indian edtech companies must also contend with sector-specific regulations. The Reserve Bank of India (RBI) mandates data localisation for payment system operators and imposes stringent cybersecurity guidelines for regulated entities like Non-Banking Financial Companies (NBFCs). If an edtech platform processes payments or offers financial services (e.g., student loans), these RBI directives add a unique layer of compliance, often requiring data to be stored exclusively within India. This is a dimension largely absent in FERPA or GDPR, which do not have equivalent financial sector-specific data localisation mandates.

Furthermore, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, apply to edtech platforms acting as intermediaries. These rules require intermediaries to exercise due diligence, including respecting user privacy (Rule 3(1)(b)), and to inform users about their privacy policies (Rule 3(1)(k)). For “Significant Social Media Intermediaries,” additional obligations apply (Rule 4). While not directly a privacy law, the IT Rules complement DPDPA by imposing general platform responsibilities that impact student data handling.

Practical Takeaway

For Indian businesses, General Counsels, and Data Protection Officers in the edtech sector, navigating this multi-faceted regulatory landscape requires a sophisticated and layered approach. The DPDPA should be the primary anchor, demanding robust verifiable parental consent mechanisms (especially for children under 18), stringent security protocols, and clear data principal rights. For any global ambitions or operations, a thorough understanding of GDPR’s extraterritorial reach and comprehensive obligations is crucial. While FERPA may seem less relevant for purely private edtech, its principles are important if partnering with US federally-funded institutions. Finally, the unique Indian context, particularly RBI’s data localisation and IT Rules’ intermediary obligations, must not be overlooked. A “privacy by design” and “by default” strategy, coupled with regular compliance audits, will be essential to thrive in this evolving regulatory environment.

This post is licensed under CC BY 4.0 by the author.