
Industry guide · #4 most exposed · Critical risk

DPDP Act for Edtech in India

Edtech platforms — K-12, test-prep, tutoring marketplaces, coding bootcamps for minors — sit at the intersection of children’s data and engagement-driven user growth. The DPDP Act sets the bar at 18, which means every Indian-facing edtech with a meaningful under-18 user base is a children’s-data processor with stricter duties than under GDPR or COPPA.

Penalty exposure cap

₹200 cr

Section 9 children-specific failures sit in the ₹200 cr band — second highest after Section 8 security. The Section 33(2) gravity factor amplifies penalties because the affected principals are minors.

Realistic effort

120–280 hrs (6–14 weeks)

Engineering + Product + Privacy + School Liaison (if B2B)

Annual budget

₹5–18 lakh / yr for tooling, parental-verification provider, DPO

Tooling + DPO retainer + audit

Sector regulators

MoE (UGC, AICTE, NCERT) · CERT-In

Stack on top of DPDP — comply with both

Why this industry

How DPDP hits Edtech differently

Section 9 is the strictest section of the Act — it bans behavioural tracking and targeted ads at minors outright, with no consent override. Verifiable parental consent is engineering-heavy: a checkbox does not count. Edtech is a top-three SDF candidate under MeitY’s open-ended Section 10 criteria.

What you must do

Specific DPDP obligations for this sector

Section 9

Verifiable parental consent before any child data collection

A checkbox is not consent. Workable methods: parent payment (₹1 refund), DigiLocker, government-ID OTP, signed authorisation.

Section 9(1)(b)

No behavioural tracking of minors

No analytics, no engagement scoring, no recommendation algorithms feeding on minor behaviour. Outright prohibition.

Section 9(1)(c)

No targeted advertising at children

Cannot show personalised or interest-based ads to under-18 users. Includes upsells inside the product itself.

Section 5 + Section 9

Age-determination flow before consent capture

Self-attestation is acceptable only if no signal suggests otherwise. School-domain emails, age fields and in-app behaviour all imply you should verify.

Section 8(7)

Retention limited to learning purpose

Keep records only as long as needed for the educational service — alumni marketing requires re-consent.
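
The obligations above can be expressed as one per-session gate. This is an added example, not checkDPDP's code or anything defined by the Act: the `user` field names, the method identifiers and the `k12.example` domain list are assumptions, and treating an unknown age as a minor session is a design choice made here.

```javascript
// Added example; field names and the domain list are assumptions.
const ADULT_AGE = 18; // the Act's threshold, per this guide
// Methods the guide lists as verifiable; "checkbox" is deliberately absent.
const VERIFIABLE_METHODS = new Set([
  "parent_payment", "digilocker", "gov_id_otp", "signed_authorisation",
]);
const SCHOOL_DOMAINS = ["k12.example"]; // constructed placeholder list

// Collect signals that contradict a self-attested adult age.
function ageSignals(user) {
  const signals = [];
  const domain = (user.email || "").toLowerCase().split("@")[1] || "";
  if (SCHOOL_DOMAINS.some((d) => domain === d || domain.endsWith("." + d))) {
    signals.push("school_domain_email");
  }
  if (Number.isFinite(user.declaredAge) && user.declaredAge < ADULT_AGE) {
    signals.push("age_field_under_18");
  }
  return signals;
}

function sessionPolicy(user) {
  const signals = ageSignals(user);
  const claimsAdult = Number.isFinite(user.declaredAge) && user.declaredAge >= ADULT_AGE;
  const verifiedAdult = user.ageVerified === true && claimsAdult;
  // Fail closed: an unknown or contradicted age is handled as a minor session.
  const treatAsMinor = !(verifiedAdult || (claimsAdult && signals.length === 0));
  const pc = user.parentalConsent;
  const parentVerified = Boolean(pc && VERIFIABLE_METHODS.has(pc.method) && pc.recordId);
  // Tracking, recommendations and ads: never for minors, opt-in per purpose for adults.
  const adultOptIn = (purpose) => !treatAsMinor && user.consents?.[purpose] === true;
  return {
    treatAsMinor,
    signals,
    needsAgeVerification: treatAsMinor && claimsAdult,
    // True when no parental consent is needed or a verifiable record exists.
    parentalGateOk: !treatAsMinor || parentVerified,
    analytics: adultOptIn("analytics"),
    recommendations: adultOptIn("recommendations"),
    targetedAds: adultOptIn("marketing"),
  };
}
```

Evaluate the gate server-side before any collection or tag loading, and store `recordId` with the verification evidence so it can be produced if a parent disputes the account.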

What to ship

Minimum control set + realistic time to land each

Effort estimates assume an in-house engineer + an external CMP/DPO partner where indicated. Cumulative time gets you to a defensible posture; full SDF maturity adds 1–2 quarters on top.

  1. Age-gate flow at signup (1–2 weeks engineering)
  2. Parental consent verification (payment / DigiLocker / OTP) (3–4 weeks engineering + integration)
  3. Disable analytics and recommendations for under-18 sessions (2 weeks engineering)
  4. Granular consent banner for parents of school-domain users (1 day · Banner builder)
  5. Itemised privacy notice covering minor data + school-liaison flows (2 days · Notice template)
  6. Vendor inventory (LMS, video, analytics, payment) with DPAs (2–3 weeks)
  7. Section 8 security audit (3–4 weeks)

What goes wrong

Real-world enforcement scenarios

Recommendation engine personalises content for an under-18 user

Section 9 prohibition — no consent fix. Disable for minors, then rebuild as opt-in for verified adults.

Parent claims they never authorised the account

Section 6 + Section 9 — must produce the verification record. Without one, account purge + Board notification.

School-domain bulk-enrol shares student PII with marketing vendor

Section 9 + Section 8 — joint liability with the school. DPA + purpose limitation are the only mitigation.

Close these first

The three highest-impact gaps for this sector

  1. Self-attested age with no verification

     Add age-gate + parental verification handshake before any new product launch.

  2. Recommendation engine running on minor session data

     Disable for under-18 cohorts immediately; this is a no-consent-fix issue.

  3. No purpose split between learning and marketing

     Split the consent capture — marketing requires separate, withdrawable opt-in.


Edtech · FAQ

Sector-specific questions, answered

Does the DPDP Act apply to a college platform if users are 18+?

Yes — DPDP applies to all Indian Data Principals. The children's overlay only kicks in for under-18 users, but baseline consent, notice and withdrawal obligations apply to everyone.

Can I use Google Analytics on an edtech site?

Yes for adult sessions with consent. For under-18 sessions you should disable analytics entirely — Section 9 prohibits behavioural tracking of minors.

What counts as verifiable parental consent?

A small parent-bank-account payment, DigiLocker handshake, government-ID OTP, or a signed authorisation. A checkbox does not count.