Edtech Privacy / Students

Edtech Student Privacy

CA Nikhil Gupta·June 2026·3 min readEdtech Privacy / Students

Protect student and parent data through age design, guardian controls, school contracts, learning analytics, advertising limits, access, safety and deletion.

Edtech systems often combine identity, behaviour, performance, family and payment data about children.

Quick View

Decision

Design separate controls for students, parents, teachers, schools and direct consumers before collecting learning telemetry.

First action

Map child and parent journeys.

Core evidence

School and parent agreements.

Main warning

Using 13 as the Indian child threshold.

Why It Matters

The Digital Personal Data Protection Act, 2023 and the final Rules notified in November 2025 follow phased commencement. As of 25 June 2026, organisations should separate duties already operative from consent, grievance, rights, children, Significant Data Fiduciary and other operational provisions scheduled for later commencement, while continuing to comply with the IT Act, CERT-In directions and sector-specific rules already in force.

The DPDP Act defines a child as an individual under eighteen and includes restrictions relating to detrimental processing, tracking, behavioural monitoring and targeted advertising when the relevant provisions commence.

School-authorised use, direct-to-parent subscriptions, classroom monitoring and marketing are different processing contexts and should not be collapsed into one consent.

Control Framework

AreaWhat to establishOperating rule
UserStudent, parent, teacher or school administrator.Assign role.
PurposeLearning, safety, assessment or marketing.Separate.
AnalyticsProgress, attention, behaviour and profiling.Limit and explain.
ExitSchool change, course end and account closure.Delete or restrict.

Action Checklist

  1. Map child and parent journeys.
  2. Remove targeted advertising defaults.
  3. Review learning analytics necessity.
  4. Build guardian and school controls.
  5. Restrict teacher and support access.
  6. Create course-end deletion process.

Practical Example

An edtech platform uses student attention scores to target paid tutoring ads to parents without explaining the profiling or separating it from the learning service.

Evidence to Keep

  • School and parent agreements.
  • Age and guardian workflow.
  • Analytics dictionary.
  • Advertising settings.
  • Access logs.
  • Deletion and transfer records.

Warning Signs

  • Using 13 as the Indian child threshold.
  • Behavioural ads by default.
  • Permanent student profiles.
  • Teachers exporting class data.
  • No school-offboarding workflow.

Detailed Review

A reliable control should connect the individual, data field, purpose, notice or sector disclosure, system, employee access, vendor access, retention rule and closure evidence. A policy statement that cannot be traced through this chain is difficult to operate.

Maintain a legal-timing matrix. Record the DPDP provision, phased commencement status, current IT Act or sectoral duty, business owner, system dependency and implementation deadline. Avoid one blanket label such as compliant or not compliant.

Build controls into technology and workflow. A written instruction cannot stop an SDK from collecting contacts, a campaign tool from re-importing suppressed users or an agent from downloading medical records unless the system enforces the decision.

Use proportionate verification. Weak checks can expose another person’s information; excessive checks create more Aadhaar, health, payroll or bank data that must be protected and deleted later.

Generate evidence during ordinary operations: versioned screens, event logs, access approvals, vendor tickets, complaint chronology, deletion reports, test recordings and management decisions.

Segment access by role and lifecycle. Sales, support, teachers, clinicians, claims staff and external agents do not need the same information.

High-risk data should not move through personal messaging, unprotected links or shared credentials merely because those channels are convenient.

Control Test

Select one real user or transaction journey and trace it from collection through sharing, access, retention, withdrawal, complaint or closure. Capture the evidence at each stage.

Test the control on production-like systems rather than screenshots alone. Review network traffic, event logs, suppression status, vendor responses, role access and deletion output.

Run an adverse scenario: the vendor is breached, the user is a child, the borrower alleges harassment, the employee leaves or the app permission is revoked. Record the response and gaps.

Compare public wording with actual behaviour. Product forms, call scripts, privacy notices, contracts, SDKs and support tools should tell the same story.

Assign a named owner, funded action and closure date to each gap. Retain the reason when management accepts residual risk or chooses a less intrusive alternative.

Escalation Route

Start with the privacy, security, product or regulated-business owner and preserve system evidence before changing configuration or deleting records. Separate current sector and CERT-In obligations from future DPDP readiness.

For serious complaints, children’s data, financial harassment, medical exposure or suspected cybercrime, involve qualified legal, privacy, cyber, banking, insurance or healthcare specialists and use the applicable official channel.

Frequently Asked Questions

Who is a child under the Act? â–¼
An individual who has not completed eighteen years.
Can learning analytics be used? â–¼
Use should be necessary, transparent, safe and legally reviewed.
Can student data be used for targeted advertising? â–¼
The Act restricts targeted advertising directed at children when the relevant provisions commence.
What happens when a student leaves? â–¼
Apply school, legal and product retention rules and remove unnecessary access and copies.