Can edtech platforms show targeted ads to students?

No. The DPDPA prohibits behavioural tracking and targeted advertising directed at children, so ad targeting to under-18 users is not permitted.

How do we verify parental consent?

You need a reliable mechanism to confirm the consenting adult is the child’s parent or guardian. The DPDP Rules describe acceptable verification approaches; a consent platform can operationalise them.

DPDPA for EdTech

DPDPA Compliance for EdTech

Education technology lives at the intersection of the DPDPA’s strictest provisions: much of the user base is under 18. Section 9 imposes verifiable parental consent and bans behavioural tracking and targeted advertising directed at children — making age assurance and parental-consent flows the defining compliance challenge for edtech.

Book a Demo Free assessment

Does the DPDPA apply to edtech?

EdTech platforms process the data of students — many of them children — so the DPDPA’s children’s-data rules apply directly. Education platforms must obtain verifiable parental consent for under-18s, avoid tracking and targeted advertising to children, secure student data, and honour data principal rights.

Personal data in edtech

Student names, ages, grades and contact details
Parent/guardian contact and payment information
Learning activity, assessment scores and progress data
Device, session and engagement analytics

Why it matters

Children’s-data violations carry penalties up to ₹200 crore.
Ad-tech and analytics SDKs may inadvertently track minors — a direct compliance breach.
Reputational risk is acute when minors are involved.

Edtech must reconcile DPDPA children’s-data rules with education-sector norms and any institutional data-sharing arrangements with schools and universities.

Key obligations

DPDPA obligations for edtech

The duties under the DPDP Act 2023 that matter most for edtech organisations.

Verifiable parental consent

For any user under 18, you must obtain verifiable consent from a parent or lawful guardian before processing their data (Section 9).

No tracking or targeting of children

Behavioural monitoring and targeted advertising directed at children are prohibited. Analytics on minors must be re-examined.

Age assurance

Implement a mechanism to determine which users are children and route them through parental-consent flows.

Data minimisation

Collect only what the learning purpose requires and retain it no longer than necessary.

How Data Adhikaar helps edtech teams

Sammati implements verifiable parental-consent flows and age-based routing.
Drishti flags where children’s data or tracking SDKs appear across your stack.
Lekhak drafts parental-consent notices and children’s-data policies in regional languages.
Saakshi evidences that tracking is disabled for minors.

Meet the ten agents

FAQ

DPDPA & EdTech: FAQ

Anyone under the age of 18 is a child under the DPDPA. Processing their personal data requires verifiable consent from a parent or lawful guardian.

Get edtech DPDPA-ready.

Run the free readiness assessment or book a demo tailored to your sector.

Book a Demo Free Readiness Assessment

Or call +91 98226 28174