DPDPA for Ed-Tech Platforms: Protecting Student Data & Parental Consent
The ed-tech industry in India has revolutionized education access, with platforms like BYJU'S, Unacademy, and Vedantu reaching millions of students. The Digital Personal Data Protection Act (DPDPA) 2023 introduces critical compliance requirements for handling children's data, parental consent mechanisms, and learning analytics.
Understanding Children's Data Under DPDPA
Ed-tech platforms operate in a unique compliance landscape because they primarily serve minors. DPDPA applies heightened protections to children's data, requiring parental consent, simplified language in privacy notices, a prohibition on profiling, withdrawal rights, and robust age verification.
Age Verification Mechanisms
Before collecting any student data, ed-tech platforms must verify the student's age through a multi-layer approach that includes parent/guardian email signup verification, date of birth validation against school documents, an ID verification option, school enrollment verification, and periodic re-verification when students near age 18.
Parental Consent Mechanisms for Ed-Tech
Model Parental Consent Form
PARENTAL CONSENT FORM FOR STUDENT DATA PROCESSING
This form must be completed by a parent or legal guardian before any student data is collected. It includes parent/guardian information with government ID verification, student information with school details, and specific consents for account information, academic progress, device information, and learning analytics.
Additional consents address communication preferences (SMS/Email), case studies using anonymized data, platform improvement contributions, and opt-out of marketing communications. Parents must sign confirming they are the legal guardian with authority to provide consent.
Online Proctoring and Monitoring Data
Many ed-tech platforms use AI-powered proctoring systems for online exams, creating specific DPDPA challenges regarding facial recognition, screen recordings, and room monitoring.
Compliant Proctoring Implementation
Example: Unacademy's DPDPA-Aligned Proctoring uses limited monitoring with face verification only at exam start, separate consent beyond regular course access, data minimization capturing only exam verification data, immediate deletion within 7 days of exam completion, and transparency notifications about captured data.
Learning Analytics and Student Profiling Restrictions
DPDPA Section 3(f) prohibits automated decision-making that significantly affects children. This directly impacts learning analytics usage, prohibiting psychological/behavioral profiles, intelligence predictions, career path recommendations, automatic course difficulty adjustments, and permanent records of learning disabilities.
Permitted analytics uses include performance tracking, content recommendations, progress reports, and curriculum adaptation with explicit student/parent control.
Data Retention and Deletion for Students
DPDPA requires specific retention periods for student data. Student account information should be retained for the duration of enrollment plus 1 year, with mandatory deletion afterwards. Course progress data is retained for the duration plus 2 years and can be anonymized instead of deleted. Test records are kept 1-2 years post-completion, then deleted or permanently anonymized. Video recordings are retained during course access and deleted when access ends. Proctoring data has a maximum 7-day retention with automatic deletion.
Parental Rights Under DPDPA
Parents have specific rights, including access to all child data, correction of inaccurate data, complete deletion within 30 days, withdrawal of any consent at any time, data portability in a portable format, and grievance resolution through the Data Protection Board.
Data Transfer and International Considerations
DPDPA Section 5(9) restricts the transfer of personal data outside India. Student data CANNOT be transferred to servers outside India, content delivery networks cannot cache student personal data outside India, international analytics tools must ensure anonymized data is used, and international cloud storage cannot store student personal data.
Key Takeaways for Ed-Tech Compliance
- ✓ Implement verified parental consent before any student data collection
- ✓ Use robust age verification mechanisms
- ✓ Provide clear, child-friendly privacy notices
- ✓ Restrict profiling and avoid predictive categorization of students
- ✓ Implement strict data retention limits (not indefinite storage)
- ✓ Ensure all student data remains in India
- ✓ Establish breach notification procedures
Conclusion
As ed-tech continues transforming Indian education, DPDPA compliance is not merely a legal obligation but a trust-building measure. Platforms that implement robust parental consent mechanisms, minimize data collection, and provide transparency will foster greater adoption among privacy-conscious parents and educators.