This is not about India’s Edtech industry. Not exactly.
India has one of the largest student populations in the world, and a thriving EdTech ecosystem built to serve it. Platforms for test preparation, school curriculum, coding, language learning, and tutoring collectively hold enormous amounts of data on minors — usage patterns, performance data, communication records, and in some cases biometrics. The DPDPA 2023 places this category of data under its strictest provisions, and the compliance challenge for EdTech companies is both significant and urgent.
The law requires verifiable parental consent before any data is collected from individuals under 18. Not a checkbox that says “I confirm I am above 18.” Verifiable consent — meaning the platform must take reasonable technological steps to confirm that the person giving consent is actually a parent or guardian, and that the user is actually a child. This is a deliberately high bar, and intentionally so. It also prohibits data fiduciaries from serving behavioural advertising to children and from profiling them in ways that could harm their wellbeing. The spirit of the provision is clear: children are not a demographic to be monetised.
The operational implications are substantial. EdTech platforms will need to redesign onboarding flows, introduce age-verification mechanisms, and build separate consent journeys for users below 18. Platforms that currently treat all users uniformly regardless of age will need to segment their user base and apply differentiated data practices. This is not just a legal exercise — it is a product and engineering challenge. The companies that approach it thoughtfully, building genuine child safety into their platforms rather than minimum viable compliance, will be better positioned as digital literacy and parental awareness in India continue to grow.
