If you teach students under 18 — whether you run a coaching institute, tutor online via Zoom, teach via WhatsApp, or operate a full EdTech platform — you are processing children's personal data under DPDP. This triggers the second-highest penalty in the entire law: up to ₹200 crore.
Applies to: EdTech platforms • Coaching institutes • Individual online tutors • School management systems • Test prep apps • Language learning apps • Skill development platforms serving minors.
Who Does DPDP Apply to in Education?
DPDP applies across the entire education spectrum — from billion-dollar platforms to individual tutors teaching 5 students on WhatsApp:
Large Platforms
- EdTech companies (BYJU's, Unacademy, Vedantu, PhysicsWallah, etc.)
- School management software (student records, attendance, grades)
- Test prep platforms (Testbook, PW, Allen, FIITJEE online)
- Language learning apps (Duolingo India, Babbel)
- Skill development platforms (Coursera India, UpGrad, Simplilearn)
Mid-Size Operators
- Coaching institutes (offline + online classes)
- After-school learning centres
- Dance, music, art academies
- Sports academies and training centres
- Tutoring agencies managing multiple tutors
Individual Educators
- Freelance online tutors (Zoom, Google Meet, Skype)
- WhatsApp/Telegram group tutors
- YouTube educators with paid courses
- Udemy/Teachable/Graphy course creators
- Home tutors who collect student information
📌 Individual Tutor Reality Check: Teaching 3 students on Zoom and keeping their names, phone numbers, and parent contacts in your phone = you're processing personal data. DPDP applies to you. There is NO size or revenue exemption.
Children's Data: The Highest-Risk Category in Education
The DPDP Act treats children's data with extreme caution. Under the act, a "child" is any person under 18 years of age.
Why is children's data so heavily protected?
- Children cannot legally give consent for their own data processing
- They are more vulnerable to exploitation, targeting, and harm
- The law explicitly prohibits behavioral tracking and targeted advertising to minors
- Parental oversight is considered essential for any data collection
| DPDP Violation (Education) | Maximum Penalty |
|---|---|
| Processing children's data without verifiable parental consent | ₹200 crore |
| Behavioral tracking or profiling of minor students | ₹200 crore |
| Serving targeted ads to students under 18 | ₹200 crore |
| Security failure exposing student data | ₹250 crore |
| No privacy policy published | ₹50 crore |
| Ignoring parent/student data deletion request | ₹50 crore |
| Breach not notified within 72 hours | ₹200 crore |
⚠️ Critical Distinction: Adult learners (18+) can give their own consent. Students under 18 CANNOT. For every minor student, a parent or guardian must separately and verifiably consent to your data collection. This applies even if the student is 17 years old.
What Student Data Is Covered Under DPDP?
Education businesses collect far more personal data than they realize:
Basic Information
- Student full name
- Date of birth and age
- Gender
- Photograph (profile picture, ID photo)
- School/college name and grade
Contact Information
- Home address
- Student email and phone number
- Parent/guardian name, email, phone number
- Emergency contact details
Learning Information
- Test scores, grades, and academic performance
- Attendance records
- Course progress and completion rates
- Session recordings (Zoom/Meet recordings)
- Assignment submissions
- Learning pace and behavioral patterns
Financial Information
- Fee payment records
- UPI IDs, bank details (for refunds)
- Scholarship or discount information
🔴 Especially Sensitive: Academic performance data (grades, test scores) is considered sensitive personal data because it can affect a student's future opportunities. Treat it with the highest level of security and confidentiality.
Parental Consent: How to Get It Right
This is the most critical section for any education business with students under 18.
What "Verifiable Parental Consent" Means
DPDP requires consent that is:
- From the parent/guardian — not the student themselves
- Verifiable — you must be able to prove a parent consented, not a child pretending to be a parent
- Informed — the parent must understand what data you collect, why you collect it, and how long you keep it
- Specific — consent for "enrollment" ≠ consent for "behavioral tracking" or "marketing"
- Freely given — parents cannot be forced to consent by making enrollment conditional on unrelated data uses
❌ INVALID Consent: Student fills in their own details and ticks "I agree to the privacy policy." If the student is under 18, this consent has NO legal validity under DPDP. You need the parent's consent.
How to Collect Verifiable Parental Consent
For coaching institutes and offline tutors:
Include a consent section in your physical enrollment form: "I, [Parent Name], parent/guardian of [Student Name] (DOB: ___), consent to [Institute Name] collecting and processing my child's personal data including name, contact details, academic records, and attendance for the purpose of education delivery. I have read the Privacy Policy at [link/copy attached]. Signature: ___ Date: ___"
For online platforms and Zoom/WhatsApp tutors:
"Dear [Parent Name], before [Student Name] begins sessions with us, please review our Privacy Policy: [link]. By replying YES to this message, you confirm you are the parent/guardian of [Student Name] and consent to us collecting their name, contact details, and session progress for educational purposes. Reply YES to proceed."
For EdTech platforms (web/app):
- During signup, ask: "Is this student under 18?"
- If yes: Redirect to parent consent flow (parent email, parent OTP verification)
- Send verification email/SMS to parent's contact, not student's
- Parent must actively tick consent checkbox (unchecked by default)
- Log parent's name, contact, consent timestamp, and IP address
Keeping Consent Records
You must be able to prove parental consent if the Data Protection Board asks. Maintain a record of:
- Parent's name and contact
- Date and time consent was given
- What they consented to (data types, purpose)
- How consent was collected (physical form, email, WhatsApp, platform)
- Copy of the privacy policy they agreed to
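The platform signup steps and the consent record listed above, as an added example (not code from this guide or from any real platform). The function names, dict keys, the 10-minute OTP window, and hashing the policy text to identify the archived copy are assumptions; delivering the OTP to the parent and storing the returned record are left to the caller.

```python
import hashlib
import hmac
import secrets
from datetime import date, datetime, timedelta, timezone

OTP_TTL = timedelta(minutes=10)  # assumed validity window, not from the guide

def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def age_on(dob: date, today: date) -> int:
    # Whole years completed: a student who turns 18 tomorrow is still 17 today.
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def start_signup(student, parent, purposes, policy_text, now):
    """Return (pending, otp); both are None when the learner is 18 or older."""
    if age_on(student["dob"], now.date()) >= 18:
        return None, None  # adult learners consent for themselves
    if parent["contact"].strip().lower() == student["contact"].strip().lower():
        raise ValueError("parent contact must differ from the student's")
    otp = f"{secrets.randbelow(10**6):06d}"  # caller sends it to parent["contact"] only
    pending = {
        "student_name": student["name"],
        "parent_name": parent["name"],
        "parent_contact": parent["contact"],
        "purposes": sorted(purposes),           # each specific purpose listed separately
        "policy_sha256": _sha256(policy_text),  # pins the policy version agreed to
        "otp_sha256": _sha256(otp),             # the OTP itself is never stored
        "otp_expires": now + OTP_TTL,
    }
    return pending, otp

def confirm_consent(pending, otp_entered, checkbox_ticked, ip, method, now):
    """Return the consent record to keep, or raise if consent is not verifiable."""
    if not checkbox_ticked:  # the box starts unchecked; the parent must tick it
        raise PermissionError("consent box must be actively ticked")
    if now > pending["otp_expires"]:
        raise PermissionError("OTP expired")
    if not hmac.compare_digest(_sha256(otp_entered), pending["otp_sha256"]):
        raise PermissionError("OTP mismatch")
    record = {k: v for k, v in pending.items() if not k.startswith("otp_")}
    record.update(consented_at=now.isoformat(), ip=ip, method=method)
    return record
```

Pass a timezone-aware `now`, and archive the policy text itself alongside the record so the stored hash can be matched to the copy the parent saw.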
Platform-Specific Compliance Guides
Zoom/Google Meet Tutors
Session Recordings
Recording sessions = processing personal data (student voice, image, academic content).
- Get explicit consent before recording ("I will be recording this session. Do you consent?" — get YES verbally or in writing)
- For students under 18: Get parental consent for recordings specifically
- Tell them WHY you're recording (review, quality check, student revision)
- Tell them how long you'll keep recordings
- Delete recordings after stated retention period
- Never share recordings without explicit consent
Student Contact Information
- Store contact details securely (not in an unprotected phone notes app)
- Use 2FA on email/Google accounts containing student data
- Delete inactive student data after 1 year of no sessions
- Never share student numbers with other businesses without consent
WhatsApp/Telegram Group Classes
Group Member Data
- Every student in your WhatsApp group = personal data (name, phone number, messages)
- For students under 18: Only add them after getting parental consent
- Don't export group member lists to use for other purposes
- When students leave the group, delete their personal data from your records
- Don't forward student messages to other groups without consent
Coaching Institutes (Physical + Online)
Enrollment Forms
- Add parental consent section to all enrollment forms for under-18 students
- Include privacy policy notice on enrollment forms
- Store forms securely (locked filing cabinets or encrypted digital storage)
- Set retention policy (keep enrollment records for duration of enrollment + 2 years)
CCTV & Attendance Systems
- CCTV footage = biometric/personal data under DPDP
- Display notice: "CCTV recording in progress for security purposes"
- Delete CCTV footage after 30 days (unless specific incident requires retention)
- Biometric attendance data requires explicit consent from students (parent consent for under-18)
EdTech Platforms (Apps & Websites)
Age Verification at Signup
- Ask date of birth at signup
- If under 18: Trigger parent consent flow immediately
- Don't allow students under 18 to complete signup until parent verifies
- Don't use "honor system" (just asking if they're over 18)
No Behavioral Tracking of Minors
- Do NOT use behavioral data of under-18 students for advertising targeting
- Do NOT build behavioral profiles of minor students
- Disable Facebook Pixel, Google Ads remarketing for under-18 users
- Learning analytics (tracking progress, time on task) = permitted for educational purposes only
Data Retention
- Active students: Keep data while enrolled
- After graduation/unenrollment: Keep academic records for 2 years, delete everything else
- Inactive accounts: Delete after 1 year of no activity
Top Violations in the Education Sector
The mistake: Enrollment form has a checkbox "I agree to the privacy policy" filled out by the 15-year-old student themselves.
Why illegal: Minors cannot legally consent to data processing under DPDP. Only parents/guardians can.
Fix: Add separate parental consent section. Get parent to sign/click/respond. Log the parent's details, not just the student's.
The mistake: Using Facebook Pixel on your EdTech platform to retarget students (under 18) with ads based on their browsing behavior.
Why illegal: Behavioral tracking and targeted advertising to minors are explicitly prohibited under DPDP.
Fix: Disable behavioral tracking and retargeting for all users under 18. Use contextual advertising only.
The mistake: Sharing student names and contact numbers with a book publisher, stationery company, or coaching partner without consent.
Why illegal: Consent to enroll in your classes ≠ consent to share data with third parties.
Fix: Never share student data with third parties without explicit separate consent from parent (for under-18) or student (for adults).
The mistake: Recording Zoom tutoring sessions without informing students or getting consent. Storing recordings indefinitely.
Why illegal: Recording = processing personal data (image, voice, academic content). Requires explicit consent.
Fix: Inform students before recording. Get consent. Set retention period (e.g., 30 days). Delete after.
The mistake: Coaching institute database is hacked. 50,000 student records (names, addresses, academic data) are exposed. Institute tries to cover it up.
Why illegal: Must notify Data Protection Board within 72 hours of discovery. Must notify affected students/parents.
Fix: Create breach response plan. Know the DPB notification process. Notify immediately.
The mistake: Coaching institute keeps full student records (home addresses, family details, academic performance) of students who graduated 10 years ago.
Why illegal: Data retention must be limited to what's necessary for the stated purpose.
Fix: Set retention policy. Keep academic transcripts for 5 years. Delete addresses, phone numbers, family data 2 years after graduation.
EdTech & Tutor DPDP Compliance Checklist
| Compliance Item | Status |
|---|---|
| Privacy policy published (linked from website, enrollment forms, app) | ☐ |
| Age verification at signup (ask DOB, trigger parent flow if under 18) | ☐ |
| Parental consent process (for all students under 18) | ☐ |
| Consent records maintained (parent name, date, what they agreed to) | ☐ |
| Session recording consent (explicit consent before every recording) | ☐ |
| No behavioral tracking of under-18 students | ☐ |
| No targeted ads to minor students | ☐ |
| Student data secured (encrypted database, access controls, 2FA) | ☐ |
| Data retention policy set (delete inactive student data) | ☐ |
| Session recordings deleted (after retention period) | ☐ |
| No third-party data sharing (without explicit parental consent) | ☐ |
| Breach response plan ready (72-hour notification to DPB) | ☐ |
| CCTV/biometric notices displayed (for physical institutes) | ☐ |
| Privacy contact set up (dedicated email address for data requests) | ☐ |
FAQ for Educators & EdTech Founders
Does DPDP apply to individual online tutors?
Yes. Any tutor collecting student names, phone numbers, or payment details — whether teaching 2 students or 2,000 — must comply with DPDP. No size exemption exists.
What is the penalty for mishandling children's data?
Up to ₹200 crore for processing children's data without verifiable parental consent. This is the second highest fine in the DPDP Act.
Do I need parental consent for every student under 18?
Yes, every single one. Even a 17-year-old cannot legally consent to data processing under DPDP. Parent or guardian consent is mandatory.
Can I record my Zoom tutoring sessions?
Yes, but only with explicit consent. Inform students/parents before recording. Get a clear "yes." State the purpose and retention period. For students under 18, parent must consent to recordings specifically.
Can I use Facebook Pixel on my EdTech platform?
Not for students under 18. Behavioral tracking and targeted advertising to minors are explicitly prohibited. Disable tracking for under-18 users entirely.
What about adult learners (18+) on my platform?
Adults can give their own consent. Standard DPDP consent requirements apply — explicit consent, clear privacy policy, data retention limits, and honoring deletion requests.
What if a student asks me to delete their data?
You must honor the request. Delete from your database, CRM, WhatsApp contacts, cloud storage. You may retain data required for legal purposes (fee receipts, certificates) but must delete everything else.