Industry — EdTech

DPDPA Compliance for EdTech Companies

Student data. Parental consent. Behavioural tracking. EdTech companies carry some of the strictest DPDPA obligations in India — and most have never verified whether their current practices meet them.

Section 9 — Minor User Obligations Verifiable Parental Consent Behavioural Monitoring Restrictions School Contract Compliance Analytics on Student Sessions
Book a Scoping Conversation See the Operational Audit
Section 9 applies to almost every EdTech user

Unlike other sectors where minor user obligations are peripheral, EdTech platforms are primarily used by users under 18. Section 9 is not a secondary consideration — it governs the core processing activity of most EdTech products.

The Core Challenge

Why EdTech obligations under DPDPA are categorically different

Most DPDPA obligations apply uniformly across sectors. Section 9 creates a separate, stricter framework that applies specifically where platforms process data of minor users.

Verifiable Parental Consent

Section 9(1) requires verifiable consent from the parent or lawful guardian before processing any personal data of a child. A self-declared date of birth, a ticked checkbox, or a school enrolment form may not satisfy the verifiable standard — the verification must genuinely confirm the consenting adult is the parent or guardian.

Section 9(3) Prohibitions

Section 9(3) creates restrictions that apply even where valid parental consent has been obtained. Behavioural monitoring of minor users, tracking of online activity, and targeted advertising directed at children may fall within these prohibitions — meaning parental consent alone does not create a valid processing basis for these activities.

School Contract Accountability

In many institutional deployment models, the school may act as the data fiduciary while the EdTech platform operates as a processor. The platform's Data Processing Agreement with the school must specifically address how Section 9 compliance is achieved — most school contracts used by EdTech companies do not address this at all.

Section 9 — Operational Requirements

What Section 9 requires — and what it restricts

Each requirement below maps to a specific operational obligation under the Act. These are not aspirational standards — they are current obligations that apply to any platform processing data of users under 18.

Required
Verifiable parental consent before any processing

Verifiable consent from the parent or guardian must be obtained before the platform processes any personal data of a minor — including data collected during the signup process itself. Self-declared age fields and school enrolment do not satisfy this standard.

Required
Parental access and deletion rights

Parents and guardians have rights to access their child's data, request correction, and seek erasure. EdTech platforms must have operational processes for handling these requests — including a mechanism to verify parental identity and relationship to the child account.

Restricted
Behavioural monitoring restrictions

Screen time tracking, keystroke logging, click pattern analysis, and session recording of minor users are likely to fall within Section 9(3)'s restrictions — regardless of whether parental consent has been obtained. Platforms using these for adaptive learning or engagement scoring need to assess their implementation carefully.

Restriction applies even where parental consent exists.

Restricted
Targeted advertising to minor users

Serving targeted advertisements to minor users — whether based on behavioural data, demographic inference, or interest profiling — may fall within Section 9(3)'s prohibitions. This applies to platforms that monetise through advertising or serve third-party ad networks on student-facing pages.

Restriction applies even where parental consent exists.

On exemptions: Platforms should currently proceed on the basis that full Section 9 obligations apply unless and until formal exemptions are notified by the government. No exemptions have been issued as of the date this page was last updated. Verify current status with qualified legal counsel before relying on any exemption.
Common Findings

The gaps Privara finds most consistently in EdTech assessments

Identified through review of live consent flows, analytics configurations, school contracts, and data principal rights processes.

Critical
Self-declaration age gate only

A date of birth field where the user enters their own birth date — without any verification. A minor who enters a false date of birth does not thereby create a valid consent basis for the platform. Under Section 9(1), verification must genuinely confirm the consenting adult is the parent or guardian — self-declaration by the child does not satisfy this.

Section 9(1) — Verifiable Parental Consent
Critical
Analytics SDKs firing on minor user sessions

Behavioural analytics tools, session recorders, and engagement trackers operating on student-facing pages — processing minor user data without verifiable parental consent having been obtained, and potentially within the scope of Section 9(3)'s restrictions on behavioural monitoring regardless of consent status.

Section 9(1) + Section 9(3) — Consent and Monitoring Restrictions
Critical
School contracts that do not address Section 9

Data Processing Agreements between the EdTech platform and schools that do not specify how verifiable parental consent is obtained, who is responsible for obtaining it, or how Section 9(3) restrictions are observed in the platform's technical implementation. Without this, both the school and the platform carry unaddressed compliance exposure.

Section 8(2) + Section 9 — Processor Contracts and Minor Data
High
Learning behavioural data used for recommendations without disclosure

Using quiz performance, completion rates, and engagement signals to generate personalised content recommendations — without disclosing this processing in the privacy notice or assessing whether it falls within Section 9(3)'s restrictions on behavioural monitoring of minor users.

Section 5 — Privacy Notice + Section 9(3) — Monitoring Restrictions
High
No mechanism for parental access or deletion requests

No operational process for parents to verify their relationship to a child account, access their child's personal data, or request erasure. This gap is consistently present across EdTech products reviewed — most platforms have no parent-facing rights portal or documented process for handling these requests.

Section 9 — Data Principal Rights for Minor Users
High
No consent transition process for users turning 18

No mechanism to identify when a child user reaches 18, transition them from parental consent to direct consent, and obtain fresh direct consent for all processing purposes. Most EdTech platforms have no age-tracking or consent transition workflow — meaning users who have aged out of the minor-user regime continue to be governed by parental consent that is no longer appropriate.

Section 9 — Consent Transition on Majority
Consent Architecture

What a compliant EdTech consent flow requires

The consent challenge for EdTech is more complex than for other sectors. The data principal — the student — is typically a minor who cannot themselves provide valid consent. The person required to consent — the parent or guardian — is not the one interacting with the platform at the point of signup.

Most EdTech platforms resolve this by asking the student to provide their parent's email address, then sending the parent a consent link. Whether this constitutes genuinely "verifiable" consent is an open question under the Act — the verifiability of the parent's identity is not confirmed by this flow alone.

Platforms that deploy through schools face an additional layer: the school's responsibility to obtain parental consent before the platform is activated for a student. Whether this responsibility is clearly documented in the school-platform contract — and whether the school has actually obtained that consent — are both areas that a Privara assessment reviews.

Operational consent requirements for EdTech
A verification method that goes beyond self-declaration — the consenting adult's identity as parent or guardian should be reasonably confirmed, not assumed
Consent obtained before any personal data of the minor is processed — including data collected during the registration or onboarding flow itself
Analytics and tracking tools configured to respect Section 9(3) restrictions — not simply gated on parental consent, but assessed for whether they fall within the behavioural monitoring restrictions
A parent-facing rights portal or documented process for access, correction, and erasure requests from parents and guardians
A consent transition process that identifies users reaching 18 and obtains fresh direct consent before continuing to process their data
Real Finding

What a finding looks like in an EdTech assessment

Finding — Analytics on Minor User Sessions
Behavioural analytics SDK processing student session data without verifiable parental consent

During a review of an EdTech platform's student-facing product, a third-party behavioural analytics tool was found to be active on all student session pages — tracking page views, time-on-task, click patterns, and quiz interaction data at the individual user level.

The platform's registration flow asked students to enter their date of birth. Users under 18 were shown a message asking them to provide their parent's email address. A consent email was sent — but the parent's identity was not verified beyond email access. No documentation existed confirming that parents had actually completed the consent flow before the analytics tool began processing student data.

The finding was documented with the specific Section 9 obligations engaged, an assessment of whether the analytics processing was likely to fall within Section 9(3)'s behavioural monitoring restrictions, and the operational changes required to bring the consent flow into compliance.

Critical Section 9(1) — Verifiable Parental Consent Section 9(3) — Behavioural Monitoring Product review + consent flow inspection
Recommended Starting Point
Why EdTech companies need the Operational Compliance Audit

Section 9 obligations affect every aspect of an EdTech product — consent architecture, analytics configuration, school contracts, and parental rights processes. This cross-functional complexity requires a comprehensive assessment that covers all eight DPDPA control areas with specific depth on Section 9 obligations, vendor contracts, and data principal rights processes.

For early-stage EdTech platforms with limited vendor complexity, the Readiness Review may be an appropriate starting point.

Learn more about the Operational Compliance Audit Learn more about the Readiness Review
Book a Scoping Conversation
FAQ

Questions from EdTech founders and product teams

Yes. Applicability is determined by whether the platform processes personal data of individuals in India — not whether it charges users. A free EdTech platform that collects student names, email addresses, or usage data is subject to DPDPA obligations in the same way as a paid platform. Section 9 obligations apply regardless of the platform's business model.
A checkbox ticked by the child, a self-declared date of birth, or a school enrolment permission may not satisfy the verifiable standard under Section 9(1). Platforms should implement a verification approach that genuinely confirms guardian identity — not one that merely asks the child to provide a parent email address. Verify current regulatory guidance on verification standards before finalising your approach, as prescriptive requirements have not yet been issued.
Not categorically. The key question is whether the specific processing falls within Section 9(3)'s restrictions on behavioural monitoring. Generic aggregate analytics — page view counts, session counts — may sit outside the restriction. Individual-level behavioural tracking — click patterns, time-on-task per student, learning pace, engagement scoring — is more likely to create Section 9(3) concerns. An operational assessment of your specific implementation is required to determine where your analytics configuration sits.
Processing personal data of a minor without verifiable parental consent may not have a valid legal basis under Section 9(1). If the platform becomes aware that a user is a minor and parental consent has not been validly obtained, the platform should assess whether processing can lawfully continue until valid parental consent is obtained — and whether data processed without valid consent needs to be deleted. Platforms that rely on self-declared age gates carry exposure wherever minor users have accessed the platform using false age information.
In many institutional deployment models, the school may act as the data fiduciary — making the school responsible for obtaining parental consent before activating the platform for students. However, your Data Processing Agreement with the school must specifically address this responsibility, document how verifiable consent is to be obtained, and confirm how Section 9(3) restrictions are observed in your platform's implementation. If the contract does not address these points, both the school and the platform carry unresolved compliance exposure.
The assessment reviews your registration and consent flow to identify whether verifiable parental consent is genuinely being obtained — including how the platform handles the gap between the child's initial access and parental consent completion. It reviews your analytics and tracking configuration against Section 9(3)'s restrictions, your school contracts for Section 9 compliance provisions, and your parental rights process. Every finding is documented with the specific obligation it engages and the operational change required.
Related Resources
Service
DPDPA Readiness Review

Operational assessment of your compliance posture in 10–20 working days.

Learn more →
Checklist
DPDPA Compliance Checklist

Eight control areas — structured for operational self-review including Section 9.

View checklist →
Guide
DPDPA Penalty Guide

How the penalty framework works, what triggers it, and how exposure accumulates.

Read guide →
Get Started

Understand your EdTech platform's Section 9 compliance posture

The scoping conversation is focused and practical. We will identify where your platform's current practices may not meet Section 9's requirements — before anything is agreed.

Book a Scoping Conversation

Scope and pricing confirmed before work begins. No commitment required.