DPDP Compliance for EdTech Companies
EdTech companies process children's data, academic records, and learning behavior. Under DPDP, children's data gets the highest level of protection — and violations carry the maximum penalty.
EdTech and DPDP: The Children’s Data Minefield
India’s EdTech sector — including Byju’s, Unacademy, Vedantu, and dozens of K-12 platforms — processes the personal data of millions of minors. Under DPDP Section 9, children’s data requires verifiable parental consent and completely prohibits tracking, behavioral monitoring, and targeted advertising.
DPDP Section 9: The Strictest Provision
The DPDP Act is unambiguous about children’s data:
- No tracking: Behavioral monitoring of children is prohibited
- No targeting: Targeted advertising to children is banned
- Parental consent: Verifiable consent from a parent/guardian is mandatory
- Maximum penalty: Violations attract the highest penalty bracket — up to ₹200 Crore
Most EdTech platforms currently track learning behavior extensively (time spent per lesson, quiz performance, attention metrics) and use this data for product improvement and marketing. Under DPDP, this entire pipeline needs re-architecture.
The Age Verification Challenge
How does an EdTech platform verify that consent came from an actual parent, not the child clicking “I am 18+”? The Act requires “verifiable” consent but doesn’t specify the mechanism. Options include:
- Parent email verification with separate onboarding
- Aadhaar-linked age verification (privacy versus compliance trade-off)
- Credit card verification (excludes large market segments)
- Video verification (scalability challenge)
Most platforms haven’t solved this — it’s one of the biggest practical gaps in EdTech DPDP compliance.
Learning Data Is Personal Data
A student’s academic performance record reveals:
- Learning disabilities and cognitive patterns
- Attention span and engagement levels
- Academic strengths and weaknesses
- Behavioral patterns during online learning
This data, when combined with personally identifiable information, creates a comprehensive profile of a child. Under DPDP, this data cannot be used for any purpose beyond direct educational delivery without explicit parental consent.
The Third-Party SDK Problem
Most EdTech apps integrate Google Analytics, Facebook SDK, AppsFlyer, and various ad networks. Each of these SDKs collects data from users — including children. EdTech companies must audit every third-party integration to ensure no child data flows to advertising or analytics platforms without compliant consent.
EdTech Company Analyses
BYJU'S
BYJU'S, a major EdTech platform, handles sensitive educational data, including that of children. Its privacy policy is extensive but hasn't fully updated for the DPDP Act 2023, particularly struggling with granular consent, verifiable parental consent for minors, and specific data retention timelines. These gaps create substantial regulatory risk, especially concerning Section 23 (Children's Data).
Unacademy
Unacademy tracks learning behaviors, exam preparation patterns, and live class participation for millions of aspirants — many minors. At 42/100, the absence of DPDP Section 9 child protections and indefinite retention of learning data that reveals career ambitions creates significant compliance gaps.