Ed-Tech & Student Data: DPDP Obligations
How EdTech platforms must redesign their data collection, consent, and retention practices under DPDP Act 2023, especially for minors.
CompliYUG Research
Compliance Specialist
Executive Summary
EdTech platforms face uniquely stringent DPDP obligations for processing children's data. This guide covers verifiable parental consent, data minimization, and the impending DPDP Rules for online education.
"EdTech platforms collect an extraordinary volume of personal data — from academic performance and biometrics (for remote proctoring) to behavioral patterns and financial information for EMI-based courses. Under DPDP Act 2023, platforms targeting students face the strictest obligations, particularly around children's data."
Key Takeaways
1. Processing data of children under 18 requires verifiable parental consent under DPDP.
2. EdTech platforms cannot serve behavioral advertising to minors under any circumstances.
3. Learning management systems (LMS) must implement data minimization at the design level.
4. Student assessment data stored by third-party proctoring tools must be DPDP-compliant.
5. Post-enrollment data retention periods must be defined and communicated in privacy notices.
Children's Data: The Highest Standard
The DPDP Act defines a child as any individual under 18 years of age. Any EdTech platform with a K-12 product or any product used by minors must implement verifiable parental consent mechanisms. This goes beyond a simple checkbox — platforms need age-verification systems and documented consent records. The Act prohibits processing children's data for behavioral advertising or tracking purposes under any circumstance.
Proctoring Tools and Third-Party Risk
Online proctoring platforms collect video, audio, keystroke, and facial recognition data. Under DPDP, EdTech companies that integrate third-party proctoring tools remain the Data Fiduciary — meaning they are responsible for ensuring the proctoring vendor's compliance as a Data Processor. This requires comprehensive Data Processing Agreements (DPAs) that align with DPDP obligations.
Final Assessment
“For EdTech, DPDP compliance is not a legal checkbox. It is the foundation for building student and parent trust. Platforms that design compliance into their product roadmap — not retrofit it — will emerge as the trusted leaders of India's learning revolution.”
